[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'

Olivier MARTIN olivier at labapart.com
Fri May 19 08:50:11 UTC 2023


Thanks Andrew for your reply.

Actually, I started to dive into the code just before your answer to try 
to analyze and potentially fix the issue. But after stepping back I 
actually realized I was looking at the wrong LDAP entry!

My initial intention was to set the domain controller's GUID to a known 
GUID to avoid regenerating certificates when I recreate my Samba AD DC 
environment, as the certificate generation is explained here: 
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script

But I have actually realized I mixed up "Domain GUID" and "Domain 
Controller GUID"! When I looked at the domain GUID in the LDAP 
directory, I confirm I can find the one specified on the command line 
of "samba-tool domain provision" :-)

sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"

dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
whenCreated: 20230512211402.0Z
uSNCreated: 10
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
dc: samdom
(...)


So, there is no bug - only misunderstanding from my side :-)

So I guess I have no choice but to regenerate the certificate of my domain 
controller when I recreate my Samba AD DC domain environment.


On 16.05.23 07:29, Andrew Bartlett wrote:
> On Thu, 2023-05-11 at 23:50 +0200, Olivier MARTIN via samba wrote:
>> Hello,
>>
>> I was hoping to reprovision the same domain by specifying the domain
>> GUID in the command line tool 'samba-tool domain provision' but I am
>> not sure if I missed something or if there is a bug but the specified
>> domain GUID is not the one which is created for my domain.
>> Specifying the domain SID seems to work as I would expect.
>>
>> I tested it with Samba shipped by Debian 11 (samba2
>> 4.13.13+dfsg-1~deb11u5) and the latest release 'samba-4.18.2'.
>>
>>
>> *For Samba **4.13.13 packaged by Debian 11:*
>>
>> 1. I provision my domain specifying the domain name, its GUID and
>> SID:
>>
>> sudo samba-tool domain provision --use-rfc2307 --realm=SAMDOM.DEMO.COM --domain=samdom --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=D3m0H3l10 --domain-guid=a5291573-906f-467d-9d63-451204bb9abb --domain-sid=S-1-5-21-1683713074-1702463723-3046006099
>
>
>> Is it a bug or have I misunderstood the purpose of '--domain-guid'?
> The code is similar for --domain-sid and --domain-guid and the
> intention is as you expect, to set the domain guid, being the
> objectGUID of the domain DN, but I note that the only test we have is
> to show that we don't abort or fault with --domain-guid specified, we
> don't check if it worked.
>
> More tests are welcome if you would like to contribute them.
>
> Finally, if you let me know why you want to rebuild your domain,
> I might be able to help you with that.
>
> Sorry,
>
> Andrew Bartlett
>
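The check Andrew says is missing (that the requested GUID actually landed on the domain object), as an added example that is not part of this thread or of Samba's own test suite: parse the LDIF printed by the ldbsearch command above and compare the domain entry's objectGUID and objectSid with the values given to `samba-tool domain provision`. The LDIF below is a constructed sample built from the values in the thread; feeding it real `ldbsearch` output is assumed to be done by the caller.

```python
import uuid

# Values passed to 'samba-tool domain provision' in the thread.
EXPECTED_GUID = "a5291573-906f-467d-9d63-451204bb9abb"
EXPECTED_SID = "S-1-5-21-1683713074-1702463723-3046006099"

# Constructed sample of the thread's 'ldbsearch ... objectclass=domain' output
# (values copied from the thread; objectCategory folded as LDIF does it).
SAMPLE_LDIF = """\
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom
 ,DC=demo,DC=com
dc: samdom

# returned 1 records
"""

def parse_ldif(text):
    """Entries as attr -> [values]; joins folded continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # LDIF continuation line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):      # ldbsearch prints "# returned N records"
            attr, _, value = line.partition(":")
            current.setdefault(attr, []).append(value.strip())
    return entries

def check_domain_identity(ldif_text, expected_guid, expected_sid):
    """True if the domain object's objectGUID/objectSid equal the requested values."""
    domains = [e for e in parse_ldif(ldif_text) if "domain" in e.get("objectClass", [])]
    if len(domains) != 1:                   # exactly one domain object expected
        return False
    guid_ok = uuid.UUID(domains[0]["objectGUID"][0]) == uuid.UUID(expected_guid)
    return guid_ok and domains[0]["objectSid"][0] == expected_sid
```

Comparing through `uuid.UUID` makes the GUID match case-insensitive, so output with upper-case hex still verifies.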
