[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
Rowland Penny
rpenny at samba.org
Fri May 19 10:20:26 UTC 2023
On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
> Thanks Andrew for your reply.
>
> Actually, I started to dive into the code just before your answer to try
> to analyze and potentially fix the issue. But after stepping back I
> actually realized I was looking at the wrong LDAP entry!
>
> My initial intention was to set the domain controller's GUID to a known
> GUID to avoid regenerating certificates when I recreate my Samba AD DC
> environment - as the certificate generation is explained here:
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>
> But I have actually realized I mixed "Domain GUID" and "Domain
> Controller GUID"! When I looked at the domain GUID in the LDAP
> directory, I confirm I can find the one specified in the command line
> "samba-tool domain provision" :-)
>
> sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>
> dn: DC=samdom,DC=demo,DC=com
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> instanceType: 5
> whenCreated: 20230512211402.0Z
> uSNCreated: 10
> name: samdom
> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
> objectSid: S-1-5-21-1683713074-1702463723-3046006099
> objectCategory:
> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
> dc: samdom
> (...)
>
>
> So, there is no bug - only misunderstanding from my side :-)
>
> So I guess I have no choice but to regenerate the certificate of my domain
> controller when I recreate my Samba AD DC domain environment.
>
I suppose this has to be asked:
Why do you need to be able to recreate your AD DC domain environment?
Rowland
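A post-provision check that the value handed to `--domain-guid` really landed on the domain object, as an added shell example that is not from the thread or from Samba itself: it unfolds the LDIF that ldbsearch prints (long values continue on lines starting with a space, as the objectCategory line above does) and compares objectGUID with the expected value. The sam.ldb path in the comment is an assumed default. This checks the domain object only, which is the entry shown above, not the domain controller's own GUID that the certificate needs.

```shell
#!/bin/sh
# Added example (not Samba code): confirm the domain object's objectGUID
# matches the GUID passed to `samba-tool domain provision --domain-guid`.

# Read LDIF on stdin, unfold continuation lines, print the objectGUID value.
ldif_object_guid() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation line: append
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
        function emit(line) {
            if (line ~ /^objectGUID: /) { sub(/^objectGUID: /, "", line); print line }
        }
    '
}

# Compare the objectGUID from LDIF on stdin with $1, case-insensitively.
# Returns 0 on match, 1 on mismatch or when no objectGUID was found.
check_domain_guid() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    actual=$(ldif_object_guid | tr 'A-Z' 'a-z')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Constructed sample mirroring the thread's ldbsearch output, with the
# objectCategory value folded onto a second line as LDIF does.
SAMPLE_LDIF='dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,
 DC=samdom,DC=demo,DC=com
dc: samdom'

# Live use on a DC (assumption: sam.ldb at the distribution default path):
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base \
#       -b "DC=samdom,DC=demo,DC=com" objectGUID | check_domain_guid "$EXPECTED_GUID"
```

Run against the constructed sample, `printf '%s\n' "$SAMPLE_LDIF" | check_domain_guid a5291573-906f-467d-9d63-451204bb9abb` succeeds, while any other GUID makes it return 1.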