[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'

Rowland Penny rpenny at samba.org
Fri May 19 10:20:26 UTC 2023

On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
> Thanks Andrew for your reply.
> Actually, I started to dive into the code just before your answer to try 
> to analyze and potentially fix the issue. But after stepping back I 
> actually realized I was looking at the wrong LDAP entry!
> My initial intention was to set the domain controller's GUID to a known 
> GUID to avoid having to regenerate certificates when I recreate my Samba 
> AD DC environment, as the certificate generation is explained here: 
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
> But I have actually realized I mixed "Domain GUID" and "Domain 
> Controller GUID"! When I looked at the domain GUID in the LDAP 
> directory, I confirm I can find the one specified in the command line 
> "samba-tool domain provision" :-)
> sudo ldbsearch  --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
> dn: DC=samdom,DC=demo,DC=com
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> instanceType: 5
> whenCreated: 20230512211402.0Z
> uSNCreated: 10
> name: samdom
> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
> objectSid: S-1-5-21-1683713074-1702463723-3046006099
> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
> dc: samdom
> (...)
> So, there is no bug - only misunderstanding from my side :-)
> So I guess I have no choice but to regenerate the certificate of my domain 
> controller when I recreate my Samba AD DC domain environment.

I suppose this has to be asked:
Why do you need to be able to recreate your AD DC domain environment ?
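An added example (mine, not from this thread or from the Samba project) to make the mix-up above concrete: the script parses ldbsearch-style LDIF and separates the objectGUID of the domain object (the value `samba-tool domain provision --domain-guid` sets) from the objectGUID of a DC's own NTDS Settings object, which a fresh provision generates anew no matter what you pass. The LDIF is constructed: the domain GUID and SID are the ones Olivier posted, while the host DC1, its NTDS Settings GUID and all function names are made up. I assume the "Domain Controller GUID" the wiki's certificate procedure wants is the NTDS Settings (DSA) GUID, the same one AD publishes as the `<guid>._msdcs.<realm>` CNAME; confirm which object the wiki script reads before relying on that.

```python
"""Domain GUID vs. DC (NTDS Settings) GUID in ldbsearch LDIF output.

Added example, not code from the samba list or the Samba project.
"""
import base64
import re
from typing import Dict, Iterator, List, Optional

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample mimicking `ldbsearch -H /var/lib/samba/private/sam.ldb`
# output: the domain object (what --domain-guid sets) and a DC's NTDS
# Settings object.  Domain GUID/SID are from the thread; DC1 and its GUID
# are invented.  Lines starting with one space are LDIF continuations,
# which is exactly how the objectCategory line got wrapped in the post.
SAMPLE_LDIF = """\
# record 1
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=de
 mo,DC=com
dc: samdom

# record 2
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: nTDSDSA
objectGUID: 0f3c9e2a-7b1d-4e55-8a6c-2d9f1b3e4c5a

# returned 2 records
"""


def unfold(text: str) -> Iterator[str]:
    """Yield logical LDIF lines, joining ' '-prefixed continuation lines."""
    current: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield current
        current = raw
    if current is not None:
        yield current


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry.

    Handles '#' comments, blank-line record separators and '::' base64 values.
    """
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in unfold(text):
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def is_guid(value: str) -> bool:
    """True if value has the 8-4-4-4-12 hex form --domain-guid expects."""
    return bool(GUID_RE.match(value))


def domain_guid(entries: List[Dict[str, List[str]]]) -> Optional[str]:
    """objectGUID of the domain object: the value --domain-guid controls."""
    for e in entries:
        if "domainDNS" in e.get("objectClass", []) and e.get("objectGUID"):
            return e["objectGUID"][0]
    return None


def dc_guid(entries: List[Dict[str, List[str]]], hostname: str) -> Optional[str]:
    """objectGUID of <hostname>'s NTDS Settings object (assumed DSA GUID)."""
    prefix = f"cn=ntds settings,cn={hostname.lower()},"
    for e in entries:
        if e.get("dn", [""])[0].lower().startswith(prefix) and e.get("objectGUID"):
            return e["objectGUID"][0]
    return None


def msdcs_name(dsa_guid: str, realm: str) -> str:
    """DNS name AD publishes for a DSA GUID: <guid>._msdcs.<realm>."""
    return f"{dsa_guid.lower()}._msdcs.{realm.lower()}"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("domain GUID (set by --domain-guid):", domain_guid(entries))
    dc = dc_guid(entries, "DC1")
    print("DC1 NTDS Settings GUID (regenerated on provision):", dc)
    print("DSA DNS name:", msdcs_name(dc, "samdom.demo.com"))
```

Run it against real output by piping `ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=samdom,DC=demo,DC=com" "(objectClass=domainDNS)"` and the NTDS Settings DN into parse_ldif; the two GUIDs you get back are different objects, and only the first one survives a re-provision with the same --domain-guid.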

