[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'

Olivier MARTIN olivier at labapart.com
Sun May 21 21:29:49 UTC 2023

As I said in my last email, my intention was to not have to regenerate 
the domain controller certificate as explained here: 
when I re-provisioned the same domain (in my test environment). The 
domain controller certificate requires its GUID.

But I mixed "Domain GUID" and "Domain Controller GUID". And I was hoping 
that by passing a known GUID to "samba-tool domain provision", I would be 
able to re-use my domain controller certificate without having to 
regenerate a new one every time I re-provision my domain in my test 
environment. But what is passed to "samba-tool domain provision" is the 
"domain GUID" - not the "domain controller GUID".

On 19.05.23 12:20, Rowland Penny via samba wrote:
> On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
>> Thanks Andrew for your reply.
>> Actually, I started to dive into the code just before your answer to 
>> try to analyze and potentially fix the issue. But after stepping back 
>> I actually realized I was looking at the wrong LDAP entry!
>> My initial intention was to set the domain controller's GUID to a 
>> known GUID to avoid regenerating certificates when I recreate my 
>> Samba AD DC environment - as the certificate generation is 
>> explained here: 
>> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>> But I have actually realized I mixed "Domain GUID" and "Domain 
>> Controller GUID"! When I looked at the domain GUID in the LDAP 
>> directory, I confirm I can find the one specified in the command line 
>> "samba-tool domain provision" :-)
>> sudo ldbsearch  --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>> dn: DC=samdom,DC=demo,DC=com
>> objectClass: top
>> objectClass: domain
>> objectClass: domainDNS
>> instanceType: 5
>> whenCreated: 20230512211402.0Z
>> uSNCreated: 10
>> name: samdom
>> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
>> objectSid: S-1-5-21-1683713074-1702463723-3046006099
>> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
>> dc: samdom
>> (...)
>> So, there is no bug - only misunderstanding from my side :-)
>> So I guess I have no choice but to regenerate the certificate of my 
>> domain controller when I recreate my Samba AD DC domain environment.
> I suppose this has to be asked:
> Why do you need to be able to recreate your AD DC domain environment ?
> Rowland
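The check behind this thread, written out as an added example (not code from the thread or from the Samba project): parse the LDIF that ldbsearch prints, confirm that the domain object's objectGUID is the value handed to `samba-tool domain provision --domain-guid`, and show that it is a different value from the domain controller's own objectGUID, which is the one a DC certificate is tied to. The domain sample is the output quoted above (trimmed); the DC object sample, its DN and its GUID are constructed here. The `ldbsearch()` wrapper assumes the `-H` and `--basedn=` flags as used in the thread and is only needed when running against a live sam.ldb as root.

```python
"""Verify which objectGUID 'samba-tool domain provision --domain-guid' set.

The domain GUID lives on the domain object (DC=samdom,DC=demo,DC=com);
the domain controller's own objectGUID is a separate attribute on a
separate object, so re-using --domain-guid cannot preserve it.
"""
import base64
import subprocess
import uuid
from typing import Dict, List, Optional

# Constructed sample: the ldbsearch output quoted in the thread, trimmed,
# with one line folded the way the mail client folded it.
SAMPLE_DOMAIN_LDIF = """\
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,
 DC=com
dc: samdom

# returned 1 records
"""

# Constructed sample for the DC's own object: DN, name and GUID are made up.
SAMPLE_DC_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=demo,DC=com
objectClass: computer
name: DC1
objectGUID: 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
dNSHostName: dc1.samdom.demo.com
"""

Entry = Dict[str, List[str]]


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldbsearch LDIF output into a list of {attribute: [values]} dicts."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):           # ldbsearch summary / comment lines
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def object_guid(entries: List[Entry], dn: str) -> Optional[uuid.UUID]:
    """Return the objectGUID of the entry with the given DN (case-insensitive), or None."""
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == dn.lower():
            values = entry.get("objectGUID")
            return uuid.UUID(values[0]) if values else None
    return None


def provisioned_guid_matches(ldif_text: str, basedn: str, provided_guid: str) -> bool:
    """True when the domain object's objectGUID equals the --domain-guid value.

    uuid.UUID normalises case and braces, so 'A529...' and 'a529...' compare equal.
    """
    found = object_guid(parse_ldif(ldif_text), basedn)
    return found is not None and found == uuid.UUID(provided_guid)


def ldbsearch(basedn: str, expression: str, *attrs: str, sam_ldb: Optional[str] = None) -> str:
    """Run ldbsearch on a live DC (root needed) and return its LDIF output."""
    cmd = ["ldbsearch"]
    if sam_ldb:
        cmd += ["-H", sam_ldb]
    cmd += [f"--basedn={basedn}", expression, *attrs]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    basedn = "DC=samdom,DC=demo,DC=com"
    print("domain GUID matches --domain-guid:",
          provisioned_guid_matches(SAMPLE_DOMAIN_LDIF, basedn,
                                   "a5291573-906f-467d-9d63-451204bb9abb"))
    dc_dn = "CN=DC1,OU=Domain Controllers," + basedn
    print("DC objectGUID is a different value:",
          object_guid(parse_ldif(SAMPLE_DC_LDIF), dc_dn)
          != object_guid(parse_ldif(SAMPLE_DOMAIN_LDIF), basedn))
```

Against a real DC, replace the samples with `ldbsearch("DC=samdom,DC=demo,DC=com", "objectclass=domain", "objectGUID")` and the DC's own object; the comparison then tells you after a re-provision whether the domain GUID survived, while the DC GUID check explains why the certificate still has to be reissued.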
