[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
Olivier MARTIN
olivier at labapart.com
Sun May 21 21:29:49 UTC 2023
As I said in my last email, my intention was to not have to regenerate
the domain controller certificate as explained here:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
when I re-provisioned the same domain (in my test environment). The
domain controller certificate requires its GUID.
But I mixed "Domain GUID" and "Domain Controller GUID". And I was hoping
by passing a known GUID to "samba-tool domain provision", I would be able
to re-use my domain controller certificate without having to regenerate
a new one every time I re-provision my domain in my test environment. But
what is passed to "samba-tool domain provision" is the "domain GUID" -
not the "domain controller GUID".
On 19.05.23 12:20, Rowland Penny via samba wrote:
>
>
> On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
>> Thanks Andrew for your reply.
>>
>> Actually, I started to dive into the code just before your answer to
>> try to analyze and potentially fix the issue. But after stepping back
>> I actually realized I was looking at the wrong LDAP entry!
>>
>> My initial intention was to set the domain controller's GUID to a
>> known GUID to avoid regenerating certificates when I recreate my
>> Samba AD DC environment - as the certificate generation is
>> explained here:
>> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>>
>> But I have actually realized I mixed "Domain GUID" and "Domain
>> Controller GUID"! When I looked at the domain GUID in the LDAP
>> directory, I confirm I can find the one specified in the command line
>> "samba-tool domain provision" :-)
>>
>> sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>>
>> dn: DC=samdom,DC=demo,DC=com
>> objectClass: top
>> objectClass: domain
>> objectClass: domainDNS
>> instanceType: 5
>> whenCreated: 20230512211402.0Z
>> uSNCreated: 10
>> name: samdom
>> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
>> objectSid: S-1-5-21-1683713074-1702463723-3046006099
>> objectCategory:
>> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
>> dc: samdom
>> (...)
>>
>>
>> So, there is no bug - only misunderstanding from my side :-)
>>
>> So I guess, I have no choice but to regenerate the certificate of my
>> domain controller when I recreate my Samba AD DC domain environment.
>>
>
> I suppose this has to be asked:
> Why do you need to be able to recreate your AD DC domain environment?
>
> Rowland
>
>
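As an added illustration of the point the thread settles on (this is example code, not from the thread or from the Samba project): the GUID handed to `samba-tool domain provision --domain-guid` is the `objectGUID` of the domain root object, which is what the `ldbsearch "objectclass=domain"` listing above shows, and it is not the `objectGUID` of the domain controller's own object. The script below parses `ldbsearch` LDIF output, including the folded `objectCategory` line seen in the listing, and reports which object carries a given GUID. The domain entry reuses the values from the thread; the DC entry, its DN (`CN=DC1,OU=Domain Controllers,...`) and its GUID are constructed placeholders, not values from the page.

```python
"""Check which LDAP object carries the GUID passed as --domain-guid.

Parses ldbsearch-style LDIF and compares objectGUID values case-insensitively,
to make the "domain GUID" vs "domain controller GUID" distinction concrete.
"""
import re
import uuid

# Constructed sample, modelled on the ldbsearch listing in the thread.
# The domain entry reuses the thread's values; the DC entry (DN and GUID)
# is an assumed placeholder for illustration only.
SAMPLE_LDIF = """\
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory:
 CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
dc: samdom

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: computer
name: DC1
objectGUID: 11111111-2222-3333-4444-555555555555
"""

DOMAIN_DN = "DC=samdom,DC=demo,DC=com"
DC_DN = "CN=DC1,OU=Domain Controllers,DC=samdom,DC=demo,DC=com"  # assumed


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (a line starting with one space
    continues the previous line) and multi-valued attributes. ldbsearch
    prints objectGUID as a text UUID, so base64 ("::") values are not decoded.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)  # join folded lines
    for line in unfolded.splitlines():
        if not line.strip():             # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):         # LDIF comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalise_guid(value):
    """Canonical lowercase hyphenated form, so case differences do not matter."""
    return str(uuid.UUID(value))


def object_guid(entries, dn):
    """Return the normalised objectGUID of the entry with the given DN, or None."""
    for entry in entries:
        if entry.get("dn", [""])[0].lower() == dn.lower():
            return normalise_guid(entry["objectGUID"][0])
    return None


def objects_with_guid(ldif_text, guid):
    """DNs of all entries whose objectGUID equals `guid` (e.g. the --domain-guid value)."""
    wanted = normalise_guid(guid)
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "objectGUID" in e and normalise_guid(e["objectGUID"][0]) == wanted]


if __name__ == "__main__":
    provisioned = "A5291573-906F-467D-9D63-451204BB9ABB"  # value given to --domain-guid
    print("objects carrying the provisioned GUID:", objects_with_guid(SAMPLE_LDIF, provisioned))
    entries = parse_ldif(SAMPLE_LDIF)
    print("domain objectGUID:", object_guid(entries, DOMAIN_DN))
    print("DC objectGUID:    ", object_guid(entries, DC_DN))
```

Run against real output, feed it the result of `ldbsearch` (for example `sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"` as in the thread) instead of `SAMPLE_LDIF`; only the domain root object will match the provisioned GUID, which is why a certificate bound to the DC's own GUID still has to be regenerated after re-provisioning.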