On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 16/07/2023 07:10, Mark Foley via samba wrote:
> > I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
> > version in my Slackware distro which is currently 4.15.13.
> >
> > In previous threads in this maillist I was advised that the best route to
> > achieve this was to add a 2nd domain controller, then promote that one and
> > demote the original. I'm in the process of setting up a 2nd DC to that end.
> >
> > 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
> > on this 2nd DC interfere with the current/primary DC?
>
> I think you may be following the wrong instructions, the page you linked
> to is for provisioning the first DC in a new domain.
> Have you read this wiki page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> It is only possible to provision one DC in a domain (you actually create
> the domain and then automatically join the first DC during the process),
> after that you join extra DCs to the domain.

Thanks, I'm now referencing your suggested wiki.

Question 1: That wiki says:

    Configuring the /etc/resolv.conf

    Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:

    nameserver 10.99.0.1
    search samdom.example.com

Is the nameserver as shown supposed to be the primary/current AD/DC? Currently,
the AD/DC is 192.168.0.2 and in that host's resolv.conf the nameserver IP is set
to itself. In this joined DC, should the nameserver be the primary/current AD/DC
or itself (192.168.0.7)?

Question 2: After setting krb5.conf per the wiki, the test commands do not work:

    # kinit Administrator
    Password for Administrator@hprs.local:
    kinit: KDC reply did not match expectations while getting initial credentials
    # klist
    klist: No credentials cache found (filename: /tmp/krb5cc_0)

Does something have to be running first? Note that samba is installed, but not
running.
(I'm leaving the following question in this thread for the future, as the wiki page on joining a DC to an existing AD domain does not mention it, but I still have questions.)

> > My current DC was provisioned with --dns-backend=BIND9_FLATFILE. The wiki doc
> > says "do NOT use BIND9_FLATFILE, it is not supported and will be removed in a
> > future Samba version." Given that this machine will be the AD/DC for a dozen
> > Windows 10/11 workstations, what would be the recommended alternative
> > dns-backend?
>
> You have a choice of two:
>
> You can use the Samba internal dns server, which will require little or
> no extra setup, see here:
>
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End
>
> Or you can use Bind9, which requires setting up correctly, see here:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
>
> I cannot recommend using Bind9 with flatfiles, it wasn't ever really
> supported (it was only meant for early versions of Bind9 that didn't
> have bind_dlz, these are now EOL) and really should have been removed by
> now. Using Bind9 with flatfiles was formally deprecated when 4.11.0 was
> released in September 2019 and the 'rndc command' smb.conf parameter
> that it relies on was removed when 4.12.0 was released in March 2020.
>
> Rowland
On 23/07/2023 20:40, Mark Foley via samba wrote:
> On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On 16/07/2023 07:10, Mark Foley via samba wrote:
>>> I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
>>> version in my Slackware distro which is currently 4.15.13.
>>>
>>> In previous threads in this maillist I was advised that the best route to
>>> achieve this was to add a 2nd domain controller, then promote that one and
>>> demote the original. I'm in the process of setting up a 2nd DC to that end.
>>>
>>> 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
>>> on this 2nd DC interfere with the current/primary DC?
>>
>> I think you may be following the wrong instructions, the page you linked
>> to is for provisioning the first DC in a new domain.
>> Have you read this wiki page:
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>
>> It is only possible to provision one DC in a domain (you actually create
>> the domain and then automatically join the first DC during the process),
>> after that you join extra DCs to the domain.
>
> Thanks, I'm now referencing your suggested wiki.
>
> Question 1: That wiki says:
>
>     Configuring the /etc/resolv.conf
>
>     Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:
>
>     nameserver 10.99.0.1
>     search samdom.example.com
>
> Is the nameserver as shown supposed to be the primary/current AD/DC?

It is supposed to be another AD DC (there is no such thing as a 'primary' DC, they are all equal). I have added a note to the wiki page.

> Currently, the AD/DC is 192.168.0.2 and in that host's resolv.conf the nameserver IP is set
> to itself. In this joined DC, should the nameserver be the primary/current AD/DC
> or itself (192.168.0.7)?

Initially the nameserver needs to be another AD DC; once the join succeeds you change it to the new DC's IP address (aka its own IP address).

> Question 2: After setting krb5.conf per the wiki, the test commands do not work:
>
>     # kinit Administrator
>     Password for Administrator@hprs.local:

I really hope that '.local' is a placeholder for the real TLD; '.local' is reserved for Bonjour and Avahi and, as such, shouldn't be used.

>     kinit: KDC reply did not match expectations while getting initial credentials

Provided that kerberos and dns are set up correctly, that should work.

>     # klist
>     klist: No credentials cache found (filename: /tmp/krb5cc_0)
>
> Does something have to be running first? Note that samba is installed, but not
> running.

Your DC needs to be able to contact a DC, preferably itself, but if the computer is pointing at another DC and the required packages are installed, then kinit should work.

Rowland
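The procedure Rowland describes across this thread (point resolv.conf at another DC, write the minimal krb5.conf from the wiki, test with kinit before samba runs, join with a supported dns backend, and only then switch resolv.conf to the new DC's own address), collected into one shell script as an added example. This is the editor's illustration, not code from the thread or from the Samba wiki; the realm HPRS.LOCAL, the addresses 192.168.0.2 and 192.168.0.7, the SAMBA_INTERNAL backend and every function name are assumptions taken from the thread's placeholders. The two pre-flight checks are also the editor's: Kerberos realm names are case-sensitive and AD realms are upper case, and a lower-case `default_realm` in krb5.conf is one common cause of "KDC reply did not match expectations"; and a host that is not yet a DC must not be its own nameserver during the join.

```shell
#!/bin/sh
# Added example (editor's code, not from the Samba wiki or the thread).
# Assumed placeholders: realm HPRS.LOCAL, DNS domain hprs.local,
# existing DC 192.168.0.2, new DC 192.168.0.7.  Adjust before real use.

# Write a resolv.conf pointing at one DNS server with the AD search domain.
write_resolv_conf() {   # file nameserver_ip search_domain
    printf 'nameserver %s\nsearch %s\n' "$2" "$3" > "$1"
}

# Minimal krb5.conf in the shape the Samba wiki shows: realm fixed in the
# file, KDCs found through DNS SRV records (so DNS must work before kinit).
write_krb5_conf() {     # file REALM
    printf '[libdefaults]\n    default_realm = %s\n    dns_lookup_realm = false\n    dns_lookup_kdc = true\n' "$2" > "$1"
}

# Returns 0 when default_realm is present and entirely upper case.
# A lower-case realm is one common cause of
# "kinit: KDC reply did not match expectations" against an AD KDC.
check_realm_uppercase() {   # file
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1")
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Returns 0 when the first nameserver is some address other than our own:
# during the join this host is not a DC yet and cannot answer AD queries.
check_resolv_not_self() {   # file own_ip
    ns=$(sed -n 's/^nameserver[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$ns" ] && [ "$ns" != "$2" ]
}

# The join itself.  Not run automatically; invoke as root, e.g.
#   join_second_dc hprs.local HPRS.LOCAL 192.168.0.2 192.168.0.7
join_second_dc() {   # dns_domain REALM existing_dc_ip own_ip
    domain=$1; realm=$2; other_dc=$3; own_ip=$4
    write_resolv_conf /etc/resolv.conf "$other_dc" "$domain"
    write_krb5_conf /etc/krb5.conf "$realm"
    check_realm_uppercase /etc/krb5.conf \
        || { echo "default_realm must be upper case" >&2; return 1; }
    check_resolv_not_self /etc/resolv.conf "$own_ip" \
        || { echo "resolv.conf must point at another DC during the join" >&2; return 1; }
    # kinit needs a reachable KDC (any DC in the domain), not a local samba process.
    kinit Administrator || return 1
    klist
    # Join as a DC with the internal DNS server (BIND9_FLATFILE is no longer supported).
    samba-tool domain join "$domain" DC -U Administrator --dns-backend=SAMBA_INTERNAL \
        || return 1
    # Only after a successful join: resolve through ourselves.
    write_resolv_conf /etc/resolv.conf "$own_ip" "$domain"
}
```

The check functions can be run on their own against the real `/etc/krb5.conf` and `/etc/resolv.conf` before attempting `kinit`, which separates a configuration mistake from a network or KDC problem.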