Łukasz Michalski
2022-Dec-07 15:21 UTC
[Samba] promote existing domain member to "backup" domain controller
Hi,

I have a domain with a single DC "site-ad" (samba 4.16) and one domain member "backup" (samba 4.15). "backup" currently acts as a files and VM backup server.

This is my config on "site-ad":

    [global]
        netbios name = SITE-AD
        realm = SITE.SAMDOM.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 10.21.0.1
        bind interfaces only = yes
        interfaces = lo ifsrv
        tls keyfile  = /etc/easy-rsa/pki/private/site-ad.samdom.com.key
        tls certfile = /etc/easy-rsa/pki/issued/site-ad.samdom.com.crt
        tls cafile   = /etc/easy-rsa/pki/ca.crt

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    [netlogon]
        path = /var/lib/samba/sysvol/site.samdom.com/scripts
        read only = No

And current config on "backup":

    [global]
    security = ADS
    workgroup = SAMDOM
    realm = SITE.SAMDOM.COM

    log file = /var/log/samba/%m.log
    log level = 1

    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    username map = /etc/samba/user.map

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
    idmap config SAMDOM:unix_nss_info = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/%U

Currently on "backup" the smbd and winbind services are running.

I would like to promote domain member "backup" to domain controller. I am using the internal DNS server on "site-ad" and I want to use the internal one on "backup" too. I do not want AD users to log in to "backup"; it should act only as a backup DC.

Just to be sure, I have to do the following steps on "backup":

- Stop and disable the smb and winbind services.
- Follow https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory, but instead of:

      samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"

  the first step should be:

      samba-tool domain dcpromo DC --option='idmap_ldb:use rfc2307 = yes'

- Remove all lines below "realm" from the smb.conf configuration, and disable the smb and winbind services.
- Enable and start the samba service and check replication and DNS.

I did not find a similar tutorial, so I would be very grateful for any hints or steps that are wrong or missing.

Thanks,
Łukasz
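An added example (not part of the post or of Samba) that applies the poster's plan, "remove all lines below realm", to a constructed copy of the "backup" [global] and flags member-only settings that would survive it, since `security = ADS` sits above `realm` in that config. The DC settings it appends are the ones the post shows on "site-ad"; the member-only key list is an assumption for this check.

```python
import re

# Constructed sample: the "backup" member [global] from the post, cut down to the relevant keys.
MEMBER_SMB_CONF = """\
[global]
security = ADS
workgroup = SAMDOM
realm = SITE.SAMDOM.COM
log file = /var/log/samba/%m.log
winbind enum users = yes
idmap config * : backend = tdb
idmap config SAMDOM:backend = ad
template shell = /bin/bash
"""

# Settings the existing DC "site-ad" uses that the new DC must share (taken from the post).
DC_REQUIRED = [("server role", "active directory domain controller"),
               ("idmap_ldb:use rfc2307", "yes")]

# Assumed list of key prefixes that only belong on a domain member, not on a DC.
MEMBER_ONLY = ("security", "idmap config", "winbind ", "template ",
               "dedicated keytab file", "kerberos method", "username map")

def parse_global(conf):
    """Return [(key, value)] from [global]; keys lower-cased, inner whitespace collapsed."""
    pairs, in_global = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((re.sub(r"\s+", " ", key.strip().lower()), value.strip()))
    return pairs

def cut_below_realm(pairs):
    """The poster's plan: keep [global] up to and including 'realm', drop everything after."""
    kept = []
    for key, value in pairs:
        kept.append((key, value))
        if key == "realm":
            break
    return kept

def leftover_member_options(pairs):
    """Member-only keys still present; this list must be empty before promoting to a DC."""
    return [k for k, _ in pairs if k.startswith(MEMBER_ONLY)]

def dc_global(pairs):
    """Cut below realm, strip member-only keys that sit above it, then add what the DC needs."""
    base = [(k, v) for k, v in cut_below_realm(pairs) if not k.startswith(MEMBER_ONLY)]
    return base + [(k, v) for k, v in DC_REQUIRED if k not in dict(base)]
```

On the sample config `leftover_member_options(cut_below_realm(...))` still reports `security`, which is exactly the line the "remove everything below realm" step would miss.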