Andrew Bartlett
2023-May-16 05:29 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
On Thu, 2023-05-11 at 23:50 +0200, Olivier MARTIN via samba wrote:
> Hello,
>
> I was hoping to reprovision the same domain by specifying the domain
> GUID in the command line tool 'samba-tool domain provision' but I am not
> sure if I missed something or if there is a bug but the specified domain
> GUID is not the one which is created for my domain.
> Specifying the domain SID seems to work as I would expect.
>
> I tested it with Samba shipped by Debian 11 (samba2 4.13.13+dfsg-1~deb11u5)
> and the latest release 'samba-4.18.2'.
>
> *For Samba 4.13.13 packaged by Debian 11:*
>
> 1. I provision my domain specifying the domain name, its GUID and SID:
>
> sudo samba-tool domain provision --use-rfc2307 --realm=SAMDOM.DEMO.COM --domain=samdom --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=D3m0H3l10 --domain-guid=a5291573-906f-467d-9d63-451204bb9abb --domain-sid=S-1-5-21-1683713074-1702463723-3046006099
>
> Is it a bug or have I misunderstood the purpose of '--domain-guid'?

The code is similar for --domain-sid and --domain-guid and the intention is as you expect, to set the domain guid, being the objectGUID of the domain DN, but I note that the only test we have is to show that we don't abort or fault with --domain-guid specified, we don't check if it worked.

More tests are welcome if you would like to contribute them.

Finally, if you let me know why you want to rebuild your domain, I might be able to help you with that.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
Olivier MARTIN
2023-May-19 08:50 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
Thanks Andrew for your reply.

Actually, I started to dive into the code just before your answer to try to analyze and potentially fix the issue. But after stepping back I actually realized I was looking at the wrong LDAP entry!

My initial intention was to set the domain controller's GUID to a known GUID to avoid regenerating certificates when I recreate my Samba AD DC environment, such as the certificate generation explained here:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script

But I have actually realized I mixed "Domain GUID" and "Domain Controller GUID"!

When I looked at the domain GUID in the LDAP directory, I confirm I can find the one specified in the command line "samba-tool domain provision" :-)

sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
whenCreated: 20230512211402.0Z
uSNCreated: 10
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
dc: samdom
(...)

So, there is no bug, only a misunderstanding from my side :-)

So I guess I have no choice but to regenerate the certificate of my domain controller when I recreate my Samba AD DC domain environment.

On 16.05.23 07:29, Andrew Bartlett wrote:
> On Thu, 2023-05-11 at 23:50 +0200, Olivier MARTIN via samba wrote:
>> Hello,
>>
>> I was hoping to reprovision the same domain by specifying the domain
>> GUID in the command line tool 'samba-tool domain provision' but I am not
>> sure if I missed something or if there is a bug but the specified domain
>> GUID is not the one which is created for my domain.
>> Specifying the domain SID seems to work as I would expect.
>>
>> I tested it with Samba shipped by Debian 11 (samba2 4.13.13+dfsg-1~deb11u5)
>> and the latest release 'samba-4.18.2'.
>>
>> *For Samba 4.13.13 packaged by Debian 11:*
>>
>> 1. I provision my domain specifying the domain name, its GUID and SID:
>>
>> sudo samba-tool domain provision --use-rfc2307 --realm=SAMDOM.DEMO.COM --domain=samdom --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=D3m0H3l10 --domain-guid=a5291573-906f-467d-9d63-451204bb9abb --domain-sid=S-1-5-21-1683713074-1702463723-3046006099
>>
>> Is it a bug or have I misunderstood the purpose of '--domain-guid'?
>
> The code is similar for --domain-sid and --domain-guid and the
> intention is as you expect, to set the domain guid, being the
> objectGUID of the domain DN, but I note that the only test we have is
> to show that we don't abort or fault with --domain-guid specified, we
> don't check if it worked.
>
> More tests are welcome if you would like to contribute them.
>
> Finally, if you let me know why you want to rebuild your domain,
> I might be able to help you with that.
>
> Sorry,
>
> Andrew Bartlett
>
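Andrew notes that the existing test only checks that provisioning with --domain-guid does not abort, not that the GUID was actually applied. The script below is an added example (not from the thread or from Samba's own test suite) of the post-provision check a practitioner can run: it reads the domain object's LDIF as printed by ldbsearch and compares objectGUID and objectSid against the values passed to samba-tool. The LDIF embedded here is a constructed sample that mirrors the output posted above; on a live DC you would pipe the real ldbsearch output in instead.

```shell
#!/bin/sh
# Added example: verify that the provisioned domain object carries the
# objectGUID / objectSid requested with --domain-guid / --domain-sid.

# Print the first value of one LDIF attribute read from stdin.
ldif_attr() {
    awk -v a="$1" '$1 == (a ":") { print $2; exit }'
}

# check_domain_ids LDIF EXPECTED_GUID EXPECTED_SID
# Returns 0 when both values match, 1 otherwise (mismatches are reported).
check_domain_ids() {
    ldif=$1; want_guid=$2; want_sid=$3
    got_guid=$(printf '%s\n' "$ldif" | ldif_attr objectGUID)
    got_sid=$(printf '%s\n' "$ldif" | ldif_attr objectSid)
    status=0
    [ "$got_guid" = "$want_guid" ] ||
        { echo "objectGUID mismatch: got '$got_guid', want '$want_guid'"; status=1; }
    [ "$got_sid" = "$want_sid" ] ||
        { echo "objectSid mismatch: got '$got_sid', want '$want_sid'"; status=1; }
    return $status
}

# On a real DC the LDIF comes from the command used in the thread:
#   sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
# Constructed sample standing in for that output (values as posted above).
SAMPLE_LDIF='dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
dc: samdom'

# Expected values are the ones given to 'samba-tool domain provision'.
check_domain_ids "$SAMPLE_LDIF" \
    a5291573-906f-467d-9d63-451204bb9abb \
    S-1-5-21-1683713074-1702463723-3046006099 \
    && echo "domain objectGUID and objectSid match the provision arguments"
```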