samba - May 2023 - Usage of '--domain-guid' parameter of 'samba-tool domain provision'

On Thu, 2023-05-11 at 23:50 +0200, Olivier MARTIN via samba
wrote:
> Hello,
> 
> I was hoping to reprovision the same domain by specifying the domain 
> GUID in the command line tool 'samba-tool domain provision' but I
am
> not 
> sure if I missed something or if there is a bug but the specified
> domain 
> GUID is not the one which is created for my domain.
> Specifying the domain SID seems to work as I would expect.
> 
> I tested it with Samba shipped by Debian 11 (samba2 
> 4.13.13+dfsg-1~deb11u5) and the latest release 'samba-4.18.2'.
> 
> 
> *For Samba **4.13.13 packaged by Debian 11:*
> 
> 1. I provision my domain specifying the domain name, its GUID and
> SID:
> 
> sudo samba-tool domain provision --use-rfc2307 --
> realm=SAMDOM.DEMO.COM --domain=samdom --server-role=dc --dns-
> backend=SAMBA_INTERNAL --adminpass=D3m0H3l10 --domain-guid=a5291573-
> 906f-467d-9d63-451204bb9abb --domain-sid=S-1-5-21-1683713074-
> 1702463723-3046006099

> Is it a bug or have I misunderstood the purpose of '--domain-guid'?
The code is similar for --domain-sid and --domain-guid and the
intention is as you expect, to set the domain guid, being the
objectGUID of the domain DN, but I note that the only test we have is
to show that we don't abort or fault with --domain-guid specified, we
don't check if it worked.

More tests are welcome if you would like to contribute them. 

Finally, if you let me know why you want to rebuild your domain,
I might be able to help you with that.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
Solutions

Thanks Andrew for your reply.

Actually, I started to dive into the code just before your answer to try 
to analyze and potentially fix the issue. But after stepping back I 
actually realized I was looking at the wrong LDAP entry!

My initial intention was to set the domain controller's GUID to a known 
GUID to avoid to regenerate certificates when I recreate my Samba AD DC 
environment - such as the certificate generation is explained here: 
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script

But I have actually realized I mixed "Domain GUID" and "Domain 
Controller GUID"! When I looked at the domain GUID in the LDAP 
directory, I confirm I can find the one specified in the command line 
"samba-tool domain provision" :-)

sudo ldbsearch? --basedn="DC=samdom,DC=demo,DC=com"
"objectclass=domain"

dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
whenCreated: 20230512211402.0Z
uSNCreated: 10
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: 
CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
dc: samdom
(...)


So, there is no bug - only misunderstanding from my side :-)

So I guess, I have no choice to regenerate the certificate of my domain 
controller when I recreate my Samba AD DC domain environment.


On 16.05.23 07:29, Andrew Bartlett wrote:
> On Thu, 2023-05-11 at 23:50 +0200, Olivier MARTIN via samba wrote:
>> Hello,
>>
>> I was hoping to reprovision the same domain by specifying the domain
>> GUID in the command line tool 'samba-tool domain provision' but
I am
>> not
>> sure if I missed something or if there is a bug but the specified
>> domain
>> GUID is not the one which is created for my domain.
>> Specifying the domain SID seems to work as I would expect.
>>
>> I tested it with Samba shipped by Debian 11 (samba2
>> 4.13.13+dfsg-1~deb11u5) and the latest release 'samba-4.18.2'.
>>
>>
>> *For Samba **4.13.13 packaged by Debian 11:*
>>
>> 1. I provision my domain specifying the domain name, its GUID and
>> SID:
>>
>> sudo samba-tool domain provision --use-rfc2307 --
>> realm=SAMDOM.DEMO.COM --domain=samdom --server-role=dc --dns-
>> backend=SAMBA_INTERNAL --adminpass=D3m0H3l10 --domain-guid=a5291573-
>> 906f-467d-9d63-451204bb9abb --domain-sid=S-1-5-21-1683713074-
>> 1702463723-3046006099
>
>
>> Is it a bug or have I misunderstood the purpose of
'--domain-guid'?
> The code is similar for --domain-sid and --domain-guid and the
> intention is as you expect, to set the domain guid, being the
> objectGUID of the domain DN, but I note that the only test we have is
> to show that we don't abort or fault with --domain-guid specified, we
> don't check if it worked.
>
> More tests are welcome if you would like to contribute them.
>
> Finally, if you let me know why you want to rebuild your domain,
> I might be able to help you with that.
>
> Sorry,
>
> Andrew Bartlett
>