Olivier MARTIN
2023-May-19 08:50 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
Thanks Andrew for your reply.

Actually, I started to dive into the code just before your answer to try to analyze and potentially fix the issue. But after stepping back I actually realized I was looking at the wrong LDAP entry!

My initial intention was to set the domain controller's GUID to a known GUID to avoid regenerating certificates when I recreate my Samba AD DC environment, as the certificate generation is explained here: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script

But I have actually realized I mixed "Domain GUID" and "Domain Controller GUID"! When I looked at the domain GUID in the LDAP directory, I confirm I can find the one specified in the command line "samba-tool domain provision" :-)

sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"

dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
whenCreated: 20230512211402.0Z
uSNCreated: 10
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
dc: samdom
(...)

So, there is no bug - only misunderstanding from my side :-)

So I guess, I have no choice but to regenerate the certificate of my domain controller when I recreate my Samba AD DC domain environment.

On 16.05.23 07:29, Andrew Bartlett wrote:
> On Thu, 2023-05-11 at 23:50 +0200, Olivier MARTIN via samba wrote:
>> Hello,
>>
>> I was hoping to reprovision the same domain by specifying the domain GUID in the command line tool 'samba-tool domain provision' but I am not sure if I missed something or if there is a bug but the specified domain GUID is not the one which is created for my domain.
>> Specifying the domain SID seems to work as I would expect.
>>
>> I tested it with Samba shipped by Debian 11 (samba2 4.13.13+dfsg-1~deb11u5) and the latest release 'samba-4.18.2'.
>>
>> For Samba 4.13.13 packaged by Debian 11:
>>
>> 1. I provision my domain specifying the domain name, its GUID and SID:
>>
>> sudo samba-tool domain provision --use-rfc2307 --realm=SAMDOM.DEMO.COM --domain=samdom --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=D3m0H3l10 --domain-guid=a5291573-906f-467d-9d63-451204bb9abb --domain-sid=S-1-5-21-1683713074-1702463723-3046006099
>
>
>> Is it a bug or have I misunderstood the purpose of '--domain-guid'?
> The code is similar for --domain-sid and --domain-guid and the intention is as you expect, to set the domain guid, being the objectGUID of the domain DN, but I note that the only test we have is to show that we don't abort or fault with --domain-guid specified, we don't check if it worked.
>
> More tests are welcome if you would like to contribute them.
>
> Finally, if you let me know why you want to rebuild your domain, I might be able to help you with that.
>
> Sorry,
>
> Andrew Bartlett
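The mix-up in the message above is between two different objectGUID attributes: the one on the domain DN (which `--domain-guid` sets) and the one on the DC's own NTDS Settings object (which the smart-card wiki page keys certificates to). The check below is an added example, not Samba's code: it parses LDIF in the shape `ldbsearch` prints and confirms that only the domain DN carries the provisioned GUID and SID. The NTDS Settings entry and its GUID in the sample are constructed.

```python
"""Tell the provisioned *domain* GUID apart from the *DC* GUID in ldbsearch output."""

# Constructed sample mirroring the ldbsearch output in the thread; the
# NTDS Settings entry (the DC's own object) and its GUID are made up.
SAMPLE_LDIF = """\
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
dc: samdom

dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=demo,DC=com
objectClass: nTDSDSA
objectGUID: 00000000-1111-2222-3333-444444444444
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple unfolded, un-base64'd LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def verify_provision(ldif_text, base_dn, domain_guid, domain_sid):
    """True only if the domain DN carries exactly the GUID and SID passed to provision."""
    entry = parse_ldif(ldif_text).get(base_dn, {})
    guids = [g.lower() for g in entry.get("objectGUID", [])]   # GUIDs compare case-insensitively
    return guids == [domain_guid.lower()] and entry.get("objectSid") == [domain_sid]


def dc_guid(ldif_text):
    """objectGUID of the first nTDSDSA entry: this is the DC GUID, never set by --domain-guid."""
    for dn, attrs in parse_ldif(ldif_text).items():
        if dn.startswith("CN=NTDS Settings,") and "nTDSDSA" in attrs.get("objectClass", []):
            return attrs["objectGUID"][0]
    return None
```

Feed it real output with `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=domain)(objectClass=nTDSDSA))' objectGUID objectSid objectClass` (path is the usual Debian location, adjust to yours) and a False from `verify_provision` means the domain GUID was not applied, whereas a changed `dc_guid` is expected after every re-provision.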
Rowland Penny
2023-May-19 10:20 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
> Thanks Andrew for your reply.
>
> Actually, I started to dive into the code just before your answer to try to analyze and potentially fix the issue. But after stepping back I actually realized I was looking at the wrong LDAP entry!
>
> My initial intention was to set the domain controller's GUID to a known GUID to avoid regenerating certificates when I recreate my Samba AD DC environment, as the certificate generation is explained here: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>
> But I have actually realized I mixed "Domain GUID" and "Domain Controller GUID"! When I looked at the domain GUID in the LDAP directory, I confirm I can find the one specified in the command line "samba-tool domain provision" :-)
>
> sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>
> dn: DC=samdom,DC=demo,DC=com
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> instanceType: 5
> whenCreated: 20230512211402.0Z
> uSNCreated: 10
> name: samdom
> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
> objectSid: S-1-5-21-1683713074-1702463723-3046006099
> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
> dc: samdom
> (...)
>
> So, there is no bug - only misunderstanding from my side :-)
>
> So I guess, I have no choice but to regenerate the certificate of my domain controller when I recreate my Samba AD DC domain environment.

I suppose this has to be asked: Why do you need to be able to recreate your AD DC domain environment?

Rowland