samba - May 2023 - Usage of '--domain-guid' parameter of 'samba-tool domain provision'

On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
> Thanks Andrew for your reply.
> 
> Actually, I started to dive into the code just before your answer to try 
> to analyze and potentially fix the issue. But after stepping back I 
> actually realized I was looking at the wrong LDAP entry!
> 
> My initial intention was to set the domain controller's GUID to a known
> GUID to avoid to regenerate certificates when I recreate my Samba AD DC 
> environment - such as the certificate generation is explained here: 
>
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
> 
> But I have actually realized I mixed "Domain GUID" and
"Domain
> Controller GUID"! When I looked at the domain GUID in the LDAP 
> directory, I confirm I can find the one specified in the command line 
> "samba-tool domain provision" :-)
> 
> sudo ldbsearch? --basedn="DC=samdom,DC=demo,DC=com"
"objectclass=domain"
> 
> dn: DC=samdom,DC=demo,DC=com
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> instanceType: 5
> whenCreated: 20230512211402.0Z
> uSNCreated: 10
> name: samdom
> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
> objectSid: S-1-5-21-1683713074-1702463723-3046006099
> objectCategory: 
> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
> dc: samdom
> (...)
> 
> 
> So, there is no bug - only misunderstanding from my side :-)
> 
> So I guess, I have no choice to regenerate the certificate of my domain 
> controller when I recreate my Samba AD DC domain environment.
> 
I suppose this has to be asked:
Why do you need to be able to recreate your AD DC domain environment ?

Rowland

As I said in my last email, my intention was to not have to regenerate 
the domain controller certificate as explained here: 
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
when I re-provisioned the same domain (in my test environment). The 
domain controller certificate requires its GUID.

But I mixed "Domain GUID" and "Domain Controller GUID". And
I was hoping
by passing a known GUID to "samba-tool domain provision", I will be
able
to re-use my domain controller certificate without having to regenerate 
a new one everytime I re-provision my domain in my test environment. But 
what is passed to "samba-tool domain provision" is the "domain
GUID" -
not the "domain controller GUID".


On 19.05.23 12:20, Rowland Penny via samba wrote:
>
>
> On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
>> Thanks Andrew for your reply.
>>
>> Actually, I started to dive into the code just before your answer to 
>> try to analyze and potentially fix the issue. But after stepping back 
>> I actually realized I was looking at the wrong LDAP entry!
>>
>> My initial intention was to set the domain controller's GUID to a 
>> known GUID to avoid to regenerate certificates when I recreate my 
>> Samba AD DC environment - such as the certificate generation is 
>> explained here: 
>>
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>>
>> But I have actually realized I mixed "Domain GUID" and
"Domain
>> Controller GUID"! When I looked at the domain GUID in the LDAP 
>> directory, I confirm I can find the one specified in the command line 
>> "samba-tool domain provision" :-)
>>
>> sudo ldbsearch? --basedn="DC=samdom,DC=demo,DC=com"
"objectclass=domain"
>>
>> dn: DC=samdom,DC=demo,DC=com
>> objectClass: top
>> objectClass: domain
>> objectClass: domainDNS
>> instanceType: 5
>> whenCreated: 20230512211402.0Z
>> uSNCreated: 10
>> name: samdom
>> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
>> objectSid: S-1-5-21-1683713074-1702463723-3046006099
>> objectCategory: 
>> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
>> dc: samdom
>> (...)
>>
>>
>> So, there is no bug - only misunderstanding from my side :-)
>>
>> So I guess, I have no choice to regenerate the certificate of my 
>> domain controller when I recreate my Samba AD DC domain environment.
>>
>
> I suppose this has to be asked:
> Why do you need to be able to recreate your AD DC domain environment ?
>
> Rowland
>
>