Rowland Penny
2023-May-19 10:20 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
> Thanks Andrew for your reply.
>
> Actually, I started to dive into the code just before your answer to try
> to analyze and potentially fix the issue. But after stepping back I
> actually realized I was looking at the wrong LDAP entry!
>
> My initial intention was to set the domain controller's GUID to a known
> GUID to avoid to regenerate certificates when I recreate my Samba AD DC
> environment - such as the certificate generation is explained here:
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>
> But I have actually realized I mixed "Domain GUID" and "Domain
> Controller GUID"! When I looked at the domain GUID in the LDAP
> directory, I confirm I can find the one specified in the command line
> "samba-tool domain provision" :-)
>
> sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>
> dn: DC=samdom,DC=demo,DC=com
> objectClass: top
> objectClass: domain
> objectClass: domainDNS
> instanceType: 5
> whenCreated: 20230512211402.0Z
> uSNCreated: 10
> name: samdom
> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
> objectSid: S-1-5-21-1683713074-1702463723-3046006099
> objectCategory:
> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
> dc: samdom
> (...)
>
>
> So, there is no bug - only misunderstanding from my side :-)
>
> So I guess, I have no choice to regenerate the certificate of my domain
> controller when I recreate my Samba AD DC domain environment.
>

I suppose this has to be asked:
Why do you need to be able to recreate your AD DC domain environment ?

Rowland
Olivier MARTIN
2023-May-21 21:29 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
As I said in my last email, my intention was to not have to regenerate the domain controller certificate as explained here: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script when I re-provisioned the same domain (in my test environment). The domain controller certificate requires its GUID. But I mixed "Domain GUID" and "Domain Controller GUID". And I was hoping by passing a known GUID to "samba-tool domain provision", I will be able to re-use my domain controller certificate without having to regenerate a new one every time I re-provision my domain in my test environment. But what is passed to "samba-tool domain provision" is the "domain GUID" - not the "domain controller GUID".

On 19.05.23 12:20, Rowland Penny via samba wrote:
>
>
> On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
>> Thanks Andrew for your reply.
>>
>> Actually, I started to dive into the code just before your answer to
>> try to analyze and potentially fix the issue. But after stepping back
>> I actually realized I was looking at the wrong LDAP entry!
>>
>> My initial intention was to set the domain controller's GUID to a
>> known GUID to avoid to regenerate certificates when I recreate my
>> Samba AD DC environment - such as the certificate generation is
>> explained here:
>> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>>
>> But I have actually realized I mixed "Domain GUID" and "Domain
>> Controller GUID"! When I looked at the domain GUID in the LDAP
>> directory, I confirm I can find the one specified in the command line
>> "samba-tool domain provision" :-)
>>
>> sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>>
>> dn: DC=samdom,DC=demo,DC=com
>> objectClass: top
>> objectClass: domain
>> objectClass: domainDNS
>> instanceType: 5
>> whenCreated: 20230512211402.0Z
>> uSNCreated: 10
>> name: samdom
>> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
>> objectSid: S-1-5-21-1683713074-1702463723-3046006099
>> objectCategory:
>> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
>> dc: samdom
>> (...)
>>
>>
>> So, there is no bug - only misunderstanding from my side :-)
>>
>> So I guess, I have no choice to regenerate the certificate of my
>> domain controller when I recreate my Samba AD DC domain environment.
>>
>
> I suppose this has to be asked:
> Why do you need to be able to recreate your AD DC domain environment ?
>
> Rowland
>
>
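To make the distinction the thread arrives at concrete, here is an added example (not from the thread, and not Samba's own code) that parses ldbsearch-style LDIF output and reports which object's objectGUID matches the value given to `--domain-guid`. The domain entry is the one quoted above; the DC computer entry, its DN and its GUID are constructed for illustration.

```python
from typing import Dict, List

# Domain entry as quoted in the thread; the DC computer entry below is
# CONSTRUCTED for this example (its DN and objectGUID are made up).
LDB_OUTPUT = """\
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,
 DC=samdom,DC=demo,DC=com

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: computer
name: DC1
objectGUID: 2f3a0c6e-1b4d-4e1a-9c2d-7b8e5f4a3d21
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF output into entries; every attribute becomes a list
    (objectClass is multi-valued) and leading-space lines are folded."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                        # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif raw.startswith(" ") and last_attr:    # folded continuation line
            current[last_attr][-1] += raw[1:]
        else:
            attr, _, value = raw.partition(":")
            last_attr = attr.strip()
            current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def guid_of(entries, object_class: str) -> str:
    # objectGUID (lower-cased) of the first entry carrying object_class
    for e in entries:
        if object_class in e.get("objectClass", []):
            return e["objectGUID"][0].lower()
    raise KeyError(object_class)

def matches_provision_guid(entries, provision_guid: str) -> Dict[str, bool]:
    # which object's GUID equals the value passed to --domain-guid?
    g = provision_guid.lower()
    return {"domain": guid_of(entries, "domain") == g,
            "domain_controller": guid_of(entries, "computer") == g}
```

Running `matches_provision_guid(parse_ldif(LDB_OUTPUT), "a5291573-906f-467d-9d63-451204bb9abb")` reports that the provision value is the domain object's GUID, while the DC's certificate is tied to the computer object's GUID, which provisioning does not take from the command line.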