Olivier MARTIN
2023-May-21 21:29 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
As I said in my last email, my intention was to not have to regenerate the domain controller certificate as explained here: https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script when I re-provisioned the same domain (in my test environment). The domain controller certificate requires its GUID.

But I mixed "Domain GUID" and "Domain Controller GUID". And I was hoping by passing a known GUID to "samba-tool domain provision", I will be able to re-use my domain controller certificate without having to regenerate a new one every time I re-provision my domain in my test environment. But what is passed to "samba-tool domain provision" is the "domain GUID" - not the "domain controller GUID".

On 19.05.23 12:20, Rowland Penny via samba wrote:
>
>
> On 19/05/2023 09:50, Olivier MARTIN via samba wrote:
>> Thanks Andrew for your reply.
>>
>> Actually, I started to dive into the code just before your answer to
>> try to analyze and potentially fix the issue. But after stepping back
>> I actually realized I was looking at the wrong LDAP entry!
>>
>> My initial intention was to set the domain controller's GUID to a
>> known GUID to avoid to regenerate certificates when I recreate my
>> Samba AD DC environment - such as the certificate generation is
>> explained here:
>> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script
>>
>> But I have actually realized I mixed "Domain GUID" and "Domain
>> Controller GUID"! When I looked at the domain GUID in the LDAP
>> directory, I confirm I can find the one specified in the command line
>> "samba-tool domain provision" :-)
>>
>> sudo ldbsearch --basedn="DC=samdom,DC=demo,DC=com" "objectclass=domain"
>>
>> dn: DC=samdom,DC=demo,DC=com
>> objectClass: top
>> objectClass: domain
>> objectClass: domainDNS
>> instanceType: 5
>> whenCreated: 20230512211402.0Z
>> uSNCreated: 10
>> name: samdom
>> objectGUID: a5291573-906f-467d-9d63-451204bb9abb
>> objectSid: S-1-5-21-1683713074-1702463723-3046006099
>> objectCategory:
>> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
>> dc: samdom
>> (...)
>>
>>
>> So, there is no bug - only misunderstanding from my side :-)
>>
>> So I guess, I have no choice to regenerate the certificate of my
>> domain controller when I recreate my Samba AD DC domain environment.
>>
>
> I suppose this has to be asked:
> Why do you need to be able to recreate your AD DC domain environment ?
>
> Rowland
>
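The distinction Olivier arrives at above (the GUID accepted by `samba-tool domain provision --domain-guid` lands on the domain object, while a domain controller certificate is tied to the DC's own object GUID) is easy to check mechanically. The following script is an added example and not part of the thread or of Samba: it parses the LDIF-style text that `ldbsearch` prints, indexes `objectGUID` by `dn`, and reports which kind of object a given GUID belongs to. The domain entry in the embedded sample reproduces the values quoted in the thread; the DC computer entry and its GUID are constructed placeholders.

```python
"""Added example (not part of the thread): tell the domain GUID apart from a
domain controller's object GUID in ldbsearch output.

samba-tool domain provision --domain-guid sets the objectGUID of the domain
object (DC=samdom,DC=demo,DC=com in the thread).  A DC certificate for smart
card logon embeds the GUID of the DC's own object, which is a different
entry, so a GUID that matches the domain object says nothing about the
certificate.
"""
import uuid

# Constructed sample output.  The domain entry carries the values quoted in
# the thread; the DC entry and its GUID are placeholders (assumption).
SAMPLE_LDBSEARCH_OUTPUT = """\
dn: DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: domain
objectClass: domainDNS
instanceType: 5
whenCreated: 20230512211402.0Z
uSNCreated: 10
name: samdom
objectGUID: a5291573-906f-467d-9d63-451204bb9abb
objectSid: S-1-5-21-1683713074-1702463723-3046006099
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samdom,DC=demo,DC=com
dc: samdom

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=demo,DC=com
objectClass: top
objectClass: computer
name: DC1
objectGUID: 00000000-0000-4000-8000-000000000001
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for each blank-line separated entry."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None          # blank line ends the entry
            continue
        if line.startswith("#"):
            continue                # ldbsearch comment line
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = {}
            entries[value] = current
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def guid_owners(entries):
    """Map each objectGUID (normalised to lower-case hex) to the dn holding it."""
    owners = {}
    for dn, attrs in entries.items():
        for guid in attrs.get("objectGUID", []):
            owners[str(uuid.UUID(guid))] = dn
    return owners


def classify_guid(guid, entries):
    """Say what a GUID identifies: 'domain', 'computer', 'other' or 'unknown'."""
    dn = guid_owners(entries).get(str(uuid.UUID(guid)))
    if dn is None:
        return "unknown"
    classes = entries[dn].get("objectClass", [])
    if "domainDNS" in classes or "domain" in classes:
        return "domain"
    if "computer" in classes:
        return "computer"
    return "other"


def provision_guid_matches_domain(provision_guid, entries):
    """True when the GUID given to --domain-guid is the domain object's GUID.

    This is the check Olivier did by eye in the thread: a match here confirms
    the option set the domain GUID, not the GUID a DC certificate depends on.
    """
    return classify_guid(provision_guid, entries) == "domain"


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDBSEARCH_OUTPUT)
    for g in ("a5291573-906f-467d-9d63-451204bb9abb",
              "00000000-0000-4000-8000-000000000001"):
        print(g, "->", classify_guid(g, parsed))
```

On a real DC you would feed it the output of the two `ldbsearch` queries (one for `objectclass=domain`, one for the DC's own entry) instead of the embedded sample; the parser ignores comment lines but does not decode `attr::` base64 values, which `ldbsearch` does not use for `objectGUID`.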
Rowland Penny
2023-May-22 08:39 UTC
[Samba] Usage of '--domain-guid' parameter of 'samba-tool domain provision'
On 21/05/2023 22:29, Olivier MARTIN via samba wrote:
> As I said in my last email, my intention was to not have to regenerate
> the domain controller certificate as explained here:
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Get_the_Domain_Controller.27s_GUID_with_script when I re-provisioned the same domain (in my test environment). The domain controller certificate requires its GUID.
>
> But I mixed "Domain GUID" and "Domain Controller GUID". And I was hoping
> by passing a known GUID to "samba-tool domain provision", I will be able
> to re-use my domain controller certificate without having to regenerate
> a new one every time I re-provision my domain in my test environment. But
> what is passed to "samba-tool domain provision" is the "domain GUID" -
> not the "domain controller GUID".
>

I understood that, what I didn't understand and what I actually asked was: Why do you need to recreate your AD DC domain environment ?

Rowland