On 24/07/2023 03:16, Mark Foley via samba wrote:
> More information ...
>
> Just to see what would happen, I started samba and joined this future DC to the
> domain. I do have another Linux Samba domain member on this domain, so I just
> copied its smb.conf, started samba, and joined. Interestingly, the joining
> process re-created my smb.conf, mostly with the same settings, but eliminating
> comments and spaces, removing some settings like 'domain master', 'printing',
> and some others, and adding 'server role' and possibly others. Then, the whole
> smb.conf was sorted alphabetically giving:
>
> # Global parameters
> [global]
> client max protocol = SMB3
> client min protocol = SMB2
> disable spoolss = Yes
> max log size = 10000
> netbios name = DC1
> printcap name = /dev/null
> realm = HPRS.LOCAL
> security = ADS
> server role = member server
> server string = HPRS DC1
> template shell = /bin/bash
> usershare allow guests = Yes
> usershare max shares = 10
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = HPRS
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config hprs:backend = ad
> idmap config hprs:schema_mode = rfc2307
> idmap config hprs:range = 10000-10099
That is not an smb.conf for a Samba AD DC, it is the smb.conf for a Unix domain member.
>
> I then joined (I did not use the --dns-backend parameter):
>
> # samba-tool domain join hprs.local -U Administrator
The correct version should have been:
samba-tool domain join hprs.local DC -U Administrator
The command should also have failed because you had an smb.conf file; you
need to remove any existing smb.conf when joining a DC, and the join would
then create a new one.
> Password for [HPRS\Administrator]:
> Joined domain hprs.local (S-1-5-21-1052267278-1962196458-4119365663)
>
> That's all I got as output. I did not get the copious output described in the
> Joining_a_Samba_DC_to_an_Existing_Active_Directory wiki.
>
> Also, I did not use --option='idmap_ldb' as the wiki suggested (the original DC
> was provisioned with --use-rfc2307), because I didn't read far enough in the
> wiki. Do you think this would make a difference? I can un-join and rejoin if
> you think so.
>
> Unfortunately, the kerberos tests still fail:
Well it would; your new 'DC' doesn't appear to be a DC, it appears to be
a Unix domain member.
>
> # kinit Administrator
> Password for Administrator@hprs.local:
> kinit: KDC reply did not match expectations while getting initial credentials
>
> # klist
> klist: No credentials cache found (filename: /tmp/krb5cc_0)
>
> On the other hand, these commands on the existing domain member (not DC) do
> work. That member is running Samba Version 4.6.16 whereas the "new" machine
> is Version 4.15.13. The DC is running Samba version 4.8.2.
>
> So, I think I'm a bit stuck trying to figure out how to get kerberos working on
> this new machine. I have proceeded no further with the wiki instructions. I was
> hoping starting samba would magically work.
>
I suggest you 'leave' the domain, remove the smb.conf and then try the
join again, this time with the 'DC' in the command.
Rowland
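As an added example (not code from this thread or from the Samba project), the following POSIX shell script does the check the reply is making, reading `server role` out of an smb.conf to tell a domain member config from a DC config, and wraps the leave / remove smb.conf / rejoin-with-DC sequence in a function that refuses to run against a file that already describes a DC. The realm `hprs.local`, the `/etc/samba/smb.conf` path and the member settings in the sample config come from the quoted message; the function names, the use of `net ads leave` for the leave step, the systemd unit names and the abridged sample file are assumptions of mine. Parameter names are compared the way Samba does, ignoring case and whitespace.

```shell
#!/bin/sh
# Added example, not code from the samba list thread.
# Assumptions: realm hprs.local and /etc/samba/smb.conf from the thread;
# helper names, systemd unit names and the sample config are mine.

# Print the value of one [global] parameter (name matched ignoring case
# and whitespace, as Samba does), or nothing if it is not set.
smb_param() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        BEGIN { gsub(/[ \t]/, "", key) }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                # comments, blanks
        /^[ \t]*\[/ { sect = tolower(trim($0)); next }      # section header
        sect == "[global]" && index($0, "=") {
            k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            gsub(/[ \t]/, "", k)
            if (k == key) { print trim(substr($0, index($0, "=") + 1)); exit }
        }' "$1"
}

# Lower-cased 'server role', or "auto" when it is unset (Samba then
# derives the role from 'security'; security = ADS means domain member).
smb_server_role() {
    role=$(smb_param "$1" "server role" | tr 'A-Z' 'a-z')
    if [ -n "$role" ]; then printf '%s\n' "$role"; else printf 'auto\n'; fi
}

# Succeeds only if the file describes an AD DC.
is_dc_conf() {
    case "$(smb_server_role "$1")" in
        "active directory domain controller"|"ad dc"|dc) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: an abridged copy of the member smb.conf quoted in
# the thread, written to the path in $1.
sample_member_conf() {
    cat > "$1" <<'EOF'
# Global parameters
[global]
    client max protocol = SMB3
    realm = HPRS.LOCAL
    security = ADS
    server role = member server
    winbind use default domain = Yes
    workgroup = HPRS
    idmap config *:backend = tdb
    idmap config hprs:backend = ad
EOF
}

# The sequence from the reply: leave as a member, move the member
# smb.conf aside, then join again with the DC role. Not run by default.
rejoin_as_dc() {
    realm="${1:-hprs.local}"
    conf="${2:-/etc/samba/smb.conf}"
    if is_dc_conf "$conf"; then
        echo "$conf already carries a DC server role; nothing to do" >&2
        return 1
    fi
    # 1. leave while the member smb.conf is still in place (net needs it)
    net ads leave -U Administrator
    # 2. stop the member-mode daemons (systemd assumed) and move the old
    #    smb.conf away; 'samba-tool domain join ... DC' writes a new one
    systemctl stop smbd nmbd winbind 2>/dev/null || true
    mv "$conf" "$conf.member.bak"
    # 3. join with the DC role (add --dns-backend / the wiki's idmap_ldb
    #    option here if your setup calls for them)
    samba-tool domain join "$realm" DC -U Administrator
    # 4. the generated smb.conf must now describe a DC
    is_dc_conf "$conf"
}

# Usage: sh join-check.sh --rejoin [realm] [smb.conf]
case "${1-}" in --rejoin) rejoin_as_dc "${2-}" "${3-}" ;; esac
```

Run `smb_server_role /etc/samba/smb.conf` before a DC join: if it prints `member server` (or `auto` with `security = ADS`), the file is a member config and has to go before `samba-tool domain join ... DC` is run.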