Convert Member Server to DC


Convert Member Server to DC

Samba - General mailing list
I have some hardware running CentOS 7 and Sernet Samba 4.7 that started
out as a member server that I would like to make into a 2nd DC. However
I am having trouble converting it because it seems I am not removing all
the remnants of the client setup. What I thought I would have to do is this:

1.) net ads leave -U administrator
2.) Remove the machine entry on the 1st DC
3.) mv /var/lib/samba /var/lib/samba-client
4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
5.) samba-tool domain join 2nd DC

I am having problems right off the start in that item 1.) throws this
message:
 > net ads leave -U 'MYDC\administrator'
Enter MYDC\administrator's password:
Disabled account for 'MACHINE' in realm '(null)'

I thought this command would remove the machine account from the 1st DC
but it does not seem to do that, hence item 2. Is it good enough to just
remove the machine account via ldbedit? The last part "in realm
'(null)'" bothers me as it seems the realm should not be null. On the
other hand I can re-join as a client with no issues.

 > net ads join -U 'MYDC\administrator'
Enter MYDC\administrator's password:
Using short domain name -- MYDC
Joined 'MACHINE' to dns domain 'mydc.mydom.com'

Steps 3 and 4 are there for backup in case I want to go back to having
the machine as a client. And 5 would be to join the machine as a 2nd
DC... obviously I would follow all the wiki instructions at step 5. Is
there anything else I have to do to convert?

--
Paul ([hidden email])
Cell: (303)257-5208

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Convert Member Server to DC

Samba - General mailing list
On 12/30/2017 05:22 PM, Paul R. Ganci via samba wrote:
> 1.) net ads leave -U administrator
> 2.) Remove the machine entry on the 1st DC (used ldbedit)
> 3.) mv /var/lib/samba /var/lib/samba-client
> 4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
> 5.) samba-tool domain join 2nd DC
I tried this procedure and it just doesn't want to work. I have this error:

 >samba-tool domain join mydc.mydom.com DC -U"MYDC\administrator" --dns-backend=SAMBA_INTERNAL
Password for [MYDC\administrator]:
workgroup is MYDC
realm is mydc.mydom.com
Deleted CN=DC2,CN=Computers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Adding CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Adding SPNs to CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Setting account password for DC2$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Join failed - cleaning up
Deleted CN=DC2,OU=Domain Controllers,DC=mydc,DC=mydom,DC=com
Deleted CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
Deleted CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydc,DC=mydom,DC=com
ERROR(ldb): uncaught exception - Failed to setup krb5_context: Invalid argument
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run
     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1474, in join_DC
     ctx.do_join()
   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1376, in do_join
     ctx.join_provision()
   File "/usr/lib64/python2.7/site-packages/samba/join.py", line 840, in join_provision
     use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2199, in provision
     secrets_ldb.transaction_commit()

The Kerberos setup is per the wiki and seems to be correct:

 > kinit administrator
Password for [hidden email]:
 > klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting       Expires              Service principal
12/30/2017 19:43:53  12/31/2017 05:43:53
krbtgt/MYDC>[hidden email]

I don't have a clue as to why this join would have failed. I put back
the member server setup and have no problems joining the domain. Any
clues as to what else I have to remove in order to turn this member
server into a DC? Should I just delete everything including the Sernet
samba distro and re-install from scratch?

--
Paul ([hidden email])
Cell: (303)257-5208


Re: Convert Member Server to DC

Samba - General mailing list
On 12/30/2017 07:58 PM, Paul R. Ganci via samba wrote:

> On 12/30/2017 05:22 PM, Paul R. Ganci via samba wrote:
>> 1.) net ads leave -U administrator
>> 2.) Remove the machine entry on the 1st DC (used ldbedit)
>> 3.) mv /var/lib/samba /var/lib/samba-client
>> 4.) mv /etc/krb5.keytab /etc/krb5.keytab-client
>> 5.) samba-tool domain join 2nd DC
> I tried this procedure and it just doesn't want to work. I have this
> error:
>
> >samba-tool domain join mydc.mydom.com DC -U"MYDC\administrator" --dns-backend=SAMBA_INTERNAL
>
Okay, I finally got this all to work. What seemed to help was to move
everything out of the way and then I re-installed the Sernet Samba to
re-create a clean /var/lib/samba. Then the samba-tool domain join worked
as advertised.
--
Paul ([hidden email])
Cell: (303)257-5208
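The five-step procedure in the first post and the resolution in the last one (a clean /var/lib/samba before `samba-tool domain join`) both come down to the same thing: no member-server state may survive into the DC join. The following POSIX sh preflight is an added example written for this thread; it is not code from the thread or from the Samba project. It enumerates the artifacts steps 3 and 4 are meant to move aside and, if asked, moves them aside with the `-client` suffix the thread uses, refusing to overwrite an earlier backup. Assumptions: the optional root-prefix argument (so the check can run against a staging tree), the smb.conf location /etc/samba/smb.conf, and the file names secrets.tdb and secrets.ldb under /var/lib/samba/private (secrets.ldb and private/krb5.conf appear in the join output above; the others are standard Samba locations, not taken from the thread).

```shell
#!/bin/sh
# Added example: preflight for turning a Samba member server into a DC.
# ROOT prefix (first argument, default empty = the live system) is an
# assumption that lets the functions run against a staging directory.

# Print one line per leftover member-server artifact under "$1".
# /var/lib/samba and /etc/krb5.keytab come from the thread; the private/*
# file names and /etc/samba/smb.conf are assumed standard locations.
samba_leftovers() {
  root="${1:-}"
  for p in /var/lib/samba/private/secrets.tdb \
           /var/lib/samba/private/secrets.ldb \
           /var/lib/samba/private/krb5.conf \
           /etc/krb5.keytab; do
    if [ -e "$root$p" ]; then
      echo "leftover: $p"
    fi
  done
  # A member-server smb.conf must not be carried into the DC join; the
  # join writes its own configuration.
  conf="$root/etc/samba/smb.conf"
  if [ -f "$conf" ] && \
     grep -Eiq '^[[:space:]]*server[[:space:]]+role[[:space:]]*=[[:space:]]*member' "$conf"; then
    echo "leftover: /etc/samba/smb.conf declares a member-server role"
  fi
  return 0
}

# Number of leftovers found under "$1" (0 means the tree is clean).
samba_leftover_count() {
  samba_leftovers "${1:-}" | wc -l | tr -d ' '
}

# Exit status 0 when nothing member-server-related remains.
samba_is_clean() {
  [ "$(samba_leftover_count "${1:-}")" -eq 0 ]
}

# Move the member-server state aside (thread steps 3 and 4, plus smb.conf),
# using the "-client" suffix from the thread. Never clobbers an existing
# backup: a second run reports the conflict and returns non-zero.
samba_move_aside() {
  root="${1:-}"
  rc=0
  for p in /var/lib/samba /etc/krb5.keytab /etc/samba/smb.conf; do
    src="$root$p"
    dst="$root$p-client"
    [ -e "$src" ] || continue
    if [ -e "$dst" ]; then
      echo "refusing: $dst already exists (earlier backup?)" >&2
      rc=1
      continue
    fi
    mv "$src" "$dst" && echo "moved $p -> $p-client"
  done
  return "$rc"
}

# Stand-alone use (guarded so sourcing the file has no side effects):
#   SAMBA_PREFLIGHT=check sh preflight.sh      -> list leftovers
#   SAMBA_PREFLIGHT=move  sh preflight.sh      -> move them aside
case "${SAMBA_PREFLIGHT:-}" in
  check) samba_leftovers "" ; samba_is_clean "" && echo "clean: ready for samba-tool domain join" ;;
  move)  samba_move_aside "" ;;
esac
```

Run the `check` mode before `samba-tool domain join ... DC`; if it reports anything, the `move` mode performs the thread's steps 3 and 4 in one go and keeps the earlier copy if you need to fall back to the member-server configuration, which is exactly what the original poster wanted the backups for.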