Add ns7 Samba Domain Controller to an existing Active Directory

For the time being, the server manager only allows provisioning a new Samba Active Directory domain controller for a new domain. However, we can also configure a Samba Domain Controller and join it to an existing Active Directory forest, by following the official procedure from the Samba wiki.
In NethServer 7 the Samba4 Domain Controller runs confined in a Linux container and requires some additional steps to be configured; this is the discussion about why Samba DC runs in a container.

This procedure is experimental and incomplete. It is not designed to work in production environments. It does not integrate with the NethServer backup/restore procedure. According to the Samba docs, a domain controller is never restored from a backup: a new controller is joined instead, as explained at

https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

See this document to remove a domain controller from an AD domain:

https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

Samba's directory replication (DRS) does not replicate the sysvol share, so synchronize its contents separately, as explained (for instance) here:

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

install nethserver-dc

yum install nethserver-dc

in the server manager, configure a green bridge interface (say br0) and pick a free IP address from your LAN (say 192.168.122.123). Then assign the bridge and IP to the nsdc container and set its provision type:

config setprop nsdc IpAddress 192.168.122.123 bridge br0 status enabled ProvisionType wikiadditionaldc

set the DNS domain name (Realm) and Netbios domain name (Workgroup) values

config setprop sssd Realm SAMDOM.EXAMPLE.COM Workgroup SAMDOM

patch the nethserver-dc-join action and write the join credentials (user name on the first line, password on the second) to a special file. The file holds the password in clear text: keep it readable by root only and remove it once the join has completed.

curl https://github.com/NethServer/nethserver-dc/commit/cffad561fbfe8c1ef93ad4d52afedca8537858a5.patch | patch -d / -u -p2
echo -e 'adminuser\npassword' > /root/.joincredentials

follow the messages log in background

tail -f /var/log/messages &

run the nethserver-dc-firststart action manually and follow the log:

/etc/e-smith/events/actions/nethserver-dc-firststart ev

The nsdc container is created by downloading additional RPMs, then started. However, the Samba DC service cannot be started at this point (we implicitly disabled it when we set ProvisionType wikiadditionaldc), so the action waits indefinitely. When the following lines appear in the log, suspend the action by pressing Ctrl+Z:

May 30 09:45:55 neth systemd-nspawn: CentOS Linux 7 (Core)
May 30 09:45:55 neth systemd-nspawn: Kernel 3.10.0-514.el7.x86_64 on an x86_64
May 30 09:46:09 neth kernel: br0: port 2(vb-nsdc) entered forwarding state

This is the stopped process:

[root@neth ~]# ps f
  PID TTY      STAT   TIME COMMAND
21440 pts/1    Ss     0:00 -bash
 1982 pts/1    S      0:00  \_ tail -f /var/log/messages
 1983 pts/1    T      0:00  \_ /usr/bin/perl -w /sbin/e-smith/signal-event nethserver-dc-save
 3459 pts/1    T      0:00  |   \_ /bin/bash /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart nethserver-dc-save
 3549 pts/1    T      0:00  |       \_ sleep 5
 3580 pts/1    R+     0:00  \_ ps f
 3519 pts/0    Ss+    0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
 3732 tty1     Ss+    0:00 -bash

install additional packages in nsdc (this can be done later, too):

yum -y --releasever=7 --installroot=/var/lib/machines/nsdc install vi iputils iproute bind-utils

get a shell on nsdc:

systemd-run -t -M nsdc /bin/bash

From an nsdc shell, edit (vi) /etc/resolv.conf and add the IP of an existing domain controller (e.g. 192.168.122.1) as the primary nameserver (ref. Samba wiki):

domain samdom.example.com
nameserver 192.168.122.1
nameserver 127.0.0.1

Refer to the Samba wiki for the samba-tool invocation:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller

This was my samba-tool invocation:

samba-tool domain join samdom.example.com DC -U'SAMDOM\administrator' --password=secretpass --dns-backend=SAMBA_INTERNAL --option="include = /etc/samba/smb.conf.include"

At the end of the procedure, run this additional command in the nsdc shell, so that the container's Kerberos client configuration is the one generated by the join:

cp -av /var/lib/samba/private/krb5.conf /etc/krb5.conf

Exit from the container shell. From the host machine, regenerate the container's resolv.conf from its template and restart the container:

expand-template  /var/lib/machines/nsdc/etc/resolv.conf
systemctl stop nsdc
systemctl start nsdc

To check the status of the container:

systemctl status nsdc

To see the container system log:

journalctl -M nsdc

Now that nsdc is running with a Samba4 DC instance, we can resume the join procedure. On the host machine:

fg

In the “messages” log file a couple of errors show up; they can be ignored:

[ERROR] UPN suffix update failed (LdapUri=ldaps://192.168.122.88)
...
ERROR(exception): Failed to add members "VM8$" to group "Account Operators" - Unable to find "VM8$". Operation cancelled.

If everything is OK, this should return a record:

getent passwd administrator

And so should this one:

getent passwd administrator@$(hostname -d)

Verify that replication works correctly. Get an nsdc shell, then type:

samba-tool drs showrepl

If there are failures, refer to this document:

https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record
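As an added example (not part of the original post, nor of the nethserver-dc package), the following bash script covers two points of the procedure above: creating the join credentials file without leaving the clear-text password readable by other users (the plain `echo ... > /root/.joincredentials` inherits the shell umask), and checking the output of `samba-tool drs showrepl` for failed replication partners instead of reading it by eye. The file path is passed as an argument, and the two showrepl outputs embedded in the script are constructed for the example (the error code in the failing sample is illustrative); real paths and output come from the procedure.

```bash
#!/bin/bash
# Added example: helpers for the nsdc join procedure. Not part of the
# original post or of nethserver-dc. FILE is a parameter of this example
# (the procedure uses /root/.joincredentials); the showrepl samples are
# constructed.

# write_join_credentials FILE USER PASSWORD
# Writes USER and PASSWORD on two lines, creating FILE with mode 0600 so
# the clear-text password is never world-readable, not even briefly.
write_join_credentials() {
    local file=$1 user=$2 password=$3
    # umask applies only inside the subshell: the file is created 0600
    # before any data is written to it.
    ( umask 077 && printf '%s\n%s\n' "$user" "$password" > "$file" )
    # If FILE already existed with a looser mode, tighten it.
    chmod 600 "$file"
}

# check_showrepl
# Reads `samba-tool drs showrepl` output on stdin; returns non-zero when a
# partner reports a failed last attempt or a non-zero consecutive failure
# count, printing the offending lines to stderr.
check_showrepl() {
    local failures=0 line n
    while IFS= read -r line; do
        case "$line" in
            *"Last attempt"*failed*)
                printf 'replication failure: %s\n' "$line" >&2
                failures=$((failures + 1)) ;;
            *"consecutive failure(s)"*)
                # "N consecutive failure(s)." -> N; leading blanks stripped
                n=${line#"${line%%[0-9]*}"}
                n=${n%% *}
                if [ "$n" -ne 0 ] 2>/dev/null; then
                    printf 'replication failure: %s\n' "$line" >&2
                    failures=$((failures + 1))
                fi ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Constructed samples of showrepl output (abridged): a healthy partner
# and one whose inbound replication keeps failing.
SHOWREPL_OK='Default-First-Site-Name\NSDC
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue May 30 10:12:01 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue May 30 10:12:01 2017 CEST

==== OUTBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue May 30 10:12:01 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue May 30 10:12:01 2017 CEST'

SHOWREPL_BAD='Default-First-Site-Name\NSDC
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue May 30 10:12:01 2017 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Tue May 30 09:40:17 2017 CEST'

# Stand-alone use: "--stdin" checks real showrepl output piped in;
# without arguments the parser is exercised on the constructed samples.
if [ "${1:-}" = "--stdin" ]; then
    check_showrepl
else
    printf '%s\n' "$SHOWREPL_OK" | check_showrepl \
        && echo "sample OK: no replication failures"
    printf '%s\n' "$SHOWREPL_BAD" | check_showrepl 2>/dev/null \
        || echo "sample BAD: replication failures detected (expected)"
fi
```

To check a live DC, copy the script into the container filesystem (it is visible from the host under /var/lib/machines/nsdc, as the yum --installroot line above shows), get an nsdc shell and run `samba-tool drs showrepl | bash showrepl-check.sh --stdin`; a non-zero exit status means a partner is failing. The same clear-text concern applies to `--password=` on the samba-tool command line, which ends up in the shell history and in `ps` output while the join runs; leaving it out makes samba-tool prompt for the password instead.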