# Add ns7 Samba Domain Controller to an existing Active Directory

For the time being, the server manager allows provisioning a new Samba Active Directory domain controller for a new domain. However, we can also configure a Samba Domain Controller and join it to an existing Active Directory forest by following the [official procedure from Samba wiki](https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory).

In NethServer 7 the Samba4 Domain Controller runs confined in a Linux container and requires some additional configuration steps; this is the discussion about [why Samba DC runs in a container](http://community.nethserver.org/t/i-still-dont-get-why-samba-has-to-be-run-in-a-container/4878).

## Experimental

This procedure is experimental and incomplete. It is not designed to work on production environments. It does not integrate with the NethServer backup/restore procedure.

According to Samba docs, a domain controller is never restored. A new controller is joined instead, as explained on https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

See this document to remove a domain controller from an AD domain: https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

Synchronize the ``sysvol`` share contents as explained (for instance) here: https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

## Prerequisites

Install nethserver-dc:

```
yum install nethserver-dc
```

In the server manager, configure a green bridge interface (say br0) and pick a free IP address from your LAN (say 192.168.122.123).
Then assign the bridge and IP to the nsdc container:

```
config setprop nsdc IpAddress 192.168.122.123 bridge br0 status enabled ProvisionType wikiadditionaldc
```

Set the DNS domain name (Realm) and NetBIOS domain name (Workgroup) values:

```
config setprop sssd Realm SAMDOM.EXAMPLE.COM Workgroup SAMDOM
```

Patch the ``nethserver-dc-join`` action and write the join credentials to a special file:

```
curl https://github.com/NethServer/nethserver-dc/commit/cffad561fbfe8c1ef93ad4d52afedca8537858a5.patch | patch -d / -u -p2
echo -e 'adminuser\npassword' > /root/.joincredentials
```

Follow the messages log in the background:

```
tail -f /var/log/messages &
```

Manually run the nethserver-dc-firststart action and follow the log:

```
/etc/e-smith/events/actions/nethserver-dc-firststart ev
```

The nsdc container is created by downloading additional RPMs, then started. However, the Samba DC service cannot be started at this point (we implicitly disabled it when we set ``ProvisionType wikiadditionaldc``), so the action waits indefinitely. When the following lines appear in the log, stop the action by pressing ``Ctrl+Z``:

```
May 30 09:45:55 neth systemd-nspawn: CentOS Linux 7 (Core)
May 30 09:45:55 neth systemd-nspawn: Kernel 3.10.0-514.el7.x86_64 on an x86_64
May 30 09:46:09 neth kernel: br0: port 2(vb-nsdc) entered forwarding state
```

This is the stopped process:

```
[root@neth ~]# ps f
  PID TTY      STAT   TIME COMMAND
21440 pts/1    Ss     0:00 -bash
 1982 pts/1    S      0:00  \_ tail -f /var/log/messages
 1983 pts/1    T      0:00  \_ /usr/bin/perl -w /sbin/e-smith/signal-event nethserver-dc-save
 3459 pts/1    T      0:00  |   \_ /bin/bash /etc/e-smith/events/nethserver-dc-save/S95nethserver-dc-waitstart nethserver-dc-save
 3549 pts/1    T      0:00  |       \_ sleep 5
 3580 pts/1    R+     0:00  \_ ps f
 3519 pts/0    Ss+    0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
 3732 tty1     Ss+    0:00 -bash
```

Install additional packages on nsdc (this can be done later, too):

```
yum -y --releasever=7 --installroot=/var/lib/machines/nsdc install vi iputils iproute bind-utils
```

Get a shell on nsdc:
```
systemd-run -t -M nsdc /bin/bash
```

## Samba domain provision

From a nsdc shell, edit (vi) ``/etc/resolv.conf`` and add the IP of an existing domain controller (e.g. ``192.168.122.1``) as primary ``nameserver`` (ref. [Samba Wiki](https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#DNS_Configuration_on_Domain_Controllers)):

```
domain samdom.example.com
nameserver 192.168.122.1
nameserver 127.0.0.1
```

Refer to the Samba wiki for the ``samba-tool`` invocation: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller

This was my ``samba-tool`` invocation:

```
samba-tool domain join samdom.example.com DC -U'SAMDOM\administrator' --password=secretpass --dns-backend=SAMBA_INTERNAL --option="include = /etc/samba/smb.conf.include"
```

At the end of the procedure, run additional commands in the nsdc shell:

```
cp -av /var/lib/samba/private/krb5.conf /etc/krb5.conf
```

Exit from the container shell. From the host machine:

```
expand-template /var/lib/machines/nsdc/etc/resolv.conf
systemctl stop nsdc
systemctl start nsdc
```

To check the status of the container:

```
systemctl status nsdc
```

To see the container system log:

```
journalctl -M nsdc
```

## Join NethServer to its container

Now that nsdc is running with a Samba4 DC instance, we can resume the join procedure. On the host machine:

```
fg
```

In the "messages" log file a couple of errors occur and can be ignored:

```
[ERROR] UPN suffix update failed (LdapUri=ldaps://192.168.122.88)
...
ERROR(exception): Failed to add members "VM8$" to group "Account Operators" - Unable to find "VM8$". Operation cancelled.
```

## Final checks

If everything is OK, this should return a record:

```
getent passwd administrator
```

And this one too:

```
getent passwd administrator@$(hostname -d)
```

Verify replication works correctly.
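The replication check of this section, automated as an added example that is not part of the original page: it parses ``samba-tool drs showrepl`` output and flags every partner whose consecutive-failure counter is not zero (the embedded sample output is constructed; partner names, timestamps and the error code are made up).

```shell
# Added example, not part of the original page: check the output of
# "samba-tool drs showrepl" for partners reporting consecutive failures.
# The sample below is constructed (partner names and timestamps are made up).
SAMPLE_SHOWREPL='Default-First-Site-Name\NSDC

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue May 30 09:50:12 2017 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue May 30 09:50:12 2017 CEST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue May 30 09:50:15 2017 CEST failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ NTTIME(0)'

# Read showrepl output on stdin. For every neighbour whose failure counter is
# not zero, print "<partition> <partner> <failures>". Exit 1 if any was found,
# 0 when all partners replicated cleanly.
showrepl_failures() {
    awk '
        /^(DC|CN)=/ { partition = $0 }   # naming context being replicated
        / via /     { partner = $1 }     # "SITE\DC via RPC" line
        /consecutive failure\(s\)/ && $1 != 0 {
            print partition, partner, $1
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Live variant, meant to be run from the nsdc shell described on this page;
# it is not exercised by the sample run below.
check_live_replication() {
    samba-tool drs showrepl | showrepl_failures
}

# Demonstration on the constructed sample: the outbound partner is reported.
if printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_failures; then
    echo "replication healthy"
else
    echo "replication failures found"
fi
```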
Get a nsdc shell, then type:

```
samba-tool drs showrepl
```

If there are failures, refer to this document: https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record

## Discussion

http://community.nethserver.org/t/replace-existing-ad-domain-controller-with-ns-rc1/4796/14

v7, accounts-provider howto

Last modified: 2017/10/02 06:51 by Davide Principi