What you want to do in AD terms is set a custom userPrincipalName for every user in the directory, not rename the domain; domains can't be renamed without significant changes in AD (see the RENDOM tool) and I don't believe an equivalent to that exists for samba.
I don't believe Samba 4 supports this, so unless I am wrong you will have to "migrate" the user accounts, meaning creating them all anew on a new instance of a new samba domain with the correct name.
Regarding Kerberos configuration
Samba as an AD/DC ships and runs its own Kerberos server (KDC). So there should not be a need to separately install and configure the kerberos server.
Also, Samba's provisioning tool (`samba-tool domain provision`) produces an example `krb5.conf` file at the end. You should be able to simply copy that to `/etc/krb5.conf`.
Regarding DNS configuration
You chose to use Samba's internal DNS server, which is the standard safe choice. If your `resolv.conf` file already contained `127.0.0.1` as a nameserver entry before, then you probably need to do some changes. Assuming that your server was not a DNS server before, you should not modify `resolv.conf` before running `samba-tool domain provision`. Then `samba-tool` would propose `213.186.33.99` from your `resolv.conf` as the DNS forwarder, and this would be the correct choice. This is the DNS server to which Samba will forward all requests that are not for its own domain.

After Samba's provisioning is done, you should change your `resolv.conf` to only list `127.0.0.1` as nameserver. And it should contain `kimsufi.com` as domain and search entries. But see below for comments on using this domain.
Regarding using the domain kimsufi.com
Your Samba server needs to be authoritative for the DNS domain that you are using as realm/domain for the provision. That means that you should not use the domain of your hoster or any other domain that exists externally.
Whether you need to buy a new domain depends on how you want your new Samba AD domain to be accessed:
- If you want to use it in an isolated network, then you can simply make up a domain like `mydomain.private` and have your AD server own it and have your AD clients use it.
- If instead you want your AD server to be reachable over the internet via an officially known internet domain, then you should own such a domain. This does not require a full domain; it could in principle also be a subdomain of an existing domain like `myaddom.somedomain.com`, but you need control over it. That being said, it is not very advisable to expose an AD server on the internet, so hopefully you are using the first approach.
More information
See the Samba AD DC HOWTO for more information.
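An added example (not part of the answer above and not Samba's own tooling) that turns the `resolv.conf` advice into checks you can run before and after provisioning. Both checks read a `resolv.conf` on stdin, so they work on the constructed sample content embedded here and on `/etc/resolv.conf` on a real host. The function names `forwarder_from_resolv`, `check_post_provision_resolv` and `post_provision_resolv` are hypothetical; the sample files reuse the `213.186.33.99` forwarder and the `kimsufi.com` name quoted in the answer, and `mydomain.private` stands in for the realm you provision.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks for the two resolv.conf
# states the answer describes. Everything reads resolv.conf content on stdin.

# Before provisioning: the first non-loopback nameserver is what
# "samba-tool domain provision" will propose as the DNS forwarder.
forwarder_from_resolv() {
  awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2; exit }'
}

# After provisioning: only 127.0.0.1 as nameserver, and domain/search set to
# the realm the DC is authoritative for. $1 = realm (e.g. mydomain.private).
# Exit status 0 when the file matches, 1 otherwise (with a reason printed).
check_post_provision_resolv() {
  awk -v realm="$1" '
    $1 == "nameserver" { ns++; if ($2 != "127.0.0.1") bad++ }
    $1 == "domain"     { dom = $2 }
    $1 == "search"     { srch = $2 }
    END {
      rc = 0
      if (ns == 0 || bad > 0) { print "FAIL: nameserver entries must be exactly 127.0.0.1"; rc = 1 }
      if (tolower(dom) != tolower(realm))  { print "FAIL: domain entry is \"" dom "\", expected " realm; rc = 1 }
      if (tolower(srch) != tolower(realm)) { print "FAIL: search entry is \"" srch "\", expected " realm; rc = 1 }
      if (rc == 0) print "OK: resolv.conf matches the post-provision layout for " realm
      exit rc
    }'
}

# Render the post-provision file for a realm, as the answer says it should look.
post_provision_resolv() {
  printf 'domain %s\nsearch %s\nnameserver 127.0.0.1\n' "$1" "$1"
}

# Constructed sample: a pre-provision resolv.conf pointing at the hoster's
# resolver (the 213.186.33.99 entry quoted in the answer) and hoster domain.
BEFORE='nameserver 213.186.33.99
search kimsufi.com'

echo "Forwarder samba-tool would propose: $(printf '%s\n' "$BEFORE" | forwarder_from_resolv)"
# The pre-provision file must not pass the post-provision check:
printf '%s\n' "$BEFORE" | check_post_provision_resolv mydomain.private || echo "(expected: not provisioned yet)"
# The rendered post-provision file does pass it:
post_provision_resolv mydomain.private | check_post_provision_resolv mydomain.private
```

The post-provision check deliberately fails when any second nameserver is present: a client-side fallback resolver that does not know the AD zone breaks domain joins and Kerberos SRV lookups intermittently, which is harder to diagnose than a clean failure.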
Best Answer
Assuming we use Ubuntu and Samba 4 is configured as a DC (Active Directory Domain Controller) and we want to change the user with name `Old User` and login `olduser`. To just rename a user's login name, we can use `samba-tool`:

This will open an editor showing the content of the LDAP entry. Change the attributes `sAMAccountName` and `userPrincipalName`, save and exit. You may also want to rename any existing home directory of the user.

We can also edit the LDAP entry directly without using the `samba-tool` but with the `ldb-tools`. Install `ldb-tools`:

Now we can use the `ldb-tools` (`ldbadd`, `ldbdel`, `ldbedit`, `ldbmodify`, `ldbrename`, `ldbsearch`) to search or modify the LDAP database directly.

Locate the Samba LDAP database:

If you installed an Ubuntu packaged version of `samba`, this file should be found at `/var/lib/samba/private/sam.ldb`.

Let's first have a look at that user in the LDAP database:

Search the database:

We use `ldbsearch` for that with the following syntax:

With the `<ldap-filter>` we can specify an expression to filter the entries returned by the search. We can for example use `sAMAccountName=olduser` to filter based on the login name attribute or `CN=Old User` to filter based on the CN (Common Name) attribute:

Change the login name attributes

Create a text file (`rename-login.ldif`) with the following contents:

This will modify the attributes `sAMAccountName` and `userPrincipalName`:

Rename the LDAP entry by renaming the RDN (Relative Distinguished Name)

It looks like renaming an LDAP entry is not possible using the `samba-tool` and we have to use `ldb-tools`:

This will also change the attributes `cn` and `name`, but not some other attributes, still containing the old user name as shown by the next search:

Modify the remaining attributes

To also change some other attributes, like for example `givenName`, `displayName` or `mail`, we can use:

and edit the user interactively or use another `ldbmodify` as follows: Create a text file (`rename-other-attrs.ldif`) with the following contents:

Modify the LDAP entry: