Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Replacing AD with Samba4



I've been using Server 2008r2 to run a pair of Active Directory servers for a
few years.  TechNet's gone bye-bye so I was hoping Samba4 was mature enough to
serve as a replacement.

Alas, setting up a backup/secondary DC attached to my existing AD servers has
proven difficult.  I'm building samba 4.2.3 from scratch.  I ran into two
installation bugs for which the workarounds are:

samba-tool dns add dc01 ether.ci.net dc03 A 192.168.2.63 -Uadministrator
/usr/local/samba/bin/net changesecretpw -f

where dc01 is the existing primary DC, and dc03 is my new one at IP
192.168.2.63.  I can authenticate to the credentials that are stored on my
primary DC using the smbclient command.

There are still two problems, though:

1) 'samba-tool drs showrepl' gets a NT_STATUS_LOGON_FAILURE (meaning I can't
verify that replication's working, or not).

2) The samba_dnsupdate process gets an error in syslog "RuntimeError: kinit
for DC03$@ETHER.CI.NET failed (Preauthentication failed)" and prevents the
internal DNS server from coming up.

I think I've probably got kerberos misconfig problems, but note that my
kerberos install is also from scratch, attempting to follow instructions at
the Samba site. I'm not sure why my configuration's so different from anything
that google or the Samba wiki shouldn't be able to address: samba4 came out
around 2011, and all I'm doing is what should be in any build-from-source /
set up replication from Server 2008 tutorial.

Any suggestions?  Is this known to work?  Maybe I should just keep my Windows
servers?  But they're 6+ years old and probably fraught with security holes.

-rich





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
