[Samba] Samba Upgrade-iad
repenny241155 at gmail.com
Wed Nov 5 10:35:41 MST 2014
On 05/11/14 17:00, ray klassen wrote:
> so your question is essentially, why aren't you doing it like me?
Well no, what I was trying to get at was: why are you making things hard
for yourself? Do you know something I don't? Is it better to compile
samba4 & bind yourself?
PS can you please stop replying direct to me and keep it on list.
> OK then. I might in future. I don't know. I imagine there are dozens
> of ways to do what we do.
> I thought there was some compelling technical reason why I had to go
> the backports route. If I did it the hard way, so be it. When I first
> started sysadmin-ing full time I did everything on gentoo. It was
> crazy but I learned twice or three times what I would have learned
> otherwise. Now of course, it's too time consuming. Maybe this will be
> the same.
> On Wednesday, 5 November 2014, 1:52, Rowland Penny
> <repenny241155 at gmail.com> wrote:
> On 04/11/14 19:18, ray klassen wrote:
> > Back when I was first exploring samba4, the debian packages were
> > expressly without the active directory component. From your question,
> > I assume that has changed?
> > The bind9 thing was to enable dlopen which the stock debian bind
> > didn't come with. Again, are you saying that the backports version has
> > that?
> > I don't go to backports as the first choice, generally. Especially
> > when the wiki seems to describe the compile process as the main
> > install method.
> > On Thursday, 30 October 2014, 6:34, Rowland Penny
> > <repenny241155 at gmail.com> wrote:
> > On 29/10/14 22:13, ray klassen wrote:
> > > First of all let me congratulate the wiki writers. The step by step
> > > classic-upgrade guide is very helpful. Here are my notes on the
> > > various steps of the upgrade.
> > >
> > > -- created a vanilla debian wheezy install, installed all the
> > > prerequisites as well as "devscripts"
> > > -- compiled, installed samba using samba-4.1.2
> > > -- created symbolic links from /usr/local/samba/bin to
> > > /usr/local/bin and /usr/local/samba/sbin to /usr/local/sbin because
> > > those directories are in $PATH, and from /usr/local/samba/etc/ to
> > > /etc/samba and from /usr/local/samba/var/log.* to /var/log/samba/* so
> > > that those files will be where I expect.
> > > -- installed slapd, copied over the current ldap files, configured
> > > slapd to load them
> > > -- copied smb.conf and various *db files to a directory
> > > -- downloaded the debian bind9 source deb, added
> > > --with-dlopen=yes to EXTRA_FEATURES= in the debian/rules file
> > > -- ran debuild -us -uc from the bind9 source dir, which created debs
> > > with dlopen support (this is what devscripts was for).
> > > -- ran samba-tool domain classicupgrade ... with --dns-backend=BIND9_DLZ
> > > etc.
> > Can I ask why you compiled samba4 & Bind9, bearing in mind that samba
> > 4.1.11 (soon to be 4.1.13) and bind 9.9.5 are both available from
> > backports?
> > Rowland
> > > -- several collisions had to be edited out of the ldap directory
> > > before the upgrade would complete
> > > -- a trusted domain account had to be removed; an early phase of the
> > > classicupgrade script warned me that it would not be imported, but a
> > > later phase choked apparently because it hadn't been imported. Bug?
> > > -- two groups had different groupnames but the same DisplayName. That
> > > had to be changed.
> > > -- played around with dns. Found that windows boxes really like to
> > > talk to the domain controller itself and not a slave.
> > >
> > > ONGOING MOP-UP
> > > -- have been busy reconnecting all the services that depended on
> > ldap to active directory, learning kerberos
> > >
> > > -----------------
> > > Some things did not work as expected. 1) all the computers did not
> > > automatically join the new domain. Some did and some did not. The
> > > computers that were at the head office, presumably in the same
> > > broadcast domain, all joined automatically, once I configured the
> > > domain controller as DNS server assigned by DHCP. The computers at our
> > > satellite offices (approximately 30) did not. This may be because I had
> > > LMHOSTS files on all those machines, except that after delete and
> > > reboot (DNS still pointed at the DC -- I didn't forget) they didn't
> > > autoconnect. I have manually had to move them from OURDOMAIN to
> > > OURDOMAIN.sample.com and then they function normally as domain members.
> > > THE SHOW STOPPER (not addressed anywhere although I would think it a
> > > fairly obvious course of action): Our main production file server is
> > > still running samba 3 and I didn't see any reason to upgrade it at
> > > this point, as from my experiments earlier I found that the permission
> > > semantics would now be NTFSish and I had a fair amount of data being
> > > shared in numerous shares with the assumption of unix permissions --
> > > lots of "force group" and "create mask" directives. So I would think
> > > that having created an AD DC I could load up winbind and just connect
> > > to the new domain controller, and it successfully did join. And then...
> > > nothing. Winbind could not download any list of users. wbinfo -u gave
> > > me nothing. After a lot of searching I found that "wbinfo -t" would
> > > test your connection (not having used much winbind before, I
> > > didn't know) and it appeared that the secrets.tdb file did not have
> > > the right info for winbind to use. Not knowing anything else to do I
> > > shut down samba and winbind, deleted secrets.tdb and performed a net
> > > join again. After that wbinfo -t was successful and wbinfo -u gave the
> > > standard list of users. Reconfiguring nss from ldap to winbind, etc.
> > > is documented elsewhere.
> > >
> > > !!! if this is a standard method (i.e. if simply deleting
> > > secrets.tdb is acceptable) I'll put something on the wiki (I can) in
> > > the classic upgrade page about repurposing an existing samba3/LDAP
> > > domain controller. Because it really is a showstopper when you can't
> > > actually connect back to your data.
> > > -- The other thing that had to be done was any shares in smb.conf on
> > the repurposed file server with limited access based on user or group
> > had to be changed to "ourdomain\user" or "ourdomain\group" but this,
> > though painful was just par for the course.
> > >
> > > Anyhow, the wiki seems to indicate that you want accounts of
> > > upgrades. Here's mine, with emphasis on the stuff that wasn't covered
> > > as well as it might have been.
> > >
> Hi, I am running a Debian 7.5 AD DC with samba 4.1.11 & bind 9.9.5 from
> backports without problem. Does that answer your question?
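The build-and-upgrade steps in ray's notes (rebuild Debian's bind9 with dlopen support, then run the classic upgrade with the BIND9_DLZ backend) as an added example script. This is not code from the original post or from the Samba project; the working directory, the directory holding the copied Samba 3 files, the realm and the package set installed with dpkg are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the Samba project:
# the Debian wheezy procedure described in the thread, scripted. It rebuilds
# bind9 with --with-dlopen=yes so Samba's BIND9_DLZ backend can be loaded,
# then runs samba-tool domain classicupgrade against the copied Samba 3 data.
# The working directory, backup directory and realm are assumptions.
set -eu

# Prepend --with-dlopen=yes to the EXTRA_FEATURES= assignment in
# debian/rules. Prepending (rather than appending) keeps a trailing
# backslash continuation intact, and the grep makes the edit idempotent.
enable_dlopen() {
    rules="$1"
    if grep -q -- '--with-dlopen=yes' "$rules"; then
        return 0
    fi
    sed 's/^EXTRA_FEATURES=/EXTRA_FEATURES=--with-dlopen=yes /' "$rules" \
        > "$rules.tmp" && mv "$rules.tmp" "$rules"
    grep -q -- '--with-dlopen=yes' "$rules"   # fail if there was no EXTRA_FEATURES= line
}

# Fetch the bind9 source package (needs deb-src lines in sources.list),
# patch its rules file and build unsigned packages (-us -uc: no GPG
# signature on the source or the .changes file).
rebuild_bind9() {
    workdir="$1"                        # assumption: e.g. /usr/local/src/bind9-dlz
    mkdir -p "$workdir" && cd "$workdir"
    apt-get source bind9
    apt-get build-dep -y bind9
    srcdir=$(ls -d bind9-*/ | head -n 1)
    enable_dlopen "$srcdir/debian/rules"
    (cd "$srcdir" && debuild -us -uc)
    # install the rebuilt packages; trim this to the packages your DC needs
    dpkg -i ./*.deb
}

# Run the classic upgrade from the copied Samba 3 smb.conf and *.tdb files.
classic_upgrade() {
    dbdir="$1"      # assumption: directory holding the copied Samba 3 *.tdb files
    smbconf="$2"    # assumption: the copied Samba 3 smb.conf
    realm="$3"      # assumption: e.g. OURDOMAIN.SAMPLE.COM
    samba-tool domain classicupgrade \
        --dbdir="$dbdir" \
        --use-xattrs=yes \
        --realm="$realm" \
        --dns-backend=BIND9_DLZ \
        "$smbconf"
}

# Post-upgrade sanity checks: database consistency, and the SRV record
# that Windows clients use to locate the DC (served by bind9 via DLZ).
verify_dc() {
    realm="$1"
    samba-tool dbcheck --cross-ncs
    host -t SRV "_ldap._tcp.$(printf '%s' "$realm" | tr 'A-Z' 'a-z')."
}

case "${1:-}" in
    bind9)   rebuild_bind9 "${2:-/usr/local/src/bind9-dlz}" ;;
    upgrade) classic_upgrade "$2" "$3" "$4" ;;
    verify)  verify_dc "$2" ;;
esac
```

Usage: `sh upgrade.sh bind9`, then `sh upgrade.sh upgrade /srv/samba3 /srv/samba3/smb.conf OURDOMAIN.SAMPLE.COM`, then `sh upgrade.sh verify OURDOMAIN.SAMPLE.COM`. The `enable_dlopen` step is kept idempotent on purpose: re-running the script after a failed `debuild` must not leave two copies of the flag in `debian/rules`.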
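The winbind "show stopper" on the repurposed Samba 3 file server, as an added example that is not part of the original post or the Samba project: the two checks ray found (`wbinfo -t` for the machine-account trust, then `wbinfo -u` for user enumeration) turned into a status function, and a rejoin that moves `secrets.tdb` aside rather than deleting it. The private directory, the init service names, and the join account are assumptions; `net ads join` also assumes the member's smb.conf already carries `security = ads` and `realm =`.

```shell
#!/bin/sh
# Added example, not code from the original post or the Samba project:
# the member-server check from the thread (wbinfo -t, then wbinfo -u) as a
# script, plus a rejoin that keeps the old secrets.tdb instead of deleting it.
# Paths, service names and the join account are assumptions.
set -eu

WBINFO=${WBINFO:-wbinfo}                      # overridable so the logic can be tested
PRIVATE_DIR=${PRIVATE_DIR:-/var/lib/samba}    # assumption: Debian's "private dir"

# Classify the winbind state the way the post found it:
#   trust-broken  wbinfo -t fails: the machine password in secrets.tdb is
#                 not accepted by the DC, so nothing else can work
#   no-users      the trust verifies but wbinfo -u returns nothing
#   ok            trust verified and domain users enumerate
winbind_status() {
    if ! "$WBINFO" -t >/dev/null 2>&1; then
        echo trust-broken
        return 0
    fi
    users=$("$WBINFO" -u 2>/dev/null || true)
    if [ -z "$users" ]; then
        echo no-users
        return 0
    fi
    echo ok
}

# Rejoin the AD domain. secrets.tdb also stores the server's local SID and
# any stored LDAP admin password, so it is moved aside, not deleted; the old
# SID can be restored with "net setlocalsid" if local group mappings break.
rejoin_domain() {
    join_user="${1:-Administrator}"
    stamp=$(date +%Y%m%d%H%M%S)
    service winbind stop
    service samba stop
    if [ -f "$PRIVATE_DIR/secrets.tdb" ]; then
        mv "$PRIVATE_DIR/secrets.tdb" "$PRIVATE_DIR/secrets.tdb.$stamp"
    fi
    net ads join -U "$join_user"              # prompts for the password
    service samba start
    service winbind start
    sleep 2                                   # give winbindd a moment to connect
    [ "$(winbind_status)" = ok ]
}

case "${1:-}" in
    check)  winbind_status ;;
    rejoin) rejoin_domain "${2:-Administrator}" ;;
esac
```

Run `sh winbind-check.sh check` first; only a `trust-broken` result justifies the rejoin, since `no-users` with a working trust points at idmap or `winbind enum users` configuration rather than at `secrets.tdb`. Before a rejoin, `net getlocalsid` records the SID worth keeping.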