[Samba] Howto test upgrades?

Johannes Amorosa | Celluloid VFX johannesa at celluloid-vfx.com
Wed Apr 20 07:29:09 UTC 2016

On 04/19/2016 04:39 PM, Klaus Hartnegg wrote:
> Hi,
> maybe this thread should ask an even more general question:
> How are AD-DC admins supposed to test upgrades? If there is more than 
> one AD-DC, an upgraded DC which causes problems cannot (must not) be 
> restored from backup. This is one of the reasons why I do not want to 
> switch to AD. A PDC *can* simply be restored from backup. It is even 
> enough to switch back to the previous contents of /usr/local/samba, a 
> matter of seconds.
Since the upgrade to an AD domain (1.5 years) we have had several issues 
with samba AD and we never achieved the feeling of being in control. To 
be fair, samba has a much bigger responsibility than before and we can 
do things we couldn't before.

We are deploying our software with ansible and dynamically generating 
docker containers - I'm trying to create an ansible playbook for samba 
with three different flavors:

1. Create new domain controller from template for disaster recovery: 
Install configuration, add users, add groups, add dns entries - all 
from (plain text) backup.
2. Add new domain controller to existing domain (Join, rsync sysvol ..)
3. Create domain member (file server): Install configuration, pam... --> 
done already

This is a lot of effort because we didn't really understand how to 
continuously backup and replay a running domain. Samba gives us so much 
headache that it is worth dedicating some time to this to get it right.

These playbooks can be run on vms, containers and real servers for 
continuous testing. Yup, we're paranoid.

I believe the truth is to have a replay strategy and to test it 
automatically with a backup; this is, at least for me, the only confidence 
I get running software we are depending on.
Samba has to be treated like other (web-)software and continuous 
integration is the key here - then the update day is not always so 

Samba is great, but my 2 cents: it would be helpful if samba development 
would focus a bit more on integrated backup strategies and easy robust 
deployment. These things come to mind:

- sysvol replication integrated
- automatic promoting/joining/replicating etc. I never want to be 
bothered using samba-tool for normal replicated setup - One namespace in 
config should do the trick.
- integrated backup tool for everything that needs to be backed up to 
bring up the same domain with one command: samba import backup

Don't get me wrong, a lot of issues are already being worked on and a 
lot of things have been simplified.

Samba should feel more like e.g. MongoDB, where it is trivial to add and 
remove instances dynamically and make backups, but of course that is 
comparing different things.
Hope this helps

> Should we force all clients to use/test the upgraded DC by switching 
> the other DCs off, and in case of problems turn the new DC off, the 
> others back on, and then wipe the upgraded DC? Is it enough to wipe 
> /usr/local/bin, make install, rejoin, copy sysvol?
> regards,
> Klaus

Johannes Amorosa | Celluloid VFX

Celluloid Visual Effects GmbH & Co. KG
Paul-Lincke-Ufer 39/40, 10999 Berlin
