[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC

Rowland Penny rpenny at samba.org
Wed Sep 28 17:43:38 UTC 2016


On Wed, 28 Sep 2016 11:33:29 -0500
Bob of Donelson Trophy <bob at donelsontrophy.net> wrote:

> On 2016-09-28 11:22, Rowland Penny via samba wrote:
> 
> > On Wed, 28 Sep 2016 16:11:23 +0000
> > Charish Patel via samba <samba at lists.samba.org> wrote:
> > 
> >> Hi folks,
> >> 
> >> I've been tasked with a migration of our servers and, as the
> >> subject implies, part of it involves a PDC and BDC that were set
> >> up before my time. However, I'm trying to accomplish a little bit
> >> more to give myself, the sysadmin, a little bit more automation
> >> capability:
> >> 
> >> * Migrate the PDC and BDC both to new servers (part of this
> >> I've already done with copying /etc/passwd, group, shadow, and
> >> gshadow along with smb.conf, secrets.tdb and passwd.tdb. There is
> >> no LDAP and/or Kerberos configuration).
> >> 
> >> * Upgrade the PDC and BDC to AD Controllers that will work
> >> in redundancy.
> >> 
> >> * Updating our netlogon script to mount Samba shares based
> >> on the user logging in.
> >> 
> >>   - Part of this is getting a non-.bat script to work with both
> >> Windows and Mac (it's mostly a Windows environment, but we have 12
> >> Macs as well). I was thinking something along the lines of trying
> >> to detect the OS via a fastscan with nmap and, based on the OS,
> >> kick off logon.bat (Windows) or login.sh (for Macs) in order to
> >> mount the network shares as well as pushing out an agent that
> >> takes an inventory of the workstations logging in.
> >> 
> >>     - The Macs haven't been joined to the domain yet, but with the new
> >> Samba instances it's something I'm looking into doing.
> >> 
> >> * The part that has me nervous: actually testing all this
> >> out. My biggest concern is if I spin up the new Samba AD
> >> controllers, it will interfere with the existing ones and thereby
> >> causing hell for my users. Is there any way to isolate the set up
> >> for testing so that, if it's successful, it'd just be a matter of
> >> shutting down the old PDC and BDC, spin up the new redundant AD
> >> controllers and have the users be able to continue working
> >> seamlessly.
> >> 
> >> This is my first time working with Samba to this extent and I've
> >> done some reading based on the documentation for Samba
> >> (specifically,
> >> https://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html)
> >> and random blogs, but wanted to see if someone could provide a
> >> more exact answer. I'm not necessarily looking for the exact
> >> commands, just a guideline from some folks who may have done
> >> something like this before. What I'm currently working with:
> >> 
> >> Old setup
> >> PDC is running on Samba 4.1.17 on top of Debian 8 with bind9
> >> acting as the DNS server
> >> BDC is running on Samba 3.6.6 on top of Debian 7 with bind9 running
> >> as well, but the configuration seems to be the default
> >> 
> >> New setup
> >> Debian 8.6 with Samba 4.2.10 for both servers that
> >> the soon-to-be redundant AD Controllers will be sitting on.
> >> 
> >> Please let me know if more information is needed and MUCH
> >> appreciated in advance to those who can help!
> >> 
> >> Charish
> > 
> > Is there some reason why you aren't considering upgrading to AD?
> > 
> > Rowland
> 
> Rowland, she said that she was. (highlighted above . . . sorry.)
> 

Sorry, I just fixated on PDC and BDC.

I wouldn't use the 4.2.10 packages from Debian; the 4.2.x series is now
EOL. There are 4.4.5 packages in sid and stretch, but then would you
want to run versions of Debian in production that are also known as
unstable and testing?

I am rapidly coming to the opinion that it is probably best to compile
Samba yourself. This way, if you do hit a problem that is fixed in a
later version, or there is a patch to fix your problem, you can easily
compile Samba again.

Rowland
 


