[Samba] Need advice on upgrading from 4.3.11 to 4.8.3
Rowland Penny
rpenny at samba.org
Mon Jul 16 08:23:27 UTC 2018
On Mon, 16 Jul 2018 08:03:22 +0000 (UTC)
Taner Tas <taner76 at gmail.com> wrote:
> > Hi all,
> >
> > We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba
> > 4.3.11. We are planning to upgrade it to a recent version, probably
> > 4.8.3.
> >
> > I think that I have two options:
> >
> > a) Package upgrade via 3rd party repositories (Louis Van Belle's
> > repo) by following the wiki.
> >
> > b) A fresh install of 4.8.3 on another VM, then join it to 4.3.11 as
> > a backup DC, then transfer all FSMO roles to the new one and finally
> > demote the older one.
> >
> > Since this is a production environment, I have to accomplish this task
> > transparently. Is there anyone out there who did the same task before?
> > I'll appreciate any advice regarding this.
> >
> > Thanks.
>
>
> I would go with option 'b', but it sounds like you only have one DC, I
> would also create a second DC. I would also ensure they were on
> different hardware, whether they are in VM's or not.
>
> Also, you should get out of calling DC's anything other than just a
> DC, all DC's are equal except for the FSMO roles and they can be on
> any DC.
>
> Rowland
>
> I tried to join 4.8.2 (latest one at Louis Van Belle's repo) but I
> got this error:
>
> -----------------
> ldc4# samba-tool domain join testdomain.org.tr DC -U"TESTDOMAIN\administrator" --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'testdomain.org.tr'
> Found DC ldc1.testdomain.org.tr
> Password for [TESTDOMAIN\administrator]:
> workgroup is TESTDOMAIN
> realm is testdomain.org.tr
> Adding CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr
> Join failed - cleaning up
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in join_add_objects
>
> /etc/hosts:
> 10.220.1.19 ldc1.testdomain.org.tr ldc1
> 10.220.1.20 ldc2.testdomain.org.tr ldc2
> 10.220.1.22 ldc4.testdomain.org.tr ldc4
>
> /etc/hostname:
> ldc4
> -----------------
>
> I tested with "LDC3" hostname first, then changed hostname to "LDC4"
> after seeing a deleted DC record with "LDC3" name.
>
> # ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs --show-deleted | grep LDC3
>
> But changing the hostname to "LDC4" didn't help either, as can be seen
> above. I have the same issue with 4.7.6 (Ubuntu official).
>
> I googled this "LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS" error
> during the join operation. Some people had a similar problem but without
> a solution.
>
> ---
> Taner Tas
Have you tried checking the database (samba-tool dbcheck) and compared
the databases on the existing DC's?

You should also only have the 'new' DC's info in /etc/hosts, you should
rely on DNS finding the other DC's i.e. point /etc/resolv.conf at a DC.

You googled the wrong thing ;-)

If you had used 'unique index violation on objectSid', you might have
found this:

https://lists.samba.org/archive/samba/2016-June/200737.html

The problem isn't the name, it might be a RID.

Rowland
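
The RID suggestion in the reply above can be checked offline. This Python is an added example, not code from the thread or from Samba: it assumes `ldbsearch` LDIF saved from the DC the join contacted, including that DC's `CN=RID Set` object, and lists objects whose SID already carries a RID that DC has not yet issued. The function names and the sample data are constructed for illustration.

```python
import re

# Constructed sample in the shape of `ldbsearch` LDIF output; every value is made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=RID Set,CN=LDC1,OU=Domain Controllers,DC=testdomain,DC=org,
 DC=tr
rIDAllocationPool: 1600-2099
rIDPreviousAllocationPool: 1100-1599
rIDNextRID: 1104

dn: CN=alice,CN=Users,DC=testdomain,DC=org,DC=tr
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1103

dn: CN=PC7,CN=Computers,DC=testdomain,DC=org,DC=tr
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def parse_ldif(text):
    """Split LDIF into records (attr -> first value), unfolding wrapped lines."""
    text = re.sub(r"\n ", "", text)  # an LDIF continuation line starts with one space
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and base64 ("attr:: ...") values
            key, value = line.split(": ", 1)
            rec.setdefault(key, value)
        if rec:
            records.append(rec)
    return records

def rid_collisions(records):
    """Return (rIDNextRID, pool end, [(rid, dn)]) for SIDs in the unissued part of the pool."""
    # rIDNextRID holds the last RID this DC issued; the next new object gets that value + 1.
    rid_set = next(r for r in records if "rIDNextRID" in r)
    next_rid = int(rid_set["rIDNextRID"])
    pool_high = int(rid_set["rIDPreviousAllocationPool"].split("-")[1])
    hits = []
    for rec in records:
        m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", rec.get("objectSid", ""))
        if m and next_rid < int(m.group(1)) <= pool_high:
            hits.append((int(m.group(1)), rec["dn"]))
    return next_rid, pool_high, sorted(hits)

if __name__ == "__main__":
    print(rid_collisions(parse_ldif(SAMPLE_LDIF)))
```

Any hit means the next object created on that DC can receive a SID that is already in the database, which is what the "unique index violation on objectSid" message reports.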