[Samba] Need advice on upgrading from 4.3.11 to 4.8.3

Tue Jul 17 06:13:23 UTC 2018

>>> Hi all,
>>>
>>> We have a Samba AD DC service running on Ubuntu 16.0.4 with Samba
>>> 4.3.11. We are planning to upgrade it to a recent version, probably
>>> 4.8.3.
>>>
>>> I think that I have two options:
>>>
>>> a) Package upgrade via 3rd party repositories (Louis Van Belle's
>>> repo) by following wiki.
>>>
>>> b) A fresh install of 4.8.3 on another VM then join it to 4.3.11 as
>>> backup DC, then transfer all FSMO roles on new and finally demote
>>> older one.
>>>
>>> Since this a production environment, I have to accomplish this task
>>> transparently. Is there anyone out there who did same task before?
>>> I'll appreciate any advice regarding this.
>>>
>>> Thanks.
>>
>> I would go with option 'b', but it sounds like you only have one DC, I
>> would also create a second DC. I would also ensure they were on
>> different hardware, whether they are in VM's or not.
>>
>> Also, you should get out of calling DC's anything other than just a
>> DC, all DC's are equal except for the FSMO roles and they can be on
>> any DC.
>>
>> Rowland
>>
>> I tried to join 4.8.2 (latest one at Louis Van Belle's repo) but I
>> got this error:
>>
>> -----------------
>> ldc4# samba-tool domain join testdomain.org.tr DC
>> -U"TESTDOMAIN\administrator" --dns-backend=BIND9_DLZ Finding a
>> writeable DC for domain 'testdomain.org.tr' Found DC
>> ldc1.testdomain.org.tr Password for [TESTDOMAIN\administrator]:
>> workgroup is TESTDOMAIN
>> realm is testdomain.org.tr
>> Adding CN=LDC4,OU=Domain Controllers,DC=testdomain,DC=org,DC=tr
>> Join failed - cleaning up
>> ERROR(ldb): uncaught exception - LDAP error 68
>> LDAP_ENTRY_ALREADY_EXISTS -  <00002071: ../ldb_tdb/ldb_index.c:1216:
>> Failed to re-index objectSid in CN=LDC4,OU=Domain
>> Controllers,DC=testdomain,DC=org,DC=tr - ../ldb_tdb/ldb_index.c:1148:
>> unique index violation on objectSid in CN=LDC4,OU=Domain
>> Controllers,DC=testdomain,DC=org,DC=tr> <> File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>> 176, in _run return self.run(*args, **kwargs) File
>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 706,
>> in run plaintext_secrets=plaintext_secrets) File
>> "/usr/lib/python2.7/dist-packages/samba/join.py", line 1482, in
>> join_DC ctx.do_join() File
>> "/usr/lib/python2.7/dist-packages/samba/join.py", line 1381, in
>> do_join ctx.join_add_objects() File
>> "/usr/lib/python2.7/dist-packages/samba/join.py", line 616, in
>> join_add_objects
>>
>> /etc/hosts:
>> 10.220.1.19     ldc1.testdomain.org.tr      ldc1
>> 10.220.1.20     ldc2.testdomain.org.tr      ldc2
>> 10.220.1.22     ldc4.testdomain.org.tr      ldc4
>>
>> /etc/hostname:
>> ldc4
>> -----------------
>>
>> I tested with "LDC3" hostname first, then changed hostname to "LDC4"
>> after seeing a deleted DC record with "LDC3" name.
>>
>> # ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs
>> --show-deleted | grep LDC3
>>
>> But changing hostname to "LDC4" didn't help either as can be seen
>> above. I have same issue with 4.7.6 (Ubuntu official).
>>
>> I googled this "LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS" error
>> during join operation. Some people had similar problem but without a
>> solution.
>>
>> ---
>> Taner Tas
> Have you tried checking the database (samba-tool dbcheck) and compared
> the databases on the existing DC's ?
>
> You should also only have the 'new' DC's info in /etc/hosts, you should
> rely on dns finding the other DC's i.e. point /etc/resolv.conf at a DC.
>
> You googled the wrong thing ;-)
> if you had used 'unique index violation on objectSid', you might have
> found this:
>
> https://lists.samba.org/archive/samba/2016-June/200737.html
>
> The problem isn't the name, it might be a RID.
>
> Rowland

You are right. The problem was inconsistent VM snapshots that I was using on
my test setup which causing unstable behavior.

I followed same steps with new VM snapshots then join operation has succeeded.
Now I have to do some tests on my test setup before and after demoting old ones.

---
Taner Tas