[Samba] Upgrade Samba 4

L.P.H. van Belle belle at bazuin.nl
Fri Aug 30 12:22:58 UTC 2019


Yes, you can transfer the roles, but personaly, i never do that. 
I upgrade as is, everything looks good atm, so i dont think moving roles is really needed. 
 
 
Greetz, 
 
Louis
 
 

Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
Verzonden: vrijdag 30 augustus 2019 14:07
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Upgrade Samba 4



Hi,

I was able to update.

Apparently everything is OK.

Is it safe to transfer FSMO rols to DC2 (samba 4.10.7) to upgrade DC1 (Samba 4.5.16)? 

Below are the tests I did:

Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Done
Checking smb.conf with samba-tool
INFO 2019-08-30 08:46:53,674 pid:6665 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2019-08-30 08:46:53,675 pid:6665 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Done
Setting up winbind (2: 4.10.7-0.1 ~ deb9) ...
Samba is being run as an AD Domain Controller: Masking winbind.service
Please ignore the following error about deb-systemd-helper not finding those services.
(winbind.service already masked)
Setting up samba (2: 4.10.7-0.1 ~ deb9) ...
Samba is being run as an AD Domain Controller: Masking smbd.service nmbd.service
Please ignore the following error about deb-systemd-helper not finding those services.
(smbd.service already masked)
(nmbd.service already masked)
Processing triggers for libc-bin (2.24-11 + deb9u4) ...

root at samba4-dc2:~# samba -V
Version 4.10.7-Debian


root at samba4-dc2:~# systemctl status samba-ad-dc
samba-ad-dc.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-08-30 08:48:26 -03; 21s ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 6992 (samba)
   Status: "smbd: ready to serve connections..."
    Tasks: 23 (limit: 4915)
   CGroup: /system.slice/samba-ad-dc.service
            6992 samba: root process
            6993 samba: task[s3fs_parent]
            6994 samba: task[dcesrv]
            6995 samba: task[nbtd]
            6996 samba: task[wrepl]
            6997 samba: task[ldapsrv]
            6998 samba: tfork waiter process
            6999 samba: task[cldapd]
            7000 samba: conn[kdc_tcp] c[ipv4:MailScanner warning: numerical links are often malicious: 192.168.91.14:59442] s[ipv4:MailScanner warning: numerical links are often malicious: 192.168.1.22:88] server_id[7000.40]
            7001 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
            7002 samba: task[dreplsrv]
            7003 samba: task[winbindd_parent]
            7004 samba: task[ntp_signd]
            7005 samba: task[kccsrv]
            7006 samba: task[dnsupdate]
            7007 samba: task[dns]
            7008 samba: tfork waiter process
            7009 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
            7017 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
            7018 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
            7019 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
            7022 winbindd: domain child [EMPRESA]
            7023 winbindd: idmap child

ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]: [2019/08/30 08:48:26.873694,  0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]:   /usr/sbin/samba_dnsupdate: GENSEC backend 'http_ntlm' registered
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]: [2019/08/30 08:48:26.873741,  0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]:   /usr/sbin/samba_dnsupdate: GENSEC backend 'http_negotiate' registered
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]: [2019/08/30 08:48:26.873788,  0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]:   /usr/sbin/samba_dnsupdate: GENSEC backend 'krb5' registered
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]: [2019/08/30 08:48:26.873837,  0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
ago 30 08:48:26 samba4-dc2 samba[7006]: task[dnsupdate][7006]:   /usr/sbin/samba_dnsupdate: GENSEC backend 'fake_gssapi_krb5' registered
ago 30 08:48:40 samba4-dc2 samba[7005]: task[kccsrv][7005]: [2019/08/30 08:48:40.887442,  0] ../../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
ago 30 08:48:40 samba4-dc2 samba[7005]: task[kccsrv][7005]:   /usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb


root at samba4-dc2:~# samba-tool drs showrepl
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:samba4-dc2.empresa.com.br[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc2.empresa.com.br<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba4-dc2.empresa.com.br<0x20>
Default-First-Site-Name\SAMBA4-DC2
DSA Options: 0x00000001
DSA object GUID: 45b5b534-9bcc-483c-8f6d-5bbc37dc35e9
DSA invocationId: f621cfd8-7f92-48be-84d9-daa14ef20c05

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ Fri Aug 30 08:48:40 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Aug 30 08:48:40 2019 -03

CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ Fri Aug 30 08:48:40 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Aug 30 08:48:40 2019 -03

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ Fri Aug 30 08:50:16 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Aug 30 08:50:16 2019 -03

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ Fri Aug 30 08:48:40 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Aug 30 08:48:40 2019 -03

DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ Fri Aug 30 08:50:36 2019 -03 was successful
0 consecutive failure(s).
Last success @ Fri Aug 30 08:50:36 2019 -03

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=empresa,DC=com,DC=br
Default-First-Site-Name\SAMBA4-DC1 via RPC
DSA object GUID: a1ab021c-0ef7-4fd3-a69d-28afc7c1260a
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
Connection name: 3135cf0d-0109-4a40-be6f-44e1eca5b5d2
Enabled        : TRUE
Server DNS name : samba4-dc1.empresa.com.br
Server DN name  : CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!



root at samba4-dc2:~# samba-tool ldapcmp ldap://SAMBA4-DC1 ldap://SAMBA4-DC2 -UAdministrator
resolve_lmhosts: Attempting lmhosts lookup for name SAMBA4-DC1<0x20>
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Password for [EMPRESA\Administrador]:
resolve_lmhosts: Attempting lmhosts lookup for name SAMBA4-DC2<0x20>

* Comparing [DOMAIN] context...

* Objects to be compared: 1869

* Result for [DOMAIN]: SUCCESS

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1640

* Result for [CONFIGURATION]: SUCCESS

* Comparing [SCHEMA] context...

* Objects to be compared: 1518

* Result for [SCHEMA]: SUCCESS

* Comparing [DNSDOMAIN] context...

* Objects to be compared: 565

* Result for [DNSDOMAIN]: SUCCESS

* Comparing [DNSFOREST] context...

* Objects to be compared: 31

* Result for [DNSFOREST]: SUCCESS


Regards,


Márcio Bacci

Em sex, 30 de ago de 2019 às 08:44, L.P.H. van Belle <belle at bazuin.nl> escreveu:

No, thats also correct. 
 
Because in 4.10 new packages are added and removed. 
 
you need to run : apt-get dist-upgrade 
 
Small note, i always run : apt-get dist-upgrade -y 
-dy , download and yes. 
 
then run : apt-get dist-upgrade -y 
 
that makes sure you always have all the needed packages on you server before you upgrade. 
 
Greetz, 
 
Louis
 

Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
Verzonden: vrijdag 30 augustus 2019 13:40
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Upgrade Samba 4



Hi, 

Really, version 4.9-12 solved the DBCHECK problem.

Apparently, in version 4.9-12 everything is OK, just not being able to upgrade to version 4.10, as follows:



Reading package lists ... Ready
Building dependency tree
Reading status info ... Ready
10 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists ... Ready
Building dependency tree
Reading status info ... Ready
Calculating update ... Ready
The following packages have been installed automatically and are no longer required:
   libfile-copy-recursive-perl update-inetd
Use 'apt autoremove' to remove them.
The following packages will be kept in their current versions:
   libldb1 libwbclient0 samba samba common samba common bin samba dsdb modules samba libs samba vfs modules winbind
0 updated packages, 0 new packages installed, 0 to be removed and 9 not updated.



I'm using Debian 9.9.


Regards,


Márcio Bacci


Em sex, 30 de ago de 2019 às 06:51, L.P.H. van Belle <belle at bazuin.nl> escreveu:

Hai, 
 
You can safely ignore that mesage. 
 
If both servers are done and running 4.8.  procede to 4.9
 
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element' 
is fixed in later samba versions
 
Greetz, 
 
Louis
 
 
 


Van: Marcio Demetrio Bacci [mailto:marciobacci at gmail.com] 
Verzonden: vrijdag 30 augustus 2019 11:39
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Upgrade Samba 4



Hi,

I upgraded to Samba 4.8-12 as follows:

Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Done
Checking smb.conf with samba-tool
Done
Configurando samba-dsdb-modules:amd64 (2:4.8.12-1~deb9) ...
Configurando winbind (2:4.8.12-1~deb9) ...
Instalando nova versão do arquivo de configuração /etc/init.d/winbind ...
Instalando nova versão do arquivo de configuração /etc/logrotate.d/winbind ...
Samba is being run as an AD Domain Controller: Masking winbind.service
Please ignore the following error about deb-systemd-helper not finding those services.
(winbind.service masked)
Removing obsolete conffile /etc/init/winbind.conf ...
Configurando samba (2:4.8.12-1~deb9) ...
Instalando nova versão do arquivo de configuração /etc/init.d/nmbd ...
Instalando nova versão do arquivo de configuração /etc/init.d/samba-ad-dc ...
Instalando nova versão do arquivo de configuração /etc/init.d/smbd ...
Instalando nova versão do arquivo de configuração /etc/logrotate.d/samba ...
Samba is being run as an AD Domain Controller: Masking smbd.service nmbd.service
Please ignore the following error about deb-systemd-helper not finding those services.
(smbd.service masked)
(nmbd.service masked)
Removing obsolete conffile /etc/init.d/samba ...
Removing obsolete conffile /etc/init/nmbd.conf ...
Removing obsolete conffile /etc/init/reload-smbd.conf ...
Removing obsolete conffile /etc/init/samba-ad-dc.conf ...
Removing obsolete conffile /etc/init/smbd.conf ...
A processar 'triggers' para libc-bin (2.24-11+deb9u4) ...
A processar 'triggers' para systemd (232-25+deb9u11) ...

Replication looks OK (samba-tool drs showrepl), but dbcheck does not.

samba-tool dbcheck --cross-ncs
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 142, in run
    check_expired_tombstones=selftest_check_expired_tombstones)
  File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 200, in __init__
    self.tombstoneLifetime = int(res[0]["tombstoneLifetime"][0])


Regards,


Márcio Bacci


Em sex, 30 de ago de 2019 às 06:18, L.P.H. van Belle via samba <samba at lists.samba.org> escreveu:

Hai, 

No, keep everything as is. 

Since your upgrading from 4.5 ( and this is probely why your upgrade to 4.7 broke ) 
Make sure you settings are respecting config requirements of 4.8. 

If you do hit an error.
Read : http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
And if needed mail the list, im buzy with some servers atm, but i'll keep an eye on the list. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marcio Demetrio Bacci via samba
> Verzonden: vrijdag 30 augustus 2019 11:13
> Aan: sambalist
> Onderwerp: [Samba] Upgrade Samba 4
> 
> Hi,
> 
> To upgrade my secondary DC Samba 4.5-16 to 4.8 should I 
> remove the smb.conf
> file in /etc/samba first? I remember I tried last month to 
> upgrade from
> 4.5-16 to 4.7 and broke the installation.
> 
> Or are just the procedures below enough?
> 
> Create this file repo file for apt.
> echo "deb http://apt.van-belle.nl/debian stretch-samba48 main contrib
> non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
> 
> Import my key.
> wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc 
> | apt-key add
> -
> 
> apt update -y && apt upgrade -y
> Remove the 4.8 line from the repo, enable 4.9 repeat apt update && apt
> upgrade
> systemctl stop samba-ad-dc && systemctl start samba-ad-dc
> 
> Then I will upgrade to 4.9 and 4.10.
> 
> If all goes well, I'll do it for DC Samba 4 Master.
> 
> Regards,
> 
> Márcio Bacci
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba







More information about the samba mailing list