[Samba] Upgrading Samba

Wed Feb 6 13:18:05 UTC 2019

Thank you Rowland for your answer . 
I reply inline.

> 
> On Wed, 6 Feb 2019 15:20:56 +0400
> henri transfert via samba <samba at lists.samba.org> wrote:
> 
> > Hello all,
> >
> > I've planned to upgrade a Samba DC from 4.6.7 to 4.9.4 .
> 
> STOP!
> 
> Do not do this directly, reports on here have shown that this will not work.
> 
> You will have to 'walk' up the versions, it may work if you go to 4.8.3, then to
> 4.9.4, but you may have to go to 4.7.2 first.

Ok thanks for the warning . What will not work exactly ? 

So , what is the recommended path to upgrade ? 
1) from 4.6.7 to 4.7.2 
2) then 4.7.2 to 4.8.3 
3) then 4.8.3 to 4.9.4  ?

Is there a doc on the wiki about this  ? 

> 
> 
> > For that I will use the following method :
> >
> >    - build a new DC from 4.9.4 sources (on CentOS 7)
> 
> Make sure you use Heimdal kerberos. not the Centos default MIT.
I assume Heimdal Kerberos is the one used in 4.6.7 . 
So I guess I will have to enforced Heimdal at compilation time (--with-system-heimdalkrb5 ?) . 

> 
> >    - join this new DC to the domain
> >    - transfer the FSMO roles from the old DC (4.6.7) to the new DC
> > (4.9.4)
> >    - replicate the sysvoldir from old DC to new DC
> >    - demote the old DC
> >    - switch off the old DC
> >
> > Since I prefer to ask before facing any problems, is there any issue I
> > should take care about ? Especially from 4.6 to 4.9 release , is there
> > any big changes or incompatibility that could be a potential source of
> > troubles (Kerberos ? default values ?) ?
> > Would 4.8.8 a better seamless option ?
> >
> > The smb.conf of the old DC is :
> > # Global parameters
> > [global]
> >         netbios name = OLD-DC
> >         realm = MYDOM.MYCOMP.COM
> >         workgroup = MYDOM
> >         dns forwarder = 1.2.3.4
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         ldap server require strong auth = no
> >         ntlm auth = yes
> >         raw NTLMv2 auth = yes
> 
> Why are you still using the very insecure NTLMv1 ?
An old requirement due to old XP clients. I guess I could remove it.

> 
> >
> > [netlogon]
> >         path = /var/lib/samba/sysvol2/mydom.mycomp.com/scripts
> >         read only = No
> >         browseable = no
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol2
> >         read only = No
> >         browseable = no
> 
> Does anybody know where setting 'browseable = no' on 'netlogon' & 'sysvol'
> came from ?
> totally redundant, there is no netbios browsing on a Samba AD DC, it isn't in
> 'nbt'.
If I remove "browsable=no" , I can see shares netlogon and sysvol if I go to \\MY-SAMBA-DC . 
I want them to be hidden. Something wrong here ? 

Thanks. 

Henri

> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba