[Samba] Upgrading your Samba AD-DC from Stretch to Buster, used samba 4.10.6.

L.P.H. van Belle belle at bazuin.nl
Mon Jul 29 09:24:22 UTC 2019

Hi guys, 
After a few messages on the list about Buster, I decided to upgrade one of my production AD-DCs and see what happens. 
I noticed a few things here, so here are the steps and changes I made to upgrade and have a correctly working AD-DC after the upgrade. 
Setup is as follows: Debian Stretch AD-DC with BIND9 DLZ and NTP for time. 
This is still the base I used for my AD-DCs. 

Upgrade steps. 
1) Change your sources files. 
sed -i 's/stretch/buster/g' /etc/apt/sources.list
# If you also use my repository. 
sed -i 's/stretch/buster/g' /etc/apt/sources.list.d/van-belle.list

2) Download the updated packages. 
apt update
apt dist-upgrade -dy
    -dy (-d download only, -y assume yes): this only fetches the packages to your server. 
3) Install the updated packages. 
apt dist-upgrade --autoremove -y
And wait for it all to be upgraded. 
4) Change BIND9. 
If you use the BIND9_DLZ backend, switch the dlz module to the one for the BIND version Buster ships (9.11). 
Samba keeps one "database" line per BIND version in /var/lib/samba/bind-dns/named.conf, with the inactive ones commented out with "#"; only one may be active. 
# disable bind 9.10 
sed -i 's|database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10|# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10|g' /var/lib/samba/bind-dns/named.conf

# enable bind 9.11
sed -i 's|# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11|database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11|g' /var/lib/samba/bind-dns/named.conf

And this is my new config for BIND 9.11 on Buster; only a few changes are needed. 

## Config Begin. 
acl thisserverip {
        // ip of this AD-DC server.
};
acl all-networks {
        // define all your networks here in CIDR format.
};
options {
        directory "/var/cache/bind";
        version "Go Away 0.0.7";
        dnssec-validation no;
        // Disabled forwarders for now, 
        // in an attempt to stop this in the logs: "resolver: info: resolver priming query complete". 
        // Which worked in the end :-) for the config. 
        //forwarders {;;;

        auth-nxdomain yes;    // Default is no, but this server IS the authoritative server for your zones. 
        listen-on-v6 { none; };    // I don't use IPv6 on my AD-DC. 
        listen-on port 53 { thisserverip; };
        notify no;
        // After the upgrade from Stretch to Buster, I added: 
        minimal-responses yes;    // In an attempt to stop this in the logs: "resolver: info: resolver priming query complete".
        // see also: https://gitlab.isc.org/isc-projects/bind9/issues/752 
        empty-zones-enable yes;    // enable this if you see "RFC 1918 response from Internet for" in your logs.
        allow-query { all-networks; };
        // added in an attempt to stop this in the logs: "resolver: info: resolver priming query complete".
        allow-query-cache { all-networks; };
        allow-recursion { all-networks; };
        // NOTE: samba 4.9+ uses /var/lib/samba/bind-dns
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/etc/bind/rndc.key";
controls {
        inet allow { localhost; } keys { rndc-key; };
};
## Config END. 
The above config resulted in correctly working DNS again. 

5) Update the root DNS hints. 
dig www.oneinternetsite.com +trace

6) And if you haven't changed your systemd startup for samba-ad-dc and bind9, I suggest doing so. 

systemctl edit samba-ad-dc   
and add (the drop-in needs the [Unit] section header): 
[Unit]
After=network.target network-online.target bind9.service

systemctl edit bind9

7) Reboot. 
Check the logs; this should result in a correctly running samba-ad-dc again, 
with no errors in your logs. 

You might see one; that might be NTP. Give it time to sync the time again. 

I hope this helps some people. 
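The following script is an added example and not part of the original post: it automates step 4 (switching the BIND9_DLZ module) and step 6 (the samba-ad-dc ordering drop-in) with the checks a practitioner wants before rebooting a DC: that exactly one dlz module is active afterwards, that a backup exists, that the drop-in actually orders samba-ad-dc after bind9.service, and that named's tkey-gssapi-keytab points at the /var/lib/samba/bind-dns path noted above. File paths are parameters so everything can be tried on copies first. The sample named.conf built at the bottom is constructed here, modelled on the layout samba_upgradedns generates; the function names are my own, and the override path is the one `systemctl edit samba-ad-dc` writes.

```shell
#!/bin/sh
# Added example (not code from the post). GNU sed/grep as on Debian.

# Print the module names on active (uncommented) "database" lines of a
# Samba-generated bind-dns/named.conf. Samba marks the inactive
# alternatives with a leading '#'.
active_dlz_modules() {
    grep -E '^[[:space:]]*database[[:space:]]+"dlopen ' "$1" \
        | sed -E 's|.*/(dlz_bind9(_[0-9]+)?)\.so".*|\1|'
}

# switch_dlz_module CONF OLD NEW: comment out OLD, uncomment NEW, then
# insist on exactly one active module (two active, or none, and named
# will not load the AD zone). Idempotent; keeps a .bak copy.
switch_dlz_module() {
    conf=$1; old=$2; new=$3
    cp -p "$conf" "$conf.bak" || return 1
    sed -i -E "s|^([[:space:]]*)database(.*/$old\.so\")|\1# database\2|" "$conf"
    sed -i -E "s|^([[:space:]]*)#[[:space:]]*database(.*/$new\.so\")|\1database\2|" "$conf"
    n=$(active_dlz_modules "$conf" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "$conf: expected one active dlz module, found $n" >&2
        return 1
    fi
    [ "$(active_dlz_modules "$conf")" = "$new" ]
}

# ensure_samba_after_bind9 ROOT: write the drop-in that 'systemctl edit
# samba-ad-dc' would create (ROOT is / on the real DC; use a scratch dir
# to test). Run 'systemctl daemon-reload' afterwards on the real system.
ensure_samba_after_bind9() {
    d="${1:-/}/etc/systemd/system/samba-ad-dc.service.d"
    mkdir -p "$d" || return 1
    printf '[Unit]\nAfter=network.target network-online.target bind9.service\n' \
        > "$d/override.conf"
}

# samba_ordered_after_bind9 ROOT: true if the drop-in orders samba-ad-dc
# after bind9.service.
samba_ordered_after_bind9() {
    f="${1:-/}/etc/systemd/system/samba-ad-dc.service.d/override.conf"
    [ -f "$f" ] && grep -Eq '^After=.*bind9\.service' "$f"
}

# keytab_is_bind_dns OPTIONSFILE: true if tkey-gssapi-keytab points at the
# dns.keytab path Samba 4.9+ generates (the post's NOTE in the options).
keytab_is_bind_dns() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"/var/lib/samba/bind-dns/dns.keytab"' "$1"
}

# Constructed sample in the layout Samba writes for BIND9_DLZ
# (9.10 active, 9.11 commented out, as on a Stretch DC).
make_sample_conf() {
    cat > "$1" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.10.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
}

# Stand-alone demo on a scratch copy; nothing under / is touched.
demo=$(mktemp -d)
make_sample_conf "$demo/named.conf"
echo "before: $(active_dlz_modules "$demo/named.conf")"
if switch_dlz_module "$demo/named.conf" dlz_bind9_10 dlz_bind9_11; then
    echo "after:  $(active_dlz_modules "$demo/named.conf")"
fi
ensure_samba_after_bind9 "$demo"
samba_ordered_after_bind9 "$demo" && echo "samba-ad-dc ordered after bind9"
rm -rf "$demo"
```

On the DC itself the calls are `switch_dlz_module /var/lib/samba/bind-dns/named.conf dlz_bind9_10 dlz_bind9_11 && named-checkconf && systemctl restart bind9`, then `ensure_samba_after_bind9 /` followed by `systemctl daemon-reload`. The "exactly one active module" check is the important one: the plain sed pair in step 4 does not notice a named.conf that has no 9.11 line (older Samba) or one where 9.10 is already commented out, and both leave named without a working AD zone.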
