[Samba] Upgrading your Samba AD-DC from Stretch to Buster, used samba 4.10.6.
L.P.H. van Belle
belle at bazuin.nl
Mon Jul 29 09:24:22 UTC 2019
Hai guys,
After a few messages on the list about Buster, I decided to upgrade one of my production AD-DCs and see what happens.
I noticed a few things here, so here are the steps and changes I made to upgrade and have a correctly working AD-DC after the upgrade.
Setup is as follows: Debian Stretch AD-DC with Bind9 DLZ and ntp time.
This is still the base I used for my AD-DC:
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-2.0-samba-minimal-ad.txt
Upgrade steps.
1) Change your sources files.
sed -i 's/stretch/buster/g' /etc/apt/sources.list
# If you also use my sources.
sed -i 's/stretch/buster/g' /etc/apt/sources.list.d/van-belle.list
2) Get the updated packages.
apt update
apt dist-upgrade -dy
-dy (download and yes): this only fetches the packages to your server, nothing is installed yet.
3) Install the updated packages.
apt dist-upgrade --autoremove -y
And wait for it all to be upgraded.
4) Change BIND9
If you use bind9_dlz, change the bind9 backend version in /var/lib/samba/bind-dns/named.conf.
(Using | as the sed delimiter so the path needs no escaping; the original "\database" replacement is not a valid GNU sed replacement.)
# disable bind 9.10
sed -i 's|database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10|# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10|g' /var/lib/samba/bind-dns/named.conf
# enable bind 9.11
sed -i 's|# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11|database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11|g' /var/lib/samba/bind-dns/named.conf
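As an added example (not part of Louis's mail, and not Samba's own tooling), here is the same backend switch done as a small shell function that takes a backup first, only touches lines that are still in their pre-upgrade state (so running it twice is harmless), and verifies afterwards that exactly one "database" line is active and that it is the new module. It assumes GNU sed, the Debian amd64 module directory used in the mail, and the "# database ..." comment style of Samba's generated named.conf; the sample named.conf written by make_sample_conf is constructed for the demo.

```shell
#!/bin/sh
# Added example: switch the Samba DLZ module line in a BIND named.conf from
# one bind9_<ver> build to another, with backup and post-check.
# Assumptions: GNU sed (-i), module path as on Debian amd64, and the
# "# database ..." comment style Samba writes into named.conf.

DLZ_DIR="/usr/lib/x86_64-linux-gnu/samba/bind9"

# switch_dlz <named.conf> <old-version> <new-version>
# e.g. switch_dlz /var/lib/samba/bind-dns/named.conf 10 11
switch_dlz() {
    conf="$1"; old="$2"; new="$3"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Keep a timestamped copy so the change can be rolled back.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Comment out the old module line; matches only if it is still active.
    sed -i "s|^\([[:space:]]*\)database \"dlopen $DLZ_DIR/dlz_bind9_$old.so\";|\1# database \"dlopen $DLZ_DIR/dlz_bind9_$old.so\";|" "$conf"
    # Activate the new module line; matches only if it is still commented out.
    sed -i "s|^\([[:space:]]*\)# database \"dlopen $DLZ_DIR/dlz_bind9_$new.so\";|\1database \"dlopen $DLZ_DIR/dlz_bind9_$new.so\";|" "$conf"
    # Post-check: exactly one active "database" line, and it must be the new one.
    active=$(grep -c '^[[:space:]]*database "dlopen' "$conf" || true)
    [ "$active" -eq 1 ] || { echo "expected 1 active database line, found $active" >&2; return 1; }
    grep -q "^[[:space:]]*database \"dlopen $DLZ_DIR/dlz_bind9_$new.so\";" "$conf"
}

# make_sample_conf <path>: write a constructed named.conf fragment in the
# shape Samba generates (9.10 active, 9.11 commented out), for offline demo.
make_sample_conf() {
    printf '%s\n' \
        'dlz "AD DNS Zone" {' \
        '    # For BIND 9.10.x' \
        "    database \"dlopen $DLZ_DIR/dlz_bind9_10.so\";" \
        '    # For BIND 9.11.x' \
        "    # database \"dlopen $DLZ_DIR/dlz_bind9_11.so\";" \
        '};' > "$1"
}

# Demo on a temporary file instead of the live config.
demo="$(mktemp)"
make_sample_conf "$demo"
switch_dlz "$demo" 10 11 && echo "switched: $(grep '^[[:space:]]*database' "$demo")"
rm -f "$demo" "$demo".bak.*
```

On a real DC the call is switch_dlz /var/lib/samba/bind-dns/named.conf 10 11, followed by named-checkconf before restarting bind9; the backup file sits next to named.conf.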
And this is my new config for bind9.11 on Buster; few changes are needed.
## Config Begin.
acl thisserverip {
// ip of this AD-DC server.
192.168.1.2;
};
acl all-networks {
# define all your networks here in CIDR format
192.168.1.0/24;
};
options {
directory "/var/cache/bind";
version "Go Away 0.0.7";
dnssec-validation no;
// Disabled forwarders for now,
// in an attempt to stop this in the logs: "resolver: info: resolver priming query complete".
// Which worked in the end :-) for the config.
//forwarders { 62.212.131.101; 62.212.128.130; 8.8.8.8;
//};
auth-nxdomain yes; // Default is no, but this server IS the authoritative server for your zones.
listen-on-v6 { "none"; }; // I don't use IPv6 on my AD-DC.
listen-on port 53 { "thisserverip"; 127.0.0.1; };
notify no;
// After the upgrade from stretch to buster, I've added:
minimal-responses yes; // In an attempt to stop this in the logs: "resolver: info: resolver priming query complete".
// see also : https://gitlab.isc.org/isc-projects/bind9/issues/752
empty-zones-enable yes; // enable this if you see "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" in your logs.
allow-query { "all-networks"; 127.0.0.1/32; };
// added in an attempt to stop this in the logs: "resolver: info: resolver priming query complete".
allow-query-cache { "all-networks"; 127.0.0.1/32; };
allow-recursion { "all-networks"; 127.0.0.1/32; };
// NOTE: samba 4.9+ uses /var/lib/samba/bind-dns
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
## Config END.
The above config resulted in correctly working DNS again.
5) Update the root DNS hints.
dig www.oneinternetsite.com +trace
6) And if you haven't changed your systemd startup for samba-ad-dc and bind9 yet, I suggest doing so.
systemctl edit samba-ad-dc
and add:
[Unit]
After=network.target network-online.target bind9.service
systemctl edit bind9
and add:
[Service]
ExecReload=
7) Reboot.
Check the logs; this should result in a correctly running samba-ad-dc again,
with no errors in your logs.
You might see one; that might be ntp, give it time to sync the time again.
I hope this helps some people.
Greetz,
Louis