[Samba] Problem joining domain [SEC=UNCLASSIFIED]

Thamm, Russell Russell.Thamm at dst.defence.gov.au
Wed Jun 5 07:18:54 UTC 2019


UNCLASSIFIED

I built another PC using CentOS 7 and Samba 4.1.7.

This got further but gave a segmentation fault. On successive runs, I got: Your filesystem or build does not support posix ACLs, which s3fs requires. (This is BS)

So I tried the next version that I had downloaded, 4.3.3. With this I was able to successfully join the domain.

I am thinking to:

1) seize roles with samba 3.3 server
2) shut down 2003 server
3) join domain with samba 4.10 server
4) transfer roles to samba 4.10 server
5) demote samba 3.3 server (this PC is a loaner)

Is there any benefit in walking up the versions from 3.3 to 4.8.x before seizing the roles?

When you say "walk up the versions", do you mean 4.4, 4.5, 4.6, 4.7, 4.8?

Cheers
Russell



-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Friday, 31 May, 2019 5:48 p.m.
To: Andrew Bartlett; Thamm, Russell
Cc: samba at lists.samba.org
Subject: Re: [Samba] Problem joining domain [SEC=CLASSIFIED]

On 31/05/2019 08:23, Andrew Bartlett wrote:
> On Fri, 2019-05-31 at 06:21 +0000, Thamm, Russell via samba wrote:
>> UNCLASSIFIED
>>
>> Hi Andrew and Rowland,
>>
>> I originally installed samba-4.1.7 on CentOS 6.5. I successfully joined the domain. I intended to take over from the 2003 server but because the domain was being heavily used, I delayed seizing the roles.
>>
>> Now I really, really want to replace the 2003 server. The network is currently not in use and I want to complete the job while I have an opportunity. If I have no other option, I will create a new domain, but I'd prefer to avoid having to create new user accounts.
> How about trying this:
>
> https://wiki.samba.org/index.php/Create_a_samba_lab-domain
Isn't the OP going to run into a chicken & egg situation here? Will it work against a Windows DC?
>
> If that works, then you may be able to try this:
>
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
>
> An online backup might work against Windows, but I suspect you will
> hit:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13917
>
> If you can apply patches (difficult air-gapped I know), try the 
> backported one attached to the bug.
>
> Restoring the backup won't allow the Windows server to still operate 
> (they will fight), but might get you a way out.
>
> Anyway, I hope this is of some help.  Otherwise we need to try and 
> work out a bit more about why the Windows DC is unhappy with our list 
> of NCs.
>
> Andrew Bartlett

If a CentOS 6 Samba AD DC was able to join, then I would try going down that path again, but to save time and not compile Samba, I would use Debian 8 instead. If you get a Samba DC to join, you could then walk up the Samba versions (probably needed unless the bug is fixed) by using Louis's repo. Once you get past 4.8.x, you could then seize all the FSMO roles and turn off the Windows DC and remove it from the domain.

Rowland

