[Samba] Join new DC to domain - advice to upgrade Samba 4.

L.P.H. van Belle belle at bazuin.nl
Tue Apr 7 14:25:48 UTC 2020

What I find the safest path in upgrading.
This is how I upgraded my wheezy servers (Samba 4.1.x),
all the way up to now buster Samba 4.11, and starting to roll out 4.12.1 (members only at the moment).

So yes, first fix the problems, go through all logs and make sure you don't have any errors.
Reboot the server. Check again, and repeat until your server is error free.
Remove (if needed) old packages. dpkg -l | grep -E "jessie|wheezy|deb[6-8]"
Do check, before you remove any, whether these are replaced with a stretch version.

Samba, you're now on 4.5.16 (Debian stretch official).
So before you upgrade, check if your smb.conf is compliant with the next Samba version(s).

For example these changes. 
4.5.x =>  4.6.0 : smb.conf changes 
  Parameter Name                Description             Default
  --------------                -----------             -------
  kerberos encryption types     New                     all
  inherit owner                 New option
  fruit:resource                Spelling correction
  lsa over netlogon             New (deprecated)        no
  rpc server port               New                     0

4.6.x => 4.7.0 : smb.conf changes
  Parameter Name                     Description             Default
  --------------                     -----------             -------
  allow unsafe cluster upgrade       New parameter           no
  auth event notification            New parameter           no
  auth methods                       Deprecated
  client max protocol                Effective               SMB3_11
                                     default changed
  map untrusted to domain            New value/              auto
                                     Default changed/
  mit kdc command                    New parameter
  profile acls                       Deprecated
  rpc server dynamic port range      New parameter           49152-65535
  strict sync                        Default changed         yes
  password hash userPassword schemes New parameter
  ntlm auth                          New values              ntlmv2-only

4.7.x => 4.8.0 : smb.conf changes
  Parameter Name                     Description             Default
  --------------                     -----------             -------
  apply group policies               New                     no
  auth methods                       Removed
  binddns dir                        New
  client schannel                    Default changed/        yes
  gpo update command                 New
  ldap ssl ads                       Deprecated
  map untrusted to domain            Removed
  oplock contention limit            Removed
  prefork children                   New                     1
  mdns name                          New                     netbios
  fruit:time machine                 New                     false
  profile acls                       Removed
  use spnego                         Removed
  server schannel                    Default changed/        yes
  unicode                            Deprecated
  winbind scan trusted domains       New                     yes
  winbind trusted domains only       Removed
! DO READ THE 4.8.x changelogs completely on the Samba site, it's needed!

4.8.x => 4.9.0 : smb.conf changes
As the most popular Samba install platforms (Linux and FreeBSD) both
support extended attributes by default, the parameters "map readonly",
"store dos attributes" and "ea support" have had their defaults changed
to allow better Windows fileserver compatibility in a default install.

  Parameter Name                     Description             Default
  --------------                     -----------             -------
  map readonly                       Default changed         no
  store dos attributes               Default changed         yes
  ea support                         Default changed         yes
  full_audit:success                 Default changed         none
  full_audit:failure                 Default changed         none

When you're sure Samba is ready for the next version, enable my repo:

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list

# Samba 4.6.latest 
echo "deb http://apt.van-belle.nl/debian stretch-samba46 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

With every samba upgrade use : apt-get update && apt-get dist-upgrade --autoremove --purge 

Repeat for 4.7   stretch-samba47
Repeat for 4.8   stretch-samba48 

Now stop.. 

Now upgrade stretch to buster. 
Change the content in /etc/apt/sources.list file to buster 
apt-get update 
apt-get dist-upgrade -dy # download only; always do this if you're upgrading, because if the internet drops you're in problems.
apt-get dist-upgrade --autoremove --purge 

And you're automatically back on the Debian official 4.9.5.

Which is also outdated; I advise upgrading to at least 4.10, better 4.11, but that's totally up to you.
Good luck; if you have problems, mail the list.




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 7 April 2020 16:08
> To: sambalist
> Subject: Re: [Samba] Join new DC to domain - advice to upgrade Samba 4.
>
> On 07/04/2020 14:51, Daniel Lopes de Carvalho wrote:
> > Hi Rowland, thanks for your email.
> >
> > The working DC was installed around 2 years ago. It is the reason to
> > stick in Stretch. But if I can upgrade the working DC to Buster and
> > Samba 4.9.5 without any problem, it is OK to me.
> I would upgrade Debian and once you get everything working correctly, 
> you can use Louis's repo:  http://apt.van-belle.nl/
> >
> >
> > Find below the output of samba-tool join command:
> >
> >  samba-tool domain join test.example.domain.br DC -U"test/administrator" -d3
> >
> > Finding a writeable DC for domain 'test.example.domain.br'
> > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.test.example.domain.br<0x0>
> > Found DC adc02.test.example.domain.br
> > resolve_lmhosts: Attempting lmhosts lookup for name adc02.test.example.domain.br<0x20>
> > Password for [test\administrator]:
> > Cannot reach a KDC we require to contact ldap/adc02.test.example.domain.br@ : kinit for administrator at test failed (Cannot contact any KDC for requested realm)
> That looks like your problem, for some reason 'adc02.example.domain.br'
> cannot be found.
> Can you run the attached script on the machine you are trying to join as
> a DC and then post the output in a reply to the mailing list, do not
> attach it, this mailing list strips attachments.
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
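
The pre-upgrade smb.conf check this message recommends, as an added example that is not part of the original post or of Louis's repo: it flags parameters that the tables above mark Removed or Deprecated between 4.5 and 4.8. The function name check_smbconf, the sample configuration and the output format are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag smb.conf parameters that the tables in this post mark
# Removed or Deprecated between 4.5 and 4.8. Names are stored lowercase with
# whitespace stripped, because smb.conf ignores both in parameter names.
SMB_CHANGES='4.6 deprecated lsaovernetlogon
4.7 deprecated authmethods
4.7 deprecated profileacls
4.8 removed authmethods
4.8 deprecated ldapsslads
4.8 removed mapuntrustedtodomain
4.8 removed oplockcontentionlimit
4.8 removed profileacls
4.8 removed usespnego
4.8 deprecated unicode
4.8 removed winbindtrusteddomainsonly'

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF='[global]
    workgroup = TEST
    # auth methods = guest
    Auth Methods = sam winbind
    use spnego = yes
    ntlm auth = yes
[profiles]
    profile acls = yes'

# check_smbconf FILE: print one line per affected parameter.
# Exit status 1 if anything was flagged, 0 if the file is clean.
check_smbconf() {
    printf '%s\n' "$SMB_CHANGES" | awk '
        NR == FNR { why[$3] = why[$3] " [" $1 " " $2 "]"; next }  # load table
        /^[ \t]*([#;]|\[|$)/ { next }    # comments, section headers, blanks
        {
            eq = index($0, "="); if (!eq) next
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            if (name in why) {
                sub(/^[ \t]+/, "")
                printf "%s:%d: %s =>%s\n", FILENAME, FNR, $0, why[name]
                found = 1
            }
        }
        END { exit found + 0 }
    ' - "$1"
}

# Demo on the constructed sample.
demo=$(mktemp) && printf '%s\n' "$SAMPLE_CONF" > "$demo"
check_smbconf "$demo" || echo "fix the lines above before moving to the next version"
rm -f "$demo"
```

This only covers the parameters listed in the tables of this message; testparm on the upgraded host remains the check against the installed version.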
