[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Juan Ignacio juan.ignacio.pazos at gmail.com
Mon Nov 21 16:03:33 UTC 2022


Seems like it looks good.
After Provision...

> root at dc2:/home/jpazos# samba-tool domain join mydomain.org DC -U
> mydomain/Administrator
> INFO 2022-11-21 12:47:57,024 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #105: Finding a writeable DC
> for domain 'mydomain.org'
> INFO 2022-11-21 12:47:57,035 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #107: Found DC
> dc1.mydomain.org
> Password for [mydomain\Administrator]:
> INFO 2022-11-21 12:48:03,052 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1527: workgroup is mydomain
> INFO 2022-11-21 12:48:03,053 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1530: realm is mydomain.org
> Adding CN=dc2,OU=Domain Controllers,DC=mydomain,DC=org
> Adding
> CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=org
> Adding CN=NTDS
> Settings,CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=org
> Adding SPNs to CN=dc2,OU=Domain Controllers,DC=mydomain,DC=org
> Setting account password for dc2$
> Enabling account
> Calling bare provision
> INFO 2022-11-21 12:48:14,865 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2108: Looking
> up IPv4 addresses
> INFO 2022-11-21 12:48:14,866 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2125: Looking
> up IPv6 addresses
> WARNING 2022-11-21 12:48:14,867 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2130: More than
> one IPv6 address found. Using fd04:4fce:8c37:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:48:15,065 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2274: Setting
> up share.ldb
> INFO 2022-11-21 12:48:15,100 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2278: Setting
> up secrets.ldb
> INFO 2022-11-21 12:48:15,128 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2283: Setting
> up the registry
> INFO 2022-11-21 12:48:15,227 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2286: Setting
> up the privileges database
> INFO 2022-11-21 12:48:15,280 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2289: Setting
> up idmap db
> INFO 2022-11-21 12:48:15,316 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2296: Setting
> up SAM db
> INFO 2022-11-21 12:48:15,326 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #880: Setting up
> sam.ldb partitions and settings
> INFO 2022-11-21 12:48:15,327 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #892: Setting up
> sam.ldb rootDSE
> INFO 2022-11-21 12:48:15,335 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #1305:
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint
> on local domainSIDs
>
> INFO 2022-11-21 12:48:15,373 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2348: A
> Kerberos configuration suitable for Samba AD has been generated at
> /var/lib/samba/private/krb5.conf
> INFO 2022-11-21 12:48:15,373 pid:547
> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2350: Merge the
> contents of this file with your system krb5.conf or replace it with this
> one. Do not create a symlink!
> Provision OK for domain DN DC=mydomain,DC=org
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org] objects[402/1550]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org] objects[804/1550]
> linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[402/1615]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[804/1615]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[1206/1615]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[1608/1615]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[1615/1615]
> linked_values[30/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=org] objects[98/98] linked_values[39/0]
> Partition[DC=mydomain,DC=org] objects[402/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[804/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[1206/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[1608/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[2010/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[2412/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[2694/2697] linked_values[1062/0]
> ../../lib/ldb/ldb_key_value/ldb_kv_index.c:2955: duplicate attribute value
> in CN=K10,OU=Sala Informatica K,OU=Salas Informatica,OU=Equipos
> mydomain,DC=mydomain,DC=org for index on servicePrincipalName, duplicate of
> objectGUID 7008131e-6e91-4c8c-9a9e-2c9de8727dc6 in
> @INDEX:SERVICEPRINCIPALNAME:TERMSRV/K10.mydomain.org
> Failed to commit objects: DOS code 0x000021bf
> Missing target object - retrying with DRS_GET_TGT
> Partition[DC=mydomain,DC=org] objects[3096/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[3498/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[3900/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[4302/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[4704/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[5106/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[5388/2697] linked_values[2124/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mydomain,DC=org
> Partition[DC=DomainDnsZones,DC=mydomain,DC=org] objects[402/84606]
> linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=mydomain,DC=org] objects[804/84606]
> linked_values[0/0]
> ......
> Replicating DC=ForestDnsZones,DC=mydomain,DC=org
> Partition[DC=ForestDnsZones,DC=mydomain,DC=org] objects[18/18]
> linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=mydomain,DC=org] objects[3]
> linked_values[0]
> Committing SAM database
> Repacking database from v1 to v2 format (first record
> CN=Employee-ID,CN=Schema,CN=Configuration,DC=mydomain,DC=org)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=volume-Display,CN=411,CN=DisplaySpecifiers,CN=Configuration,DC=mydomain,DC=org)
> Repacking database from v1 to v2 format (first record
> DC=K4\0ADEL:8556e2db-ca93-4b49-a5b4-c391a74fb67d,CN=Deleted
> Objects,DC=DomainDnsZones,DC=mydomain,DC=org)
> Repack: re-packed 10000 records so far......
>
> Repacking database from v1 to v2 format (first record
> CN=LostAndFound,DC=ForestDnsZones,DC=mydomain,DC=org)
> Repacking database from v1 to v2 format (first record
> CN=*****o,OU=********,OU=******,OU=******* mydomain,DC=mydomain,DC=org)
> Repack: re-packed 10000 records so far
> Repack: re-packed 20000 records so far
> INFO 2022-11-21 12:52:32,052 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1100: Adding 4 remote DNS
> records for dc2.mydomain.org
> INFO 2022-11-21 12:52:32,120 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1159: Adding DNS AAAA record
> dc2.mydomain.org for IPv6 IP: fd04:4fce:8c37:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:52:34,829 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1159: Adding DNS AAAA record
> dc2.mydomain.org for IPv6 IP: fd28:921f:3a07:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:52:36,655 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1159: Adding DNS AAAA record
> dc2.mydomain.org for IPv6 IP: fdb4:6605:c6ee:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:52:38,130 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1163: Adding DNS A record
> dc2.mydomain.org for IPv4 IP: 10.20.1.3
> INFO 2022-11-21 12:52:40,397 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1191: Adding DNS CNAME record
> 000c85cc-7018-463c-a072-5d5bb53c8ac5._msdcs.mydomain.org for
> dc2.mydomain.org
> INFO 2022-11-21 12:52:42,385 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1216: All other DNS records
> (like _ldap SRV records) will be created samba_dnsupdate on first startup
> INFO 2022-11-21 12:52:42,386 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1222: Replicating new DNS
> records in DC=DomainDnsZones,DC=mydomain,DC=org
> Partition[DC=DomainDnsZones,DC=mydomain,DC=org] objects[10/10]
> linked_values[0/0]
> INFO 2022-11-21 12:52:44,851 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1222: Replicating new DNS
> records in DC=ForestDnsZones,DC=mydomain,DC=org
> Partition[DC=ForestDnsZones,DC=mydomain,DC=org] objects[2/2]
> linked_values[0/0]
> INFO 2022-11-21 12:52:44,881 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1237: Sending
> DsReplicaUpdateRefs for all the replicated partitions
> INFO 2022-11-21 12:52:46,748 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1267: Setting isSynchronized
> and dsServiceName
> INFO 2022-11-21 12:52:46,763 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1282: Setting up secrets
> database
> INFO 2022-11-21 12:52:46,821 pid:547
> /usr/lib/python3/dist-packages/samba/join.py #1544: Joined domain mydomain
> (SID S-1-5-21-4052400635-4289026898-4090354900) as a DC
>

Ok guys, seems like the provision worked. What do I need to do next? I checked
the samba-ad-dc process and these are the results:

root at kronos:/home/jpazos# systemctl status samba-ad-dc.service
> ● samba-ad-dc.service - Samba AD Daemon
>      Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; disabled;
> vendor preset: enabled)
>      Active: active (running) since Mon 2022-11-21 13:00:37 -03; 1s ago
>        Docs: man:samba(8)
>              man:samba(7)
>              man:smb.conf(5)
>    Main PID: 563 (samba)
>      Status: "samba: ready to serve connections..."
>       Tasks: 53 (limit: 4858)
>      Memory: 206.8M
>         CPU: 1.951s
>      CGroup: /system.slice/samba-ad-dc.service
>              ├─563 samba: root process
>              ├─564 samba: tfork waiter process(565)
>              ├─565 samba: task[s3fs] pre-fork master
>              ├─566 samba: tfork waiter process(567)
>              ├─567 samba: task[rpc] pre-fork master
>              ├─568 samba: tfork waiter process(570)
>              ├─569 samba: tfork waiter process(572)
>              ├─570 samba: task[nbt] pre-fork master
>              ├─571 samba: tfork waiter process(573)
>              ├─572 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>              ├─573 samba: task[wrepl] pre-fork master
>              ├─574 samba: tfork waiter process(575)
>              ├─575 samba: task[ldap] pre-fork master
>              ├─576 samba: tfork waiter process(578)
>              ├─577 samba: tfork waiter process(580)
>              ├─578 samba: task[cldap] pre-fork master
>              ├─579 samba: tfork waiter process(581)
>              ├─580 samba: task[rpc] pre-forked worker(0)
>              ├─581 samba: task[kdc] pre-fork master
>              ├─582 samba: tfork waiter process(584)
>              ├─583 samba: tfork waiter process(586)
>              ├─584 samba: task[drepl] pre-fork master
>              ├─585 samba: tfork waiter process(587)
>              ├─586 samba: task[rpc] pre-forked worker(1)
>              ├─587 samba: task[winbindd] pre-fork master
>              ├─588 samba: tfork waiter process(592)
>              ├─589 samba: tfork waiter process(596)
>              ├─590 samba: tfork waiter process(591)
>              ├─591 samba: task[rpc] pre-forked worker(2)
>              ├─592 samba: task[ntp_signd] pre-fork master
>              ├─593 samba: tfork waiter process(598)
>              ├─594 samba: tfork waiter process(601)
>              ├─595 samba: tfork waiter process(600)
>              ├─596 samba: task[kdc] pre-forked worker(0)
>              ├─597 samba: tfork waiter process(604)
>              ├─598 samba: task[kcc] pre-fork master
>              ├─599 samba: tfork waiter process(602)
>              ├─600 samba: task[rpc] pre-forked worker(3)
>              ├─601 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>              ├─602 samba: task[dnsupdate] pre-fork master
>              ├─603 samba: tfork waiter process(606)
>              ├─604 samba: task[kdc] pre-forked worker(1)
>              ├─605 samba: tfork waiter process(607)
>              ├─606 samba: task[dns] pre-fork master
>              ├─607 samba: task[kdc] pre-forked worker(2)
>              ├─608 samba: tfork waiter process(609)
>              ├─609 samba: task[kdc] pre-forked worker(3)
>              ├─610 samba: tfork waiter process(611)
>              ├─611 /usr/bin/python3 /usr/sbin/samba_dnsupdate
>              ├─617 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>              ├─618 /usr/sbin/smbd -D --option=server role
> check:inhibit=yes --foreground
>              ├─619 winbindd: domain child [MYDOMAIN]
>              └─620 winbindd: idmap child
>
> nov 21 13:00:37 kronos samba[575]:   Attempting to autogenerate TLS
> self-signed keys for https for hostname 'DC2.kennedy.edu'
> nov 21 13:00:37 kronos systemd[1]: Started Samba AD Daemon.
> nov 21 13:00:37 kronos smbd[572]: [2022/11/21 13:00:37.340701,  0]
> ../../source3/smbd/server.c:1741(main)
> nov 21 13:00:37 kronos smbd[572]:   smbd version 4.16.6-Debian started.
> nov 21 13:00:37 kronos smbd[572]:   Copyright Andrew Tridgell and the
> Samba Team 1992-2022
> nov 21 13:00:37 kronos winbindd[601]: [2022/11/21 13:00:37.415798,  0]
> ../../source3/winbindd/winbindd.c:1723(main)
> nov 21 13:00:37 kronos winbindd[601]:   winbindd version 4.16.6-Debian
> started.
> nov 21 13:00:37 kronos winbindd[601]:   Copyright Andrew Tridgell and the
> Samba Team 1992-2022
> nov 21 13:00:38 kronos winbindd[601]: [2022/11/21 13:00:38.050798,  0]
> ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
> nov 21 13:00:38 kronos winbindd[601]:   initialize_winbindd_cache:
> clearing cache and re-creating with version number 2
>

Waiting for your reply.

Thanks.

On Mon, 21 Nov 2022 at 12:28, Juan Ignacio (<juan.ignacio.pazos at gmail.com>)
wrote:

> Let me know if I can proceed.
>
> Or if I need to check any services or something else running on the new
> server before.
>
> Thx.
>
> On Mon, 21 Nov 2022 at 11:16, Juan Ignacio <juan.ignacio.pazos at gmail.com>
> wrote:
>
>> Ok, it is almost ready I think. Sharing the new server setup files and
>> checking if everything looks good to join the domain.
>>
>> NewServer Setup Configs
>>>
>>> "/etc/network/interfaces"
>>>
>>> # The primary network interface
>>> allow-hotplug ens18
>>> iface ens18 inet static
>>> address 10.20.1.3
>>> netmask 255.255.0.0
>>> gateway 10.20.0.90
>>> dns-nameservers 10.20.1.6 200.40.220.245
>>>
>>> Added as nameserver oldServerIPaddress
>>>
>>> ------------------------------------------------------
>>>
>>> "/etc/resolv.conf"
>>>
>>> nameserver 10.20.1.6 ----------> Old Server DC IP
>>> nameserver 200.40.220.245
>>> nameserver 200.40.30.245
>>> search ourdomain.org   -----------> Domain
>>>
>>> -------------------------------------------------------
>>> "/etc/hostname"
>>> dc2  -------> new dc hostname
>>>
>>> --------------------------------------------------------
>>>
>>> "/etc/hosts"
>>> 127.0.0.1       localhost
>>> 127.0.1.1       dc2.ourdomain.org      dc2 -----> NewDC
>>> 10.20.1.6       dc1.ourdomain.org      dc1 -----> Production DC
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> -----------------------------------------------------------
>>>
>>
>> If everything looks good I'm ready to join the domain.
>>
>>
>>
>> On Mon, 21 Nov 2022 at 9:11, Rowland Penny via samba (<
>> samba at lists.samba.org>) wrote:
>>
>>>
>>>
>>> On 21/11/2022 11:38, Juan Ignacio wrote:
>>> > I have read both emails carefully and I have some doubts. If I
>>> remember
>>> > correctly, changing the ip of an ad-dc samba caused problems for
>>> clients
>>> > to connect.
>>>
>>> It shouldn't, if it does, your dns is not setup correctly.
>>>
>>> > Can the new server that will replace the old one have a different IP
>>> > from the one in production?
>>>
>>> Yes
>>>
>>> > I need to join the new one to the old one
>>> > that is in production to be able to do an upgrade?,
>>>
>>> Yes
>>>
>>> > did I understand
>>> > correctly? How we transform the new one on a samba-ad-dc if it joins
>>> as
>>> > a DC.
>>>
>>> Not sure I understand that, a 'samba-ad-dc' is a DC, or are you
>>> referring to the systemd service that starts a Samba AD DC ?
>>>
>>> > If this is correct, which ip and hostname is recommended to be
>>> > placed on this new server, any different from the old server?
>>>
>>> It doesn't matter what IP and short hostname you use on your new DC,
>>> just so long as the IP is in the same subnet, e.g., if your existing DC
>>> has the ipaddress 192.168.1.2, you could use 192.168.1.3 for your new
>>> DC.
>>>
>>> >
>>> > /"About the resolv.conf file...
>>> > Ensure that the /etc/resolv.conf has only these lines
>>> > search your.dns.domain
>>> > nameserver YOUR.EXISTING.DC.IPADDRESS"/*(The new one or the old one.)?*
>>>
>>> Both, the existing DC should be like that now and your proposed new DC
>>> should be the same to ensure that it can find the existing DC to join
>>> the domain as a DC. Once the join has occurred, you need to change the
>>> new DC's /etc/resolv.conf to use its own ipaddress as its nameserver
>>> before you start Samba.
>>>
>>>   /
>>> > etc/hosts has 127.0.0.1 pointing to localhost and there is a line like
>>> > this (replace with your information):
>>> > the.computers.ipaddress the_computers_fqdn
>>> > the_computers_short_hostname/
>>> > (*old server or different information*)
>>>
>>> Lets say that your existing DC uses the ipaddress '192.168.1.2' , the
>>> short hostname 'dc1' and the dns domain 'samdom.example.com'
>>>
>>> This would mean (ignoring the IPv6 lines, you can leave them as is),
>>> your existing DC should have these lines:
>>>
>>> 127.0.0.1 localhost
>>> 192.168.1.2 dc1.samdom.example.com dc1
>>>
>>> Your new DC 'dc2' with ipaddress '192.168.1.3' , would be:
>>>
>>> 127.0.0.1 localhost
>>> 192.168.1.3 dc2.samdom.example.com dc2
>>>
>>>
>>> >
>>> > /etc/hostname should only contain the computers short hostname/.*(I
>>> only
>>> > have the computer short name of the server itself; I think it is correct.)
>>> > *
>>> >
>>> > When you say computers, that confuses me a bit because I think that
>>> more
>>> > than one is plural. Excuse so many doubts, but between the language and
>>> > having done it so long ago I'm a little rusty.
>>>
>>> You can have more than one AD DC in an AD domain, in fact, multiple DCs
>>> are better, they all hold the same data, apart from the FSMO roles and
>>> they can be on any DC.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
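The reply quoted above spells out what /etc/hostname, /etc/hosts and /etc/resolv.conf should contain on a machine that is about to join as a second DC, and that resolv.conf must be repointed at the new DC's own address once the join is done. The following checker is an added example, not code from the Samba project or from anyone in this thread; it encodes those rules so they can be verified before the join (nameserver = existing DC) and again before starting Samba (nameserver = the new DC itself). The sample file contents are constructed to resemble the files posted earlier in the thread, and the addresses and names used are placeholders.

```python
"""Check the name-resolution files on a machine about to join as a Samba AD DC.

Added example; not code from the Samba project or from the thread. Rules
encoded: /etc/hostname holds only the short name; /etc/hosts maps the real
address (not 127.0.1.1) to "fqdn short"; /etc/resolv.conf holds only a search
line for the AD DNS domain plus one nameserver line (existing DC before the
join, the new DC's own address afterwards). Sample contents are constructed.
"""
import sys
from pathlib import Path


def check_hostname(content, short):
    """/etc/hostname must contain exactly the expected short hostname."""
    findings = []
    name = content.strip()
    if "." in name:
        findings.append(f"/etc/hostname: '{name}' is an FQDN, not a short hostname")
    if name != short:
        findings.append(f"/etc/hostname: expected '{short}', found '{name}'")
    return findings


def check_hosts(content, ip, fqdn, short):
    """/etc/hosts must map the real IP to 'fqdn short', and nothing else to those names."""
    findings = []
    wanted_line_present = False
    for raw in content.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        if fqdn not in names and short not in names:
            continue  # some other host, e.g. the existing DC or localhost
        if addr == ip and names[0] == fqdn and short in names[1:]:
            wanted_line_present = True
        else:  # typically the Debian-default 127.0.1.1 line
            findings.append(f"/etc/hosts: '{raw.strip()}' maps this DC's name to "
                            f"{addr}; expected '{ip} {fqdn} {short}'")
    if not wanted_line_present:
        findings.append(f"/etc/hosts: missing line '{ip} {fqdn} {short}'")
    return findings


def check_resolv(content, nameserver, domain):
    """/etc/resolv.conf must contain only 'search <domain>' and one nameserver."""
    findings = []
    nameservers, searches = [], []
    for raw in content.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver":
            nameservers.extend(fields[1:])
        elif fields[0] == "search":
            searches.extend(fields[1:])
        else:
            findings.append(f"/etc/resolv.conf: unexpected line '{raw.strip()}'")
    if nameservers != [nameserver]:
        findings.append(f"/etc/resolv.conf: nameservers {nameservers}, expected ['{nameserver}']")
    if searches != [domain]:
        findings.append(f"/etc/resolv.conf: search {searches}, expected ['{domain}']")
    return findings


def check_dc_files(hostname_txt, hosts_txt, resolv_txt, *, ip, short, domain, nameserver):
    """Run all three checks; an empty list means the files match the advice."""
    fqdn = f"{short}.{domain}"
    return (check_hostname(hostname_txt, short)
            + check_hosts(hosts_txt, ip, fqdn, short)
            + check_resolv(resolv_txt, nameserver, domain))


# Constructed samples, laid out like the files posted in the thread.
POSTED_HOSTS = "127.0.0.1       localhost\n" \
               "127.0.1.1       dc2.ourdomain.org      dc2\n" \
               "10.20.1.6       dc1.ourdomain.org      dc1\n"
POSTED_RESOLV = "nameserver 10.20.1.6\nnameserver 200.40.220.245\n" \
                "nameserver 200.40.30.245\nsearch ourdomain.org\n"
FIXED_HOSTS = "127.0.0.1       localhost\n10.20.1.3       dc2.ourdomain.org      dc2\n"
FIXED_RESOLV = "search ourdomain.org\nnameserver 10.20.1.6\n"


def main(argv):
    """Usage: IP SHORTNAME DNSDOMAIN NAMESERVER; reads the live /etc files."""
    if len(argv) != 5:
        print(f"usage: {argv[0]} IP SHORTNAME DNSDOMAIN NAMESERVER", file=sys.stderr)
        return 2
    ip, short, domain, nameserver = argv[1:]
    findings = check_dc_files(Path("/etc/hostname").read_text(),
                              Path("/etc/hosts").read_text(),
                              Path("/etc/resolv.conf").read_text(),
                              ip=ip, short=short, domain=domain, nameserver=nameserver)
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once before `samba-tool domain join` with the existing DC's address as the nameserver argument, and once more after the join with the new DC's own address, before starting samba-ad-dc; a non-zero exit means at least one file still deviates from the layout described in the reply.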


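The join output at the top of this message reports a duplicate servicePrincipalName index entry (TERMSRV/K10.mydomain.org, already held by another object) and a failed commit before the replication is retried. Duplicate SPNs are a data-quality problem on the existing domain rather than on the new DC: the KDC cannot tell which account a ticket for that service belongs to, so they are worth finding and resolving before a migration. The script below is an added example, not code from the Samba project or from anyone in the thread. It parses an LDIF dump such as the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(servicePrincipalName=*)' dn servicePrincipalName` run on the existing DC, and it compares SPNs case-insensitively (an assumption about how the attribute is matched). The LDIF in the block is constructed for the demonstration, including a deliberate case-variant duplicate and a base64-encoded value.

```python
"""Report servicePrincipalName values held by more than one directory object.

Added example; not code from the Samba project or from the thread. Input is an
LDIF dump (e.g. from ldbsearch on the existing DC's sam.ldb). SPNs are compared
case-insensitively, which is an assumption about how AD matches the attribute.
"""
import base64
import re
import sys
from collections import defaultdict

# Constructed sample: K10 and K10-old share a TERMSRV SPN (differing only in
# case); the second object also carries a base64-encoded value ("HOST/K10-old").
SAMPLE_LDIF = """\
# record 1
dn: CN=K10,OU=Sala Informatica K,OU=Salas Informatica,OU=Equipos mydomain,DC=mydomain,DC=org
servicePrincipalName: HOST/K10
servicePrincipalName: HOST/K10.mydomain.org
servicePrincipalName: TERMSRV/K10.mydomain.org

# record 2
dn: CN=K10-old,OU=Sala Informatica K,OU=Salas Informatica,OU=Equipos mydomain,
 DC=mydomain,DC=org
servicePrincipalName: TERMSRV/k10.mydomain.org
servicePrincipalName:: SE9TVC9LMTAtb2xk

# record 3
dn: CN=DC1,OU=Domain Controllers,DC=mydomain,DC=org
servicePrincipalName: ldap/dc1.mydomain.org
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line):
    """Return (attribute, value); a '::' separator marks a base64 value."""
    match = ATTR_RE.match(line)
    if not match:
        return None, None
    attr, sep, value = match.groups()
    if sep == "::":
        value = base64.b64decode(value).decode("utf-8")
    return attr, value


def parse_ldif(text):
    """Return a list of (dn, [spn, ...]) for every record in the dump."""
    records = []
    dn, spns = None, []
    for line in unfold(text) + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, spns))
            dn, spns = None, []
            continue
        if line.startswith("#"):
            continue
        attr, value = _split_attr(line)
        if attr is None:
            continue
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return records


def find_duplicate_spns(text):
    """Map each case-folded SPN to the DNs holding it, keeping only clashes."""
    holders = defaultdict(list)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            key = spn.upper()
            if dn not in holders[key]:
                holders[key].append(dn)
    return {spn: dns for spn, dns in sorted(holders.items()) if len(dns) > 1}


def main(argv):
    """Read an LDIF file given as argv[1], or use the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    dupes = find_duplicate_spns(text)
    for spn, dns in dupes.items():
        print(f"{spn} is held by {len(dns)} objects:")
        for dn in dns:
            print(f"    {dn}")
    return 1 if dupes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Each reported clash names the objects involved, so the stale one (often a re-imaged machine whose old computer account was never removed) can be identified and its SPN removed before the new DC replicates the partition.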