[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server

Harald Hannelius harald+samba at arcada.fi
Mon Oct 31 13:08:13 UTC 2022

On Fri, 28 Oct 2022, Rowland Penny via samba wrote:

> Normally I create a new computer running the latest Debian version and then 
> install the latest version of Samba possible. I would then join this as a DC 
> and then, once everything is definitely running okay, demote one of my old 
> DC's, repeat for every other DC.

So I installed a Debian 11 computer, and Samba 4.16.6 from 
bullseye-backports. I joined this to the AD and it looks like everything 
went OK. 'samba-tool ldapcmp' looks good, as does 'samba-tool drs showrepl'.

Is there a way for me to actually test this "SAD3" new AD DC by for instance 
forcing one of my test fileservers to use only this computer as the DS?

If testing of SAD3 looks good, the next logical step would be to demote 
SAD2 (as long as it's not primary), remove all traces of samba from it and 
upgrade that, install samba from backports and join that. Same for DS1, 
moving the primary role first.

>> Almost all connections come from our other Windows AD domain.
> Then that needs to be a 'trusted' domain with its own 'idmap config' block.

I will get back to this, I promise. Sounds interesting, and I really need to 
learn more. If only there were more hours per day :/

>>      logging = syslog
>>      min domain uid = 500
> I suggest that you change that '500' to '0', otherwise the Administrator to 
> root mapping will be ignored.

But I do like it when we don't have a working Administrator account that has 
access to all files :)

> If you add a 'trusted' domain, you cannot use 'winbind use default domain = 
> yes'

I will get back on this.


Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
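The smb.conf fragment below is an added example, not configuration posted by either participant, showing how the points raised in this exchange fit together on a domain member: a temporary 'password server' pinning the member to the new DC for testing, separate 'idmap config' blocks for the member's own domain and for the trusted Windows domain, 'min domain uid' alongside the username map it gates, and 'winbind use default domain' left at its default because a trusted domain is present. The domain names (EXAMPLE, EXAMPLE.FI, WINDOM) and the ranges are assumptions; only the SAD3 hostname comes from the thread.

```ini
# Added example (not from the original thread). Domain names and
# ranges are hypothetical; adjust to the real environment.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.FI
    security = ADS

    # Testing only: force this member to talk to the new DC instead of
    # discovering DCs via DNS. smb.conf(5) documents this parameter but
    # discourages it; remove it once SAD3 has been validated.
    password server = sad3.example.fi

    # Default block catches BUILTIN and well-known SIDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Own domain: deterministic RID mapping.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # Trusted Windows domain needs its own block with a non-overlapping
    # range, otherwise its users cannot be resolved on the member.
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 1000000-1999999

    # 0 lets the username map below map Administrator to root (uid 0).
    # Leaving it at 500 blocks that mapping, so no domain account ends
    # up with root's file access.
    min domain uid = 0
    username map = /etc/samba/user.map

    # Must stay at the default 'no' when a trusted domain is configured,
    # since bare usernames would be ambiguous between EXAMPLE and WINDOM.
    winbind use default domain = no

    logging = syslog
```

The referenced /etc/samba/user.map would contain the single line `!root = EXAMPLE\Administrator`. After restarting winbind, `wbinfo --ping-dc` confirms which DC the member is actually using, and `wbinfo -i 'WINDOM\someuser'` or `getent passwd 'WINDOM\someuser'` shows whether the trusted-domain block resolves accounts to UIDs in the expected range.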
