[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server

Rowland Penny rpenny at samba.org
Mon Oct 31 13:41:37 UTC 2022 


On 31/10/2022 13:08, Harald Hannelius wrote:
> 
> On Fri, 28 Oct 2022, Rowland Penny via samba wrote:
> 
>> Normally I create a new computer running the latest Debian version and 
>> then install the latest version of Samba possible. I would then join 
>> this as a DC and then, once everything is definitely running okay, 
>> demote one of my old DC's, repeat for every other DC.
> 
> So I installed a Debian 11 computer, and Samba 4.16.6 from 
> bullseye-backports. I joined this to the AD and it looks like everything 
> went OK. 'samba-tool ldapcmp' looks good, as does 'samba-tool drs 
> showrepl'.
> 
> Is there a way for me to actually test this "SAD3" new AD DC by for 
> instance forcing one of my test fileservers to use only this computer as 
> the DS?

It is not easy, AD likes to find the best DC to use, but you could try 
adding 'password server = XXXX' where 'XXXX' the name or IP of the DC 
you want to use.

> 
> If testing of SAD3 looks good, the the next logical step would be to 
> demote SAD2 (as long as it's not primary)

It shouldn't matter (and please stop calling it 'primary'), all DC's are 
equal (or are supposed to be and if they aren't, then you have big 
problems) except for the FSMO roles and they can be on ANY DC, in fact, 
if you had 7 DC's, they could each have an FSMO role, so which would be 
the 'primary' then ?
If it does hold all the FSMO roles, then it very easy to transfer them 
to another DC using samba-tool.

, remove all traces of samba
> from it and upgrade that, install samba from backports and join that. 
> Same for DS1, moving the role first.
> 
>>> Almost all connections come from our other Windows AD domain.
>>
>> Then that needs to be a 'trusted' domain with its own 'idmap config' 
>> block.
> 
> I will get back to this, I promise. Sounds interesting, and I really 
> need to learn more. If there only was more hours per day :/

I have been working on time machine for a long time now, it still 
doesn't work :-D

> 
>>>      logging = syslog
>>>      min domain uid = 500
>>
>> I suggest that you change that '500' to '0', otherwise the 
>> Administrator to root mapping will be ignored.
> 
> But I do like it when we don't have a working Administrator account that 
> has access to all files :)

Not sure I understand that, but you need the Administrator root mapping.

> 
>> If you add a 'trusted' domain, you cannot use 'winbind use default 
>> domain = yes'
> 
> I will get back on this.
> 
> 

Rowland

More information about the samba mailing list