[Samba] Upgrading from Samba 4.8.2 to 4.15.5

Mark Foley mfoley at novatec-inc.com
Sat Jan 28 08:57:43 UTC 2023


On Sat Jan 28 02:37:16 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 28/01/2023 06:44, Mark Foley via samba wrote:
> > I wrote earlier about setting the domain user password minimum to > 14
> > characters. It was advised that my first step should be to upgrade from Samba
> > 4.8.2 to the most recent version available which for my Slackware 15.0 distro is
> > 4.15.5. This also involved a distro upgrade from Slackware 14.2 to 15.0.
> > 
> > After upgrading, just for the heck of it, I tried starting Samba without
> > changing my 4.8.2 configs.  Of course, that didn't work.  My initial error (of
> > several) in syslog was:
> > 
> > Jan 28 00:42:52 mail krb5kdc[2725]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory - while initializing database for realm MYDOM.LOCAL
>
> That looks like you also installed an MIT kerberos server as well, a 
> Samba domain usually uses the Heimdal kerberos server it comes with.

This DC was originally installed back in 2014 and perhaps that was what was
available then. I certainly didn't have the expertise to choose. Of course, that
message (above) is from trying to run the new samba 4.15.5, not the old one.

I have routinely upgraded the OS including Samba since.

> > At that point I decided to read the Wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
> > 
> > Under "Only Applicable if Samba was Previously Installed", it is telling me to
> > delete all my carefully crafted config files and looks like it's going to lead
> > me through the steps of re-provisioning.
> > 
> > Before taking that step I thought I'd ask if I really need to do that? Can I not
> > just install krb5, etc. and get there step-wise without redoing especially my
> > /var/lib/samba/private/ named.conf and dns/ files, and re-provisioning?
>
> That wiki page is indeed for setting up a new domain, to join another 
> DC, you need this page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> But before you do anything, I would check if you are running a separate 
> kdc and if you are, stop and remove it.

I'm certainly running some kerberos. My original provisioning gave the message,

"A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf"

My notes also say, "This Samba4 utilizes the Heimdal implementation of
Kerberos", so is it possible I am (or rather 'was') running Heimdal? I also have
zone files showing "krb5 servers".  And I do have a /var/lib/samba/private/krb5.conf. 

> I do hope you are doing this on a different machine to your existing DC.
>
> Rowland

Well, no -- same machine :) I did a complete backup so I can quickly put the old
DC back. This office doesn't have the resources to stage a new server, but I'm
doing this over the weekend so not really interfering with important production.

I'm beginning to think I need to actually reprovision. Aside from the 
kerberos question, I initially provisioned with --dns-backend=BIND9_FLATFILE,
which I believe is now deprecated. The FLATFILE was easy as I only needed minor
tweaks to a non-DC bind configuration. Probably I can't just install and
configure bits and pieces (like kerberos) and get this running using mostly
4.8.2 configs, right?

Here's my original provision command:

/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
  --server-role='dc' --realm=hprs.local --domain=HPRS \
  --adminpass='password' --dns-backend=BIND9_FLATFILE \
  --option="interfaces=lo eth1" --option="bind interfaces only=yes"

Do you agree, or are there a few things I can do to make things work with 4.15.5?

Thanks --Mark


