[Samba] Upgrading from Samba 4.8.2 to 4.15.5

Rowland Penny rpenny at samba.org
Sat Jan 28 10:11:44 UTC 2023



On 28/01/2023 08:57, Mark Foley via samba wrote:
> On Sat Jan 28 02:37:16 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
>> On 28/01/2023 06:44, Mark Foley via samba wrote:
>>> I wrote earlier about setting the domain user password minimum to > 14
>>> characters. It was advised that my first step should be to upgrade from Samba
>>> 4.8.2 to the most recent version available which for my Slackware 15.0 distro is
>>> 4.15.5. This also involved a distro upgrade from Slackware 14.2 to 15.0.
>>>
>>> After upgrading, just for the heck of it, I tried starting Samba without
>>> changing my 4.8.2 configs.  Of course, that didn't work.  My initial error (of
>>> several) in syslog was:
>>>
>>> Jan 28 00:42:52 mail krb5kdc[2725]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory - while initializing database for realm MYDOM.LOCAL
>>
>> That looks like you also installed a MIT kerberos server as well, a
>> Samba domain usually uses the Heimdal kerberos server it comes with.
> 
> This DC was originally installed back in 2014 and perhaps that was what was
> available then. I certainly didn't have the expertise to choose. Of course, that
> message (above) is from trying to run the new samba 4.15.5, not the old one.

Not being a Slackware user, I do not know what was available when you 
first installed Samba as a DC, but back then it was even more 
experimental to use MIT as the KDC than it is now.

A few distros chose not to supply Samba packages that could be 
provisioned as a DC, others supplied packages that had been built with 
MIT, but didn't tell anyone that they should be treated as experimental.

You should be able to find out if your Samba packages were built with 
MIT by running:

smbd -b | grep HAVE_LIBKADM5SRV_MIT

You should get nothing returned if Samba was built using the built-in 
Heimdal. If this is the case, you need to check if you have the MIT 
Kerberos KDC installed and if so, I suggest you remove it; you can only 
have one KDC.

If you get back 'HAVE_LIBKADM5SRV_MIT', then your Samba packages were 
built with MIT. At this point you will need to decide if you can accept 
using something that is experimental, or find Slackware Samba packages 
that are not built using MIT.

> 
> I have routinely upgraded the OS including Samba since.
> 
>>> At that point I decided to read the Wiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
>>>
>>> Under "Only Applicable if Samba was Previously Installed", it is telling me to
>>> deleted all my carefully crafted config files and looks like it's going to lead
>>> me through the steps of re-provisioning.
>>>
>>> Before taking that step I thought I'd ask if I really need to do that? Can I not
>>> just install krb5, etc. and get there step-wise without redoing especially my
>>> /var/lib/samba/private/ named.conf and dns/ files, and re-provisioning?
>>
>> That wiki page is indeed for setting up a new domain, to join another
>> DC, you need this page:
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>
>> But before you do anything, I would check if you are running a separate
>> kdc and if you are, stop and remove it.
> 
> I'm certainly running some kerberos. My original provisioning gave the message,
> 
> "A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf"

That is the Kerberos conf file to use as /etc/krb5.conf.

> 
> My notes also say, "This Samba4 utilizes the Heimdal implementation of
> Kerberos", so is it possible I am (or rather 'was') running Heimdal? I also have
> zone files showing "krb5 servers".  And I do have a /var/lib/samba/private/krb5.conf.

It sounds entirely possible that you were using Samba with its built-in 
Heimdal KDC, though I do think that the krb5.conf is supplied even if you don't.

> 
>> I do hope you are doing this on a different machine to your existing DC.
>>
>> Rowland
> 
> Well, no -- same machine :) I did a complete backup so I can quickly put the old
> DC back. This office doesn't have the resources to stage a new server, but I'm
> doing this over the weekend so not really interfering with important production.

Well, at least you can revert if required.

> 
> I'm beginning to think I need to actually reprovision. Aside from the
> kerberos question, I initially provisioned with --dns-backend=BIND9_FLATFILE,
> which I believe is now deprecated. The FLATFILE was easy as I only needed minor
> tweaks to a non-DC bind configuration. Probably I can't just install and
> configure bits and pieces (like kerberos) and get this running using mostly
> 4.8.2 configs, right?

Well, it is probably impossible to just change bits and pieces: tweak 
conf files, yes; change a bit here and there, no.

> 
> here's my original provision command:
> 
> /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
>    --server-role='dc' --realm=hprs.local --domain=HPRS \
>    --adminpass='password' --dns-backend=BIND9_FLATFILE \
>    --option="interfaces=lo eth1" --option="bind interfaces only=yes"

You built Samba yourself by the look of it and I remember you now, 
aren't you something to do with a police retirement fund?

> 
> Do you agree, or are there a few things I can do to make things work with 4.15.5?

If you did build Samba yourself and you have now installed Samba from 
Slackware packages, you could now have Samba in two places. This could 
be a good thing, because it is highly likely that your original Samba is 
untouched.

You should be able to upgrade your dns server quite easily with 
'samba_dnsupdate'.

Rowland
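The check Rowland describes above (grep the `smbd -b` build options for `HAVE_LIBKADM5SRV_MIT`, then, on a Heimdal build, make sure no separate MIT `krb5kdc` is installed) as a small POSIX shell script. This is an added example, not code from the thread or from the Samba project. It assumes only what the thread states: that the define appears verbatim in `smbd -b` output on an MIT build, and that a stray MIT KDC on this system shows up as a `krb5kdc` binary or the `/var/kerberos/krb5kdc` directory from the syslog line quoted earlier. The two sample build listings are constructed, not real `smbd -b` output.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Samba build as MIT- or
# Heimdal-based from `smbd -b` output, and flag the two-KDC situation
# (Heimdal-built Samba plus a separately installed MIT krb5kdc).

# classify_build: reads `smbd -b` text on stdin, prints "mit" or "heimdal".
classify_build() {
    if grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo heimdal
    fi
}

# kdc_conflict BUILD KRB5KDC_PRESENT: a Heimdal build must be the only KDC,
# so "heimdal" + an installed MIT krb5kdc is a conflict. An MIT build is
# expected to have the MIT KDC around, so that combination is "ok".
kdc_conflict() {
    build="$1"
    krb5kdc_present="$2"
    if [ "$build" = heimdal ] && [ "$krb5kdc_present" = yes ]; then
        echo conflict
    else
        echo ok
    fi
}

# live_check: run the same logic against the real host when smbd is in PATH.
# Presence heuristics for the MIT KDC are assumptions, not from Samba docs.
live_check() {
    command -v smbd >/dev/null 2>&1 || { echo "smbd not found in PATH" >&2; return 2; }
    build=$(smbd -b | classify_build)
    if command -v krb5kdc >/dev/null 2>&1 || [ -d /var/kerberos/krb5kdc ]; then
        present=yes
    else
        present=no
    fi
    echo "samba build:         $build"
    echo "mit krb5kdc present: $present"
    echo "status:              $(kdc_conflict "$build" "$present")"
}

# Constructed sample listings: only the one define that matters, with a
# little plausible noise around it. Not real smbd output.
SAMPLE_HEIMDAL='Build environment:
   HAVE_KRB5_H
   HAVE_GSSAPI
'
SAMPLE_MIT='Build environment:
   HAVE_KRB5_H
   HAVE_LIBKADM5SRV_MIT
'

# Offline demonstration on the constructed samples.
printf '%s' "$SAMPLE_HEIMDAL" | classify_build   # heimdal
printf '%s' "$SAMPLE_MIT"     | classify_build   # mit
kdc_conflict heimdal yes                         # conflict

# Pass --live to inspect the host this script runs on.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with no arguments to see the offline classification, or with `--live` on the DC itself; a `conflict` result is the case Rowland describes, where the separate MIT KDC should be removed before going further.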


