[Samba] Upgrading from Samba 4.8.2 to 4.15.5

Rowland Penny rpenny at samba.org
Sun Jan 29 09:30:26 UTC 2023



On 29/01/2023 07:53, Mark Foley via samba wrote:
> On Sat, 28 Jan 2023 12:42:17 -0500 Mark Foley wrote:
> 
> Thanks for that extensive response!
> 
> --Mark
> 
> On Sat Jan 28 05:12:23 2023 Rowland Penny via samba <samba at lists.samba.org> wrote
>>
>> [deleted]
> 
>> You should be able to find out if your Samba packages were built with
>> MIT by running:
>>
>> smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>
>> You should get nothing returned if Samba was built using the built-in
>> Heimdal. If this is the case, you need to check if you have the MIT
>> Kerberos KDC installed and if so, I suggest you remove it; you can only
>> have one KDC.
>>
>> If you get back 'HAVE_LIBKADM5SRV_MIT', then your Samba packages were
>> built with MIT. At this point you will need to decide if you can accept
>> using something that is experimental, or find Slackware Samba packages
>> that are not built using MIT.
> 
> I restored the previous Slackware 14.2 and Samba 4.8.2. I got back nothing from
> that command, so I guess therefore Heimdal.

Yes, Heimdal.

> 
> I ran the same command on a vanilla Slackware 15.0 (updated) and Samba 4.15.13
> system and did get back HAVE_LIBKADM5SRV_MIT, so the latest distro release must
> therefore use MIT as Michael Tokarev wrote.  That could explain some of my
> troubles trying to use the 4.8.2 configs on the in situ upgraded system.


No, they should have worked except for the problem of the distro 
packages installing outside of /usr/local/samba (where a default 
self-compile puts everything Samba). This means that when you tried to 
start Samba, it started a binary in somewhere like /usr/sbin rather than 
the one somewhere in /usr/local/samba. It will also have started the 
MIT KDC, but would not have had access to the Samba DB in /usr/local/samba.

> 
> [deleted]
> 
>> That wiki page is indeed for setting up a new domain, to join another
>> DC, you need this page:
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> 
> [deleted]
> 
> My current plan is to set up this new, vanilla system as another DC. I assume if
> I do that correctly I could then switch to this up-to-date DC as the primary
> and take down the older 4.8.2 system, yes?

No such thing as a primary, all DCs are equal, it is just some DCs are 
more equal than others because of the FSMO roles.

So, if you mean, can I join another DC, transfer all the FSMO roles to 
this and then demote the existing DC, then yes.

> 
> Will it work with MIT kerberos or should I try to use Heimdal?

Will it work with MIT? Then yes. Would I use it in production? Then NO.
Using MIT on a Samba AD DC is still marked as experimental and, until 
such time that the 'experimental' marker is removed, I cannot recommend 
using an MIT DC in production.

This means that you have three choices:

Use the Slackware packages and hope you do not have problems, not 
recommended, but it is your domain.

Build Samba yourself again on Slackware, this is, in my opinion, your 
only real option if you want to stick with Slackware.

Use another distro, such as Debian Bullseye, where you can get the 
latest Samba from backports.

Rowland

> 
> --Mark
> 
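
The build check discussed in the message above, applied to every smbd binary on a host that may carry both a distro package and a self-compiled install. This is an added example, not code from the thread or from the Samba project; the function names and the idea of passing candidate paths as arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project).
# Reports, for each smbd binary path given, which Kerberos implementation it
# was built against, using the `smbd -b` check quoted in the message above.

# kdc_flavor: reads `smbd -b` output on stdin; prints MIT, Heimdal or unknown.
kdc_flavor() {
    build=$(cat)
    case "$build" in
        "")                     echo unknown ;;  # binary failed or printed nothing
        *HAVE_LIBKADM5SRV_MIT*) echo MIT ;;      # symbol present: built with MIT
        *)                      echo Heimdal ;;  # symbol absent: built-in Heimdal
    esac
}

# audit_smbd: prints "<path><TAB><flavor>" for every executable path given and
# warns on stderr when the binaries found do not all share one flavor.
audit_smbd() {
    seen=""
    distinct=0
    for bin in "$@"; do
        [ -x "$bin" ] || continue                # skip paths not installed here
        out=$("$bin" -b 2>/dev/null) || out=""   # a failing binary counts as unknown
        flavor=$(printf '%s\n' "$out" | kdc_flavor)
        printf '%s\t%s\n' "$bin" "$flavor"
        case " $seen " in
            *" $flavor "*) ;;
            *) seen="$seen $flavor"; distinct=$((distinct + 1)) ;;
        esac
    done
    [ "$distinct" -le 1 ] ||
        echo "WARNING: smbd builds differ ($seen ); confirm which binary the init script starts" >&2
}

# Candidate paths are supplied by the caller; nothing is probed by default.
if [ "$#" -gt 0 ]; then
    audit_smbd "$@"
fi
```

Pass it the distro binary and the self-compiled one, for instance a path under /usr/sbin and one under /usr/local/samba (the exact subdirectories depend on the install and are not given in the thread).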
