[Samba] migrate DC from very old version of samba

Jennifer Sutton jsutton at samba.org
Thu Apr 3 23:52:44 UTC 2025


On 4/04/25 7:12 am, Rémi via samba wrote:
> Rowland Penny via samba <samba at lists.samba.org> writes:
> 
>>>> This may work, but you may have to do it in two stages, add a machine
>>>> running Debian buster, then bookworm.
>>>
>>> Any specific reason?
>>>
>>
>> From memory, there were problems upgrading/joining such old versions of
>> Samba, these were addressed around Samba 4.8.0. There have also been
>> major changes since 4.8.0, so doing it in two stages might be the best
>> idea. Of course, making a major jump to the latest version might work,
>> but I would test it first.
> 
> For the record, I backed up the complete old server, and tried the join
> at night to minimize my risks, and it worked :-)
> 
> I just encountered one error:
> ERROR(runtime): uncaught exception - (9003, 'WERR_DNS_ERROR_RCODE_NAME_ERROR')
> 
> But it's documented here:
> https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting#Issues_with_DNS_during_DC_join
> 
> So I wiped samba's db files on the new server, and restarted the join
> while following the instructions on the wiki, and all went well.
> 
> I also made the new server the dns server for that network, then stopped
> the old samba server, and tried multiple things on the client machines
> (login with a new user, nltest things, Test-ComputerSecureChannel), and
> everything worked.
> 
> So I think that globally I'm good, or at least not worse than before,
> and I'll try to transfer FSMO to the new server, then remove the old one
> from the AD.
> 
> The only thing that I noticed is these in the new server's logs:
> 
> Apr 03 09:20:43 dc1 samba[637]: [2025/04/03 09:20:43.624984,  0] source4/kdc/pac-glue.c:2402(samba_kdc_verify_pac)
> Apr 03 09:20:43 dc1 samba[637]:   samba_kdc_verify_pac: PAC_TYPE_REQUESTER_SID missing
> 
> Could they indicate a problem? Or is it just something that the old dc
> cannot do and it will disappear with the old dc?
> 
> Thanks a lot,

The new server expects that Kerberos tickets contain a SID 
(PAC_TYPE_REQUESTER_SID) that helps to ensure tickets aren’t being 
misused. The old server doesn’t support this, so the new server refuses 
to accept Kerberos tickets issued by the old server.

The log messages will go away when you demote the old server.

Cheers,
Jennifer (she/her)
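
An added example, not part of the original messages and not Samba project code: a small parser for the journal format quoted above that pairs each Samba debug header with its message line and reports how often, and when last, samba_kdc_verify_pac logged the missing PAC_TYPE_REQUESTER_SID, so you can confirm the messages stop once the old DC is demoted. The sample lines other than the two quoted in the thread are constructed, and the prefix and header patterns assume the layout shown in that excerpt.

```python
import re
from collections import Counter

# Optional journald/syslog prefix, e.g. "Apr 03 09:20:43 dc1 samba[637]: "
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ \S+\[\d+\]: ")
# Samba debug header: "[date time.usec,  level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+,\s+\d+\] "
    r"\S+:\d+\((?P<func>\w+)\)"
)
NEEDLE = "PAC_TYPE_REQUESTER_SID missing"

# Constructed sample: the two lines quoted in the thread, one constructed
# unrelated record, and a constructed repeat on the following day.
SAMPLE = """\
Apr 03 09:20:43 dc1 samba[637]: [2025/04/03 09:20:43.624984,  0] source4/kdc/pac-glue.c:2402(samba_kdc_verify_pac)
Apr 03 09:20:43 dc1 samba[637]:   samba_kdc_verify_pac: PAC_TYPE_REQUESTER_SID missing
Apr 03 09:21:02 dc1 samba[637]: [2025/04/03 09:21:02.100000,  3] constructed/other.c:1(constructed_fn)
Apr 03 09:21:02 dc1 samba[637]:   unrelated constructed message
Apr 04 02:15:10 dc1 samba[637]: [2025/04/04 02:15:10.000001,  0] source4/kdc/pac-glue.c:2402(samba_kdc_verify_pac)
Apr 04 02:15:10 dc1 samba[637]:   samba_kdc_verify_pac: PAC_TYPE_REQUESTER_SID missing
"""


def requester_sid_failures(lines):
    """Yield (date, time) of each samba_kdc_verify_pac record reporting NEEDLE."""
    current = None  # header of the record whose message lines we are reading
    for raw in lines:
        body = PREFIX.sub("", raw.rstrip("\n"))
        header = HEADER.match(body)
        if header:
            current = header.groupdict()
        elif current and current["func"] == "samba_kdc_verify_pac" and NEEDLE in body:
            yield current["date"], current["time"]
            current = None  # count each record once


def summarise(lines):
    """Total, per-day counts and last occurrence, to confirm the messages stop."""
    hits = list(requester_sid_failures(lines))
    return {
        "total": len(hits),
        "per_day": dict(Counter(date for date, _ in hits)),
        "last_seen": " ".join(max(hits)) if hits else None,
    }


if __name__ == "__main__":
    print(summarise(SAMPLE.splitlines()))
```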



