[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions

Franta Hanzlík franta at hanzlici.cz
Mon Jun 30 10:17:10 UTC 2025


On Mon, 30 Jun 2025 07:15:29 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> Rfc2307 is not needed in DCs even if you use it for AD idmapping in your member server.
> 
> See linked page for explanations and what it implies for a DC.

Luis, thank you for the clarification. I still have some ambiguities,
but from what you write and the links you sent, it seems that:

- the important thing is not to do DC provisioning with the "--use-rfc2307"
option (and thus not to have "idmap config DOMAIN:backend = ad" in
smb.conf).

- even so, the AD DB will contain the user entry attributes uidNumber, homeDirectory,
loginShell and the group entry attribute gidNumber - which I can (but don't have to)
fill in manually (and the Samba DC itself perhaps does not fill them).

- on a Linux fileserver which is an AD member I can use the "ad" idmap - but in this
case at least uidNumber and gidNumber must be filled in manually (for homedir
and shell, templates can be used), as the idmap_ad man page says:

"Mappings must be provided in advance by the administrator by adding the
uidNumber attributes for users and gidNumber attributes for groups in the
AD. Winbind will only map users that have a uidNumber and whose primary
group have a gidNumber attribute set. It is however recommended that all
groups in use have gidNumber attributes assigned, otherwise they are not
working."

- or I can use rid mapping on the Linux member servers, which does algorithmic
mapping to get the Unix UID and GID.


From all this, it seems to me that using the rid idmap is an easier and
error-free choice of ID mapping. Would you agree with that?


> On 29 Jun 2025 at 22:26 +0100, Franta Hanzlík <franta at hanzlici.cz>, wrote:
> 
> > On Sun, 29 Jun 2025 19:30:00 +0100
> > Luis Peromarta via samba <samba at lists.samba.org> wrote:
> >
> >  
> > > Hi there.
> > >
> > > The Oracle has already spoken, (@Rowland) I will give you some links:
> > >
> > > This is what I would do:
> > >
> > > First, there is a chance you may need to do this in 2 stages as 4.9 to 4.22 may be a bit too extreme.
> > >
> > >
> > >
> > > 0.- Back up both VMs, just in case.
> > >
> > > 1.- Do a good check on the DCs:
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:dc-maintenance
> > >
> > >
> > > 2.- Install and join new DC using Debian 12, you will need a new name for the machine:
> > >
> > >  http://samba.bigbird.es/doku.php?id=samba:aditional-dc
> > >
> > > If you get errors with this join, chances are you may need to get an intermediate version (Debian 11 and Samba 4.13). If so, restore VMs from backup and try Debian 11.
> > >
> > > 3.- All going well you have now 3 DCs. Transfer the FSMO roles to the new one:
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:fsmo-roles
> > >
> > > 4.- Demote one of the older DCs:
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:demote-dc
> > >
> > > 5.- Install an additional new DC as (2)
> > >
> > > 6.- Demote the other, older DC as (4)
> > >
> > > 7.- Once all has been tested with Samba 4.17, upgrade to 4.22 using backports:
> > >
> > > Using backports:
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:installing-from-backports
> > >
> > > Upgrade:
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:upgrade-sama
> > >
> > > 8.- Once all done, check you only have one entry for the PDC Emulator role:
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:fsmo-roles
> > >
> > >
> > >
> > > Note: If you are using "idmap_ldb:use rfc2307 = yes" I recommend you don't.
> > >
> > > http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
> > >
> > > On 29 Jun 2025 at 18:31 +0100, Franta Hanzlík via samba <samba at lists.samba.org>, wrote:
> > >  
>  [...]  
>  [...]  
> > > --
> > >  
> >
> > Hello Luis, Peter and Rowland,
> > many thanks for quick response, valuable advice and references to
> > samba.bigbird.es (it will take some time to absorb it all)!
> >
> > I have a small addition to this:
> >
> > - By using the demotion of the old DC and its permanent removal from the
> > network and subsequent inclusion of a new VM with the same hostname, IP,
> > etc., I aimed to achieve the same external characteristic and behavior
> > after the upgrade as the original system had. And I would probably not
> > need to use a temporary VM - the new DC would replace the old one 1:1.
> > Or am I wrong?
> >
> > - Both VMs are small, serving only as DCs, no fileserver, printserver,
> > etc. And yes, on the current (old) system we use rfc2307 (so on each DC
> > there is "idmap_ldb:use rfc2307 = yes" in smb.conf, and on the two Samba
> > fileservers there is "idmap config DOMAIN:backend = ad" in smb.conf).
> > rfc2307 is used for Linux clients, for their POSIX attributes such as UID,
> > GID, homedir. I thought until now that if Linux clients also authenticate
> > to Samba AD, then it is necessary to use rfc2307.
> > Are you saying it is different, that rfc2307 can be canceled?
> > The "rid" idmap backend will then be used on the fileserver instead of ad?
> > And will tools like RSAT on Windows or samba-tool on Linux also allow
> > us to enter POSIX parameters? Or are they assigned somehow automatically?
> > On the current old system we enter POSIX parameters manually, so some
> > simplification or automation would be welcome...
> >
> > Regarding using the Debian distro - we have been using Fedora for a long time
> > now because we know it. And we compile the Samba packages for the DC ourselves,
> > with Heimdal Kerberos (Fedora has MIT, I'm not sure how suitable it is
> > for production deployment, I think it is still marked as experimental).
> > I don't know if switching to Debian would cause some confusion and damage,
> > since it would be new for us. IMO there will not be much difference in
> > functionality, although support in Debian is probably greater today than
> > in Fedora.
> > --
> > Thanks in advance, Franta Hanzlik
> >  
> -- 
-- 
Thanks, Franta Hanzlik
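The two idmap choices weighed in the message above differ in exactly one thing: where the Unix ID comes from. With idmap_rid the ID is computed (idmap_rid(8) documents it as ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID defaulting to 0), so every SID in the range maps and nothing has to be stored in AD; with idmap_ad the ID is read from uidNumber/gidNumber and any account missing them is silently unmappable. The script below is an added example written for this page, not code from the thread or from the Samba project: the first helper reproduces the idmap_rid arithmetic for a member server configured with `idmap config EXAMPLE : backend = rid` and `range = 10000-999999`, the second scans an LDIF dump (such as the output of `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber` on a DC) for the users idmap_ad would skip. The domain SID, the range and the three-user LDIF are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumed member-server
# smb.conf for the rid case (hypothetical domain EXAMPLE):
#   idmap config EXAMPLE : backend = rid
#   idmap config EXAMPLE : range   = 10000-999999

# rid_to_id SID LOW-HIGH
# Compute the Unix ID idmap_rid assigns to SID, per idmap_rid(8):
#   ID = RID - BASE_RID + LOW_RANGE_ID   (BASE_RID defaults to 0)
# Prints the ID; returns 1 if the result falls outside the range (winbind
# refuses to map such a SID), 2 if the argument is not a SID.
rid_to_id() {
    sid=$1
    low=${2%-*}
    high=${2#*-}
    rid=${sid##*-}          # last dash-separated component is the RID
    case "$rid" in
        ''|*[!0-9]*) return 2 ;;
    esac
    id=$((low + rid))
    [ "$id" -le "$high" ] || return 1
    echo "$id"
}

# users_without_uidnumber < ldif
# idmap_ad only maps users that carry uidNumber (and whose primary group
# carries gidNumber). Read an LDIF dump on stdin and print the
# sAMAccountName of every entry that has no uidNumber, i.e. the accounts
# that would be invisible on an idmap_ad member server.
users_without_uidnumber() {
    awk '
        /^dn: /             { name = ""; has = 0 }
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { has = 1 }
        /^$/                { if (name != "" && !has) print name; name = "" }
        END                 { if (name != "" && !has) print name }
    '
}

# Constructed sample dump for a hypothetical domain; not real data.
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10003
'

# Demonstration: a user with RID 1104 in the assumed range, and the scan.
rid_to_id S-1-5-21-3623811015-3361044348-30300820-1104 10000-999999   # 11104
printf '%s' "$SAMPLE_LDIF" | users_without_uidnumber                  # bob
```

The scan is the check worth running before switching a member server to idmap_ad: every name it prints is a user who will not resolve on that server until uidNumber is set in AD. The same one-liner applied to `(objectClass=group)` with `gidNumber` finds the groups the idmap_ad man page warns about. With idmap_rid neither check is needed, which is what makes it the lower-maintenance choice, at the cost of the IDs being range-dependent rather than stored in the directory.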


