[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Luis Peromarta
lperoma at icloud.com
Mon Jun 30 11:14:24 UTC 2025
On 29 Jun 2025 at 22:26 +0100, Franta Hanzlík <franta at hanzlici.cz>, wrote:
>
> I have a small addition to this:
>
> - By using the demotion of the old DC and its permanent removal from the
> network and subsequent inclusion of a new VM with the same hostname, IP,
> etc., I aimed to achieve the same external characteristic and behavior
> after the upgrade as the original system had. And I would probably not
> need to use a temporary VM - the new DC would replace the old one 1:1.
> Or am I wrong?

This would be fine, and because you have a backup of the VMs, you’re safe. Demote the DC that does not have the FSMO roles.
>
> - Both VMs are small, serving only as DCs, no fileserver, printserver,
> etc. And yes, on the current (old) system we use rfc2307 (so on each DC
> there is "idmap_ldb:use rfc2307 = yes" in smb.conf, and on the two Samba
> fileservers is "idmap config DOMAIN:backend = ad" in smb.conf).
> rfc2307 is used for Linux clients, their POSIX attributes such as UID,
> GID, homedir. I thought until now that if Linux clients also authenticate
> to Samba AD, then it is necessary to use rfc2307.
> Are you saying it is different, that rfc2307 can be canceled?
> The "rid" idmap backend will then be used on the fileserver instead of ad?
> And will tools like RSAT on Windows or samba-tool on Linux also allow
> us to enter POSIX parameters? Or are they assigned somehow automatically?
> On the current old system we enter POSIX parameters manually, so some
> simplification or automation would be welcome...

If you use AD idmapping in your member servers, that’s fine, continue with it. You can - however - safely remove the line from your DCs. Reasons explained in the link.
>
> Regarding using Debian distro - we have been using Fedora for a long time
> now because we know it. And we compile Samba packages for DC ourselves,
> with Heimdal Kerberos (Fedora has MIT, I'm not sure how suitable it is
> for production deployment, I think it is still marked as experimental).
> I don't know if switching to Debian would cause some confusion and damage,
> when it will be new for us. IMO there will not be much difference in
> functionality, although support in Debian is probably greater today than
> in Fedora.

I’d use Debian, distro of choice for all things Samba.