Hello.

I know this is half OS-specific: I already asked on freebsd-ports@, but got no answer so far...

Since 3.6 has been EOLed I'd like to upgrade all my such Samba installations to 4.2.
Right now I don't want to switch any of them to AD; I just want to keep running as I do now, but with a supported version.

I've started from the simplest cases and so far I've been able to upgrade some servers with the following steps:
_ stop Samba;
_ uninstall samba36;
_ install samba42;
_ replace "samba_enable" with "samba_server_enable" in /etc/rc.conf;
_ rename /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf;
_ move /usr/local/etc/samba/smbpasswd to /var/db/samba4/private;
_ restart Samba.

This worked on servers running on smbpasswd backend; however I'm now trying on a PDC which uses LDAP as backend and it's not that easy.
I also moved /usr/local/etc/samba/schannel_store.tdb and /usr/local/etc/samba/secrets.tdb to /var/db/samba4/private, but still I had no luck.

smbclient -L did not work anymore, neither did pam_winbind; so I had to go back to 3.6.

Am I overseeing something obvious?
Is there any howto for this?
Does anything need to be done on the LDAP schema?
Anything else?

bye & Thanks
av.
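
The file-level steps listed in the message above (rc.conf variable, smb.conf rename, moving smbpasswd and the two .tdb files), written as a shell function. This is an added example, not part of the original post and not the FreeBSD port's own tooling. The function name, the staging-root argument, the `.pre-samba42` backup name and the `chmod 600` are assumptions made here; stopping Samba, swapping the packages and restarting are left to the administrator.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a hypothetical staging prefix
# so the steps can be rehearsed on a copy before touching the real paths.
migrate_samba_files() {
    root=$1
    etc="$root/usr/local/etc"
    priv="$root/var/db/samba4/private"
    rc="$root/etc/rc.conf"

    # rc.conf: samba_enable -> samba_server_enable, keeping a backup copy.
    if [ -f "$rc" ] && grep -q '^samba_enable=' "$rc"; then
        cp -p "$rc" "$rc.pre-samba42" || return 1
        sed 's/^samba_enable=/samba_server_enable=/' "$rc.pre-samba42" > "$rc" || return 1
    fi

    # smb.conf -> smb4.conf; never overwrite a smb4.conf that is already there.
    if [ -f "$etc/smb.conf" ]; then
        [ -e "$etc/smb4.conf" ] && { echo "smb4.conf already exists" >&2; return 1; }
        mv "$etc/smb.conf" "$etc/smb4.conf" || return 1
    fi

    # Account and secrets databases -> new private directory.
    mkdir -p "$priv" || return 1
    for f in smbpasswd schannel_store.tdb secrets.tdb; do
        [ -f "$etc/samba/$f" ] || continue      # not every server has all three
        mv "$etc/samba/$f" "$priv/$f" || return 1
        # Added precaution (assumption): these files hold password hashes and
        # machine secrets, so leave them readable by their owner only.
        chmod 600 "$priv/$f" || return 1
    done
    return 0
}
```

Running it a second time on the same tree is a no-op, and it stops rather than overwriting when both smb.conf and smb4.conf exist.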

On 04/07/15 11:35, Andrea Venturoli wrote:
> Hello.
>
> I know this is half OS-specific: I already asked on freebsd-ports@,
> but got no answer so far...
>
> Since 3.6 has been EOLed I'd like to upgrade all my such Samba
> installations to 4.2.
> Right now I don't want to switch any of them to AD; I just want to
> keep running as I do now, but with a supported version.
>
> I've started from the simplest cases and so far I've been able to
> upgrade some servers with the following steps:
> _ stop Samba;
> _ uninstall samba36;
> _ install samba42;
> _ replace "samba_enable" with "samba_server_enable" in /etc/rc.conf;
> _ rename /usr/local/etc/smb.conf to /usr/local/etc/smb4.conf;
> _ move /usr/local/etc/samba/smbpasswd to /var/db/samba4/private;
> _ restart Samba.
>
> This worked on servers running on smbpasswd backend; however I'm now
> trying on a PDC which uses LDAP as backend and it's not that easy.
> I also moved /usr/local/etc/samba/schannel_store.tdb and
> /usr/local/etc/samba/secrets.tdb to /var/db/samba4/private, but still
> I had no luck.
>
> smbclient -L did not work anymore, neither did pam_winbind; so I had
> to go back to 3.6.
>
> Am I overseeing something obvious?
> Is there any howto for this?
> Does anything need to be done on the LDAP schema?
> Anything else?
>
> bye & Thanks
> av.

Hi, never used FreeBSD, but 4.2 is not just an AD DC, it is also supposed to be a replacement for the old 3.6 series and work in the same way.

There are some changes to what can and cannot go into smb.conf, but these are minor and can easily be identified by reading the smb.conf manpage and the Samba release notes.

Does anything start?
Is there anything in the log files?
What is your smb.conf?

Rowland

On 07/04/15 13:04, Rowland Penny wrote:
> Hi, never used FreeBSD, but 4.2 is not just an AD DC, it is also
> supposed to be a replacement for the old 3.6 series and work in the same
> way.

That's what I'm trying to achieve.

> There are some changes to what can and cannot go into smb.conf, but
> these are minor and can easily be identified by reading the smb.conf
> manpage and the Samba release notes.

I got some warnings about "idmap backend" being deprecated, but I think I solved that; also, they were only warnings.

> Does anything start?

Sure: two instances of nmbd, one of smbd and three of winbindd.

> Is there anything in the log files?

Nothing special:
_ log.nmbd ends with "become_logon_server_success: Samba is now a logon server for workgroup VENTU on subnet 10.1.2.13";
_ log.smbd complains about not being able to retrieve printer list, but I'm not interested in printing;
_ log.winbindd says it's ready.

Also, sockets are open (ports 137, 138, 139 and 445) and there are a couple of connections from smbd to slapd.

> What is your smb.conf?

Here's my global section:

> [global]
> log level=1
> unix password sync=no
> workgroup = VENTU
> server string = SOTH
> load printers=no
> max log size=50000
> security = user
> encrypt passwords = yes
> interfaces = nfe0 10.1.2.13/24
> local master = yes
> os level = 255
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon script=netlogon.cmd %U
> wins support = yes
> wins proxy = yes
> dns proxy = no
> ldap admin dn="cn=root,dc=ventu"
> ldap ssl=off
> ldap suffix="dc=ventu"
> passdb backend = ldapsam
> ea support=yes
> map hidden=no
> map system=no
> map archive=no
> idmap config * : backend=ldap:ldap://localhost
> ldap idmap suffix="dc=ventu"
> hosts allow = 127. 10.1.2.
> name resolve order = wins
> time server = no
> map archive = No
> hide dot files=no
> lm announce=auto
> logon path
> logon home
> unix extensions=no
> mangled names=no
> winbind use default domain=yes

"smbclient -U andrea -I 10.1.2.13 -L //soth" asks for a password, but then dumps core (it doesn't matter if the given password is right or wrong).
"wbinfo -u" correctly retrieves the user list, but PAM authentication (through pam_winbind.so) fails.

So you confirm there is nothing special I had to do, but didn't?
I'd like to make sure I'm not wasting time, before I compile with debugging info, raise log levels, etc...

bye & Thanks
av.