Marco Gaiarin
2017-Jun-21 13:53 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
Hello! L.P.H. van Belle via samba
  On that day it was said...

[ I've written to Rowland, offlist, supposing a debian specific trouble...
  because we are back here, I change subject. ]

> I have had a look in the bug reports.
> See : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816301

Seems mildly related. I was on jessie samba 4.2 and I've just done the 'classicupgrade' phase, before upgrading samba.

> Post smb.conf also so we can check if you have more config errors.

Anyway...

    root@lupus:~# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[netlogon]"
    Processing section "[sysvol]"
    Processing section "[printers]"
    Processing section "[print$]"
    Processing section "[profiles]"
    Processing section "[users]"
    Loaded services file OK.
    Server role: ROLE_ACTIVE_DIRECTORY_DC

    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
        bind interfaces only = Yes
        interfaces = lo eth0.17
        netbios aliases = CUPS FILE MEDIA TIME
        realm = AD.CORSI.SV.LNF.IT
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SVCORSI
        ldap server require strong auth = allow_sasl_over_tls
        logon drive = p:
        logon home = \\LUPUS\%U
        logon path = \\LUPUS\profiles\%U
        logon script = startup.bat
        printcap name = cups
        passdb backend = samba_dsdb
        server role = active directory domain controller
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config svcorsi : schema_mode = rfc2307
        idmap config svcorsi : backend = ad
        idmap_ldb:use rfc2307 = yes
        dsdb:schema update allowed = true
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

-- 
dott. Marco Gaiarin   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2017-Jun-21 14:17 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
On Wed, 21 Jun 2017 15:53:42 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba
>   On that day it was said...
>
> [ I've written to Rowland, offlist, supposing a debian specific
> trouble... because we are back here, I change subject. ]

I asked Louis to help because you may be using his packages, I wasn't sure ;-)

> root@lupus:~# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[profiles]"
> Processing section "[users]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     interfaces = lo eth0.17
>     netbios aliases = CUPS FILE MEDIA TIME
>     realm = AD.CORSI.SV.LNF.IT
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = SVCORSI
>     ldap server require strong auth = allow_sasl_over_tls
>     logon drive = p:
>     logon home = \\LUPUS\%U
>     logon path = \\LUPUS\profiles\%U
>     logon script = startup.bat
>     printcap name = cups
>     passdb backend = samba_dsdb
>     server role = active directory domain controller
>     winbind enum groups = Yes
>     winbind enum users = Yes
>     winbind nss info = rfc2307
>     rpc_server:tcpip = no
>     rpc_daemon:spoolssd = embedded
>     rpc_server:spoolss = embedded
>     rpc_server:winreg = embedded
>     rpc_server:ntsvcs = embedded
>     rpc_server:eventlog = embedded
>     rpc_server:srvsvc = embedded
>     rpc_server:svcctl = embedded
>     rpc_server:default = external
>     winbindd:use external pipes = true
>     idmap config svcorsi : schema_mode = rfc2307
>     idmap config svcorsi : backend = ad
>     idmap_ldb:use rfc2307 = yes
>     dsdb:schema update allowed = true
>     idmap config * : backend = tdb
>     map archive = No
>     map readonly = no
>     store dos attributes = Yes
>     vfs objects = dfs_samba4 acl_xattr
>

Did you add any lines, or is this what the classicupgrade gave you ?

Either way I would make your smb.conf look like this:

    [global]
        netbios name = <YOUR DC HOSTNAME IN UPPERCASE>
        realm = AD.CORSI.SV.LNF.IT
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SVCORSI
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        printcap name = cups
        bind interfaces only = Yes
        interfaces = lo eth0.17
        ldap server require strong auth = allow_sasl_over_tls

The rest is either default settings or shouldn't be used on a DC.

Rowland
L.P.H. van Belle
2017-Jun-21 14:30 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
.. He did not post smb.conf ;-)
The rest is shown because he used testparm not samba-tool testparm

See for yourself, ;-)

    testparm > test1.txt
    samba-tool testparm > test2.txt
    diff test1.txt test2.txt

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 21 June 2017 16:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] Upgrading samba from jessie (4.2) to
> stretch (4.5) in AD mode...
>
> On Wed, 21 Jun 2017 15:53:42 +0200
>
> I asked Louis to help because you may be using his packages,
> I wasn't sure ;-)

That's ok, I know a lot of the packages.. :-) not all but a lot.

I've updated some info on my site : http://downloads.van-belle.nl/samba4/README.txt
I'll post it here also since the subject is good now.

Some Debian samba upgrade pitfalls

For any debian samba 4.1.x and debian samba 4.2.x upgrades to 4.5 and up,
if you have in smb.conf :

    security = share

Change that to :

    security = user
    map to guest = Bad User

!! your upgrade fails if your smb.conf is incorrect. !!
Solution is correct smb.conf, run: dpkg-reconfigure -a

There are things that are known to error when upgrading.
(These are not related to my packages.)

For example :

A) The nsswitch.conf with : winbind compat ( change that back to compat winbind)
   Source info : https://lists.samba.org/archive/samba-technical/2017-June/121139.html

B) Old settings in smb.conf prevent good upgrade, remove the old settings.
   A bug report about this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816301
   See also the Upgrade-info.txt for the summarized changed settings.

C) There was a small change in a package of debian, you may need to force a package.
   In this case you need to force install the package and override the file.
   This is some older debian bug, you can use :
       dpkg -i --force-all /var/cache/apt/archives/thepackage.deb
   It's a vfs module that changed from samba-common to samba-vfs-common.
   You can overwrite without risk.

D) Minor thing, if you install only winbind, you see a message about missing ..path/ldb
   winbind does not need it, if you don't want to see this message,
       apt-get install samba-dsdb-common

Now the world knows :-)

Greetz,

Louis
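The smb.conf and nsswitch.conf pitfalls listed above, together with the "no 'security = user' on a DC" remark quoted later in the thread, can be checked on copies of the files before the upgrade. The script below is an added example, not part of any message in this thread and not shipped with Samba or Debian; the function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: flags the upgrade pitfalls named in this thread.

# Print (lowercased) the value of one [global] parameter of an smb.conf.
smbconf_global() {  # $1 = file, $2 = parameter name in lowercase
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[[ \t]*/, "", sec)
                      sub(/[ \t]*\].*$/, "", sec); next }
        sec == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) print tolower(val)
        }' "$1"
}

# Print each nsswitch database (passwd, group) listing winbind before compat.
nss_winbind_first() {  # $1 = nsswitch.conf
    awk '{ sub(/#.*/, "") }
        /^[ \t]*(passwd|group):/ {
            w = 0; c = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "winbind" && !w) w = i
                if ($i == "compat" && !c) c = i
            }
            if (w && c && w < c) { sub(/:$/, "", $1); print $1 }
        }' "$1"
}

preupgrade_check() {  # $1 = smb.conf, $2 = nsswitch.conf; returns 1 on findings
    rc=0
    sec=$(smbconf_global "$1" "security")
    role=$(smbconf_global "$1" "server role")
    if [ "$sec" = "share" ]; then
        echo "smb.conf: 'security = share', use 'security = user' + 'map to guest = Bad User'"; rc=1
    elif [ "$sec" = "user" ] && [ "$role" = "active directory domain controller" ]; then
        echo "smb.conf: 'security = user' is set on an AD DC, remove it"; rc=1
    fi
    for db in $(nss_winbind_first "$2"); do
        echo "nsswitch.conf: $db has 'winbind compat', change to 'compat winbind'"; rc=1
    done
    return "$rc"
}

# Constructed sample input, not the poster's real files.
tmp=$(mktemp -d)
printf '[global]\n\tworkgroup = SVCORSI\n\tsecurity = share\n' > "$tmp/smb.conf"
printf 'passwd: winbind compat\ngroup: compat winbind\n' > "$tmp/nsswitch.conf"
preupgrade_check "$tmp/smb.conf" "$tmp/nsswitch.conf" || echo "findings above"
rm -rf "$tmp"
```

Only the `[global]` section is read, so a `security` line inside a share definition is ignored.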
Marco Gaiarin
2017-Jun-21 16:06 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
Hello! L.P.H. van Belle via samba
  On that day it was said...

> He did not post smb.conf ;-)

It is full of comment, now, because I'm moving some settings from my old 'NT' domain...

[From other thread...]

> If he has added 'security = user' to his smb.conf, he needs to remove
> it, you do not use this on a DC.

Clearly, I've removed that; I've added exclusively to finish the post-installation task of debian package. Sorry if I was not clear.

> It looks like he got hit by the 'winbind package not installed on
> debian unless you ask for it' error.

?!

> The rest is shown because he used testparm not samba-tool testparm

I don't know about that. ;-)

    root@lupus:~# samba-tool testparm
    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
        bind interfaces only = Yes
        interfaces = lo eth0.17
        netbios aliases = CUPS FILE MEDIA TIME
        netbios name = LUPUS
        realm = AD.CORSI.SV.LNF.IT
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SVCORSI
        ldap server require strong auth = allow_sasl_over_tls
        logon drive = p:
        logon home = \\LUPUS\%U
        logon path = \\LUPUS\profiles\%U
        logon script = startup.bat
        load printers = Yes
        printcap name = cups
        server role = active directory domain controller
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config svcorsi : schema_mode = rfc2307
        idmap config svcorsi : backend = ad
        idmap_ldb:use rfc2307 = yes
        dsdb:schema update allowed = true
        comment =
        printing = cups

effectively it is simpler.

I've added surely 'ldap server require strong auth allow_sasl_over_tls' to make exim work, and 'dsdb:schema update allowed true' to modify schema.

Clearly I've added 'logon *' options because I need it. ;)

Other things probably added to make winbind NSS and PAM providers work, but finally I've switched to SSSD.

Thanks.
Marco Gaiarin
2017-Jun-21 16:18 UTC
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...
Hello! L.P.H. van Belle via samba
  On that day it was said...

Sorry, forgot to say:

> For any debian samba 4.1.x and debian samba 4.2.x upgrades to 4.5 and up

I've seen that (on list archive, or in some debian bugs, I don't remember) but seems not relevant to me because I had just done 'classic upgrade', eg I was just in AD mode when upgrading from 4.2 to 4.5.

Because I've snapshotted the VM before doing the upgrade, I can give it a second try. But provide me some hints on steps to reproduce...