On 06.06.2018 16:02, Rowland Penny via samba wrote:> >> I seem to remember having read here on the list, that it is no good >> idea to mix samba versions in a domain. If there is sound advice to >> do it anyways, I would be up for trying it. However, as I have >> written above, I messed up the uid/gid ranges. To my understanding, >> later versions of Samba (like 4.5) _require_ the ranges to comply to >> the defaults as denoted by the wiki. > There is nothing to stop you using different versions on DCs and you > can do the same with Unix domain members, unless you are using the 'ad' > backend and are NOT using Domain Users as the users Unix primary group. > It is however, best practise to use the same major version, just to get > similar capabilities on all machines. >So in theory, if I hadn't messed up my id map ranges (domain groups start with 2000), and if I hadn't begun removing stuff manually, and if I wouldn't use Domain Users as primary group, I could have joined an up-to-date DC and used the new script for demoting the dead one. I am not trying to sound sarcastic. I am trying to understand, and see whether perhaps there is still hope for such a maneuver. Ole
On Wed, 6 Jun 2018 17:02:24 +0200 Ole Traupe via samba <samba at lists.samba.org> wrote:> > > On 06.06.2018 16:02, Rowland Penny via samba wrote: > > > >> I seem to remember having read here on the list, that it is no good > >> idea to mix samba versions in a domain. If there is sound advice to > >> do it anyways, I would be up for trying it. However, as I have > >> written above, I messed up the uid/gid ranges. To my understanding, > >> later versions of Samba (like 4.5) _require_ the ranges to comply > >> to the defaults as denoted by the wiki. > > There is nothing to stop you using different versions on DCs and you > > can do the same with Unix domain members, unless you are using the > > 'ad' backend and are NOT using Domain Users as the users Unix > > primary group. It is however, best practise to use the same major > > version, just to get similar capabilities on all machines. > > > > So in theory, if I hadn't messed up my id map ranges (domain groups > start with 2000), and if I hadn't begun removing stuff manually, and > if I wouldn't use Domain Users as primary group, I could have joined > an up-to-date DC and used the new script for demoting the dead one.You still could have, but it is my understanding that it still could leave some things behind, but nothing critical.> > I am not trying to sound sarcastic. I am trying to understand, and > see whether perhaps there is still hope for such a maneuver.You will lose nothing from trying the samba-tool command, but I don't really expect it to work at this point. Rowland
On 6/6/2018 11:02 AM, Ole Traupe via samba wrote:> > > On 06.06.2018 16:02, Rowland Penny via samba wrote: >> >>> I seem to remember having read here on the list, that it is no good >>> idea to mix samba versions in a domain. If there is sound advice to >>> do it anyways, I would be up for trying it. However, as I have >>> written above, I messed up the uid/gid ranges. To my understanding, >>> later versions of Samba (like 4.5) _require_ the ranges to comply to >>> the defaults as denoted by the wiki. >> There is nothing to stop you using different versions on DCs and you >> can do the same with Unix domain members, unless you are using the 'ad' >> backend and are NOT using Domain Users as the users Unix primary group. >> It is however, best practise to use the same major version, just to get >> similar capabilities on all machines. >> > > So in theory, if I hadn't messed up my id map ranges (domain groups > start with 2000), and if I hadn't begun removing stuff manually, and > if I wouldn't use Domain Users as primary group, I could have joined > an up-to-date DC and used the new script for demoting the dead one. > > I am not trying to sound sarcastic. I am trying to understand, and see > whether perhaps there is still hope for such a maneuver. > > Ole > > >Ole, Yes. However can you point me to the patch notes where you indicate you are unable to upgrade? I don't see why you still can't join a new machine if you cleanup the current DC. I assume reading the patch notes would clarify this for me. -James
On 06.06.2018 21:54, lingpanda101 wrote:> On 6/6/2018 11:02 AM, Ole Traupe via samba wrote: >> >> >> On 06.06.2018 16:02, Rowland Penny via samba wrote: >>> >>>> I seem to remember having read here on the list, that it is no good >>>> idea to mix samba versions in a domain. If there is sound advice to >>>> do it anyways, I would be up for trying it. However, as I have >>>> written above, I messed up the uid/gid ranges. To my understanding, >>>> later versions of Samba (like 4.5) _require_ the ranges to comply to >>>> the defaults as denoted by the wiki. >>> There is nothing to stop you using different versions on DCs and you >>> can do the same with Unix domain members, unless you are using the 'ad' >>> backend and are NOT using Domain Users as the users Unix primary >>> group. >>> It is however, best practise to use the same major version, just to get >>> similar capabilities on all machines. >>> >> >> So in theory, if I hadn't messed up my id map ranges (domain groups >> start with 2000), and if I hadn't begun removing stuff manually, and >> if I wouldn't use Domain Users as primary group, I could have joined >> an up-to-date DC and used the new script for demoting the dead one. >> >> I am not trying to sound sarcastic. I am trying to understand, and >> see whether perhaps there is still hope for such a maneuver. >> >> Ole >> >> >> > Ole, > > Yes. However can you point me to the patch notes where you > indicate you are unable to upgrade? I don't see why you still can't > join a new machine if you cleanup the current DC. I assume reading the > patch notes would clarify this for me. > > -James >I will try to find that section again. At first glance, I did not find this information in patch notes 4.3-4.5. But I seem to remember having read that, and I also remember a conversion with Rowland a while ago leaving me with the impression that having different (lower) id ranges defined will be a show-stopper for upgrading beyond a certain point. I will try to find those emails again. Ole
Quick update on the actual issue: after removing just all the DNS entries associated with the dead DC, and restarting Windows clients and also Samba processes on the file server, my domain appears to be stable for roughly 18h now (=no logon or share/file access issues). Ole On 06.06.2018 21:54, lingpanda101 wrote:> On 6/6/2018 11:02 AM, Ole Traupe via samba wrote: >> >> >> On 06.06.2018 16:02, Rowland Penny via samba wrote: >>> >>>> I seem to remember having read here on the list, that it is no good >>>> idea to mix samba versions in a domain. If there is sound advice to >>>> do it anyways, I would be up for trying it. However, as I have >>>> written above, I messed up the uid/gid ranges. To my understanding, >>>> later versions of Samba (like 4.5) _require_ the ranges to comply to >>>> the defaults as denoted by the wiki. >>> There is nothing to stop you using different versions on DCs and you >>> can do the same with Unix domain members, unless you are using the 'ad' >>> backend and are NOT using Domain Users as the users Unix primary >>> group. >>> It is however, best practise to use the same major version, just to get >>> similar capabilities on all machines. >>> >> >> So in theory, if I hadn't messed up my id map ranges (domain groups >> start with 2000), and if I hadn't begun removing stuff manually, and >> if I wouldn't use Domain Users as primary group, I could have joined >> an up-to-date DC and used the new script for demoting the dead one. >> >> I am not trying to sound sarcastic. I am trying to understand, and >> see whether perhaps there is still hope for such a maneuver. >> >> Ole >> >> >> > Ole, > > Yes. However can you point me to the patch notes where you > indicate you are unable to upgrade? I don't see why you still can't > join a new machine if you cleanup the current DC. I assume reading the > patch notes would clarify this for me. > > -James >