Juan Ignacio
2022-Dec-01 17:28 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Another thing I wonder about demoting the Original DC.
The smb.conf files look different on the original DC than the new one.
I would appreciate it if we could take a look before to know if there is
anything missing on the new DC, I don't remember installing kerberos on
the new one which is now primary. I don't know if it's necessary either.
Looks like the smb.conf does not have all the services who are in the
original?
Neither the idmap_ldb:use rfc2307 = yes

Original DC smb.conf

    [global]
        workgroup = OURDOMAIN
        realm = OURDOMAIN.ORG
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = **********
        allow dns updates = nonsecure and secure
        #server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        #winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        #winbind nested groups = yes
        log level = 3
        log file = /var/log/samba/samba.log

New DC smb.conf

    [global]
        netbios name = DC2
        realm = OURDOMAIN.ORG
        server role = active directory domain controller
        dns forwarder = *********
        workgroup = OURDOMAIN
        allow dns updates = nonsecure and secure
        ldap server require strong auth = no

On Thu, 1 Dec 2022 at 10:08, Juan Ignacio (<juan.ignacio.pazos at gmail.com>) wrote:

> Thx for all the info Rowland;
> I tried to read everything carefully..
> I managed to make an offline domain backup in the new ad-dc without
> apparently major complications.
>
> But not being able to do the online backup, I got an exception and isn't
> on the wiki.
>
> root at DC2:/domain/samba/domainBackups# samba-tool domain backup online --targetdir=/domain/samba/domainBackups --server=DC2 -UAdministrator
> ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py", line 261, in run
>     ctx = join_clone(logger=logger, creds=creds, lp=lp,
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 1552, in join_clone
>     ctx = DCCloneContext(logger, server, creds, lp, targetdir=targetdir,
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 1576, in __init__
>     super(DCCloneContext, ctx).__init__(logger, server, creds, lp,
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 101, in __init__
>     ctx.site = ctx.find_dc_site(ctx.server)
>   File "/usr/lib/python3/dist-packages/samba/join.py", line 363, in find_dc_site
>     cldap_ret = ctx.net.finddc(address=server,
>
> On Thu, 1 Dec 2022 at 7:15, Rowland Penny via samba (<samba at lists.samba.org>) wrote:
>
>> On 01/12/2022 02:11, Andrew Bartlett via samba wrote:
>> > On Wed, 2022-11-30 at 23:03 -0300, Juan Ignacio via samba wrote:
>> >> Already checked that on 4.1 and samba-tool doesn't have that options.
>> >> root at DC1:/usr/sbin# samba-tool domain backup online
>> >> Usage: samba-tool domain <subcommand>
>> >
>> > Correct. For such an old version just shut Samba down and back up the
>> > files 'normally'. Restoration will be a challenge, the only option
>> > will be to force destroy any other DCs and then start back from the backed
>> > up files.
>> >
>> > Andrew Bartlett
>>
>> Wrong, the OP now has a much later Samba DC and that will have the 'new'
>> backup tools.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Dec-01 18:12 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 01/12/2022 17:28, Juan Ignacio wrote:
> Another thing I wonder about demoting the Original DC.
> The smb.conf files look different on the original DC than the new one.
> I would appreciate it if we could take a look before to know if there is
> anything missing on the new DC,

Doesn't look like it.

> I don't remember installing kerberos on
> the new one which is now primary.

Will you please STOP referring to 'primary', there is no such thing as a
primary DC, there are just AD DC's

> I don't know if it's necessary either.
> Looks like the smb.conf does not have all the services who are in the
> original?

Your problem is that you waited too long between updates, 16 (if you are
using the latest version of Samba) is a bit much, you should upgrade on
a more regular basis.

If you run this command on the new DC:

    testparm -vs 2>/dev/null | grep 'server services'

You should get this:

    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

The lack of the 'server services' line is the same as setting them all,
this is because they are the defaults on a DC.

> Neither the idmap_ldb:use rfc2307 = yes

You have to explicitly add that line yourself, but it is only needed if
you are using the 'ad' idmap backend on your Unix domain members and
wish to have the same Unix ID's everywhere.

Rowland
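
Added example, not part of either message and not Samba tooling: a small Python comparison of the explicitly set [global] parameters in the two smb.conf files from this thread, plus a check of the old 'server services' list against the effective value quoted in the reply. The function names are hypothetical, and the embedded configs are excerpts of what was posted.

```python
import configparser

# Excerpts of the two [global] sections posted in the thread.
OLD_DC = """[global]
workgroup = OURDOMAIN
netbios name = DC1
allow dns updates = nonsecure and secure
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate, dns
idmap_ldb:use rfc2307 = yes
#winbind use default domain = yes
winbind enum users = yes
log level = 3
"""
NEW_DC = """[global]
netbios name = DC2
workgroup = OURDOMAIN
allow dns updates = nonsecure and secure
ldap server require strong auth = no
"""
# Effective value quoted in the reply as the testparm output on the new DC.
NEW_EFFECTIVE_SERVICES = ("s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, "
                          "winbindd, ntp_signd, kcc, dnsupdate, dns")

def explicit_globals(text):
    """Return {normalised name: value} for parameters set explicitly in [global]."""
    # '=' is the only delimiter: the default ':' would split 'idmap_ldb:use rfc2307'.
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    # Samba ignores case and whitespace in parameter names.
    cp.optionxform = lambda name: "".join(name.lower().split())
    cp.read_string(text)
    return dict(cp["global"])

def compare(old_text, new_text):
    old, new = explicit_globals(old_text), explicit_globals(new_text)
    return {
        "only_old": sorted(old.keys() - new.keys()),
        "only_new": sorted(new.keys() - old.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def service_set(value):
    return {item.strip() for item in value.split(",")}

if __name__ == "__main__":
    print(compare(OLD_DC, NEW_DC))
    old_services = service_set(explicit_globals(OLD_DC)["serverservices"])
    print(sorted(old_services ^ service_set(NEW_EFFECTIVE_SERVICES)))
```

A parameter listed under "only_old" is not necessarily missing on the new DC; as the reply says, it may simply be running at its default, which `testparm -vs` shows.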