Rowland Penny
2022-Dec-01 18:12 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
On 01/12/2022 17:28, Juan Ignacio wrote:
> Another thing I wonder about demoting the Original DC.
> The smb.conf files look different on the original DC than the new one.
> I would appreciate it if we could take a look before to know if there is
> anything missing on the new DC,

Doesn't look like it.

> I don't remember installing kerberos on
> the new one which is now primary.

Will you please STOP referring to 'primary', there is no such thing as a primary DC, there are just AD DC's

> I don't know if it's necessary either.
> Looks like the smb.conf does not have all the services who are in the
> original?

Your problem is that you waited too long between updates, 16 (if you are using the latest version of Samba) is a bit much, you should upgrade on a more regular basis.

If you run this command on the new DC:

    testparm -vs 2>/dev/null | grep 'server services'

You should get this:

    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

The lack of the 'server services' line is the same as setting them all, this is because they are the defaults on a DC.

> Neither the idmap_ldb:use rfc2307 = yes

You have to explicitly add that line yourself, but it is only needed if you are using the 'ad' idmap backend on your Unix domain members and wish to have the same Unix ID's everywhere.

Rowland
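Added example, not part of the original message or of Samba: a shell check that compares the effective 'server services' value reported by testparm -vs with the DC defaults listed in the message above and names any default service that is absent. The function names and the sample testparm output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report DC default services missing from the effective
# 'server services' value shown by `testparm -vs`.

# Default 'server services' on an AD DC, as listed in the message above.
DC_DEFAULT_SERVICES="s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"

# Reads `testparm -vs` output on stdin (the -v matters: without it a
# default-valued 'server services' line is not printed at all) and prints
# each default service that is not in the effective list, one per line.
# Hypothetical helper name.
missing_dc_services() {
    effective=$(sed -n 's/^[[:space:]]*server services[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr ',' ' ')
    for svc in $DC_DEFAULT_SERVICES; do
        found=no
        for have in $effective; do
            if [ "$svc" = "$have" ]; then
                found=yes
            fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$svc"
        fi
    done
}

# Constructed sample: a DC whose smb.conf overrides the list and omits 'dns'.
sample_testparm_output() {
    cat <<'EOF'
[global]
	netbios name = DC2
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
EOF
}

# Demo on the constructed sample; on a real DC use instead:
#   testparm -vs 2>/dev/null | missing_dc_services
sample_testparm_output | missing_dc_services
```

An empty result means every default service is enabled; any name printed is a service the DC has been configured not to run.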
Juan Ignacio
2022-Dec-01 18:30 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
OK, I understand. I'm going to remove that "primary" word from my dictionary, sorry for that. I used that word because I don't know how to refer to the AD-DC who owns the FSMO roles.

> Your problem is that you waited too long between updates, 16 (if you are
> using the latest version of Samba) is a bit much, you should upgrade on
> a more regular basis.

I know that is what I wanna do after demoting the older one. I was reading other threads and some people are complaining about updates to 4.17. I prefer to finish what I'm doing with the 4.16 now and then start updating more often. Since the DCs are in production and the old one with 4.1 is not on a VM I must update with extreme caution, the clients cannot lose the ability to log in. I'm thinking of making another ad-dc with samba 4.17 and join it to the domain for even more security so I can have 3 (4.1 older one, 4.16 DC2 and 4.17 DC3)

> The lack of the 'server services' line is the same as setting them all,
> this is because they are the defaults on a DC.

Thx for that info.

Do you know why I cannot use the online backup of samba-tool on the new server?

    root@DC2:/domain/samba/domainBackups# samba-tool domain backup online --targetdir=/domain/samba/domainBackups --server=DC2 -UAdministrator
    ERROR(runtime): uncaught exception - (3221225653, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
      File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/samba/netcmd/domain_backup.py", line 261, in run
        ctx = join_clone(logger=logger, creds=creds, lp=lp,
      File "/usr/lib/python3/dist-packages/samba/join.py", line 1552, in join_clone
        ctx = DCCloneContext(logger, server, creds, lp, targetdir=targetdir,
      File "/usr/lib/python3/dist-packages/samba/join.py", line 1576, in __init__
        super(DCCloneContext, ctx).__init__(logger, server, creds, lp,
      File "/usr/lib/python3/dist-packages/samba/join.py", line 101, in __init__
        ctx.site = ctx.find_dc_site(ctx.server)
      File "/usr/lib/python3/dist-packages/samba/join.py", line 363, in find_dc_site
        cldap_ret = ctx.net.finddc(address=server,

Thx for your patience :-)