Juan Ignacio
2022-Nov-21 16:03 UTC
[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).
Seems it looks good. After provision...

> root@dc2:/home/jpazos# samba-tool domain join mydomain.org DC -U mydomain/Administrator
> INFO 2022-11-21 12:47:57,024 pid:547 /usr/lib/python3/dist-packages/samba/join.py #105: Finding a writeable DC for domain 'mydomain.org'
> INFO 2022-11-21 12:47:57,035 pid:547 /usr/lib/python3/dist-packages/samba/join.py #107: Found DC dc1.mydomain.org
> Password for [mydomain\Administrator]:
> INFO 2022-11-21 12:48:03,052 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1527: workgroup is mydomain
> INFO 2022-11-21 12:48:03,053 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1530: realm is mydomain.org
> Adding CN=dc2,OU=Domain Controllers,DC=mydomain,DC=org
> Adding CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=org
> Adding CN=NTDS Settings,CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=org
> Adding SPNs to CN=dc2,OU=Domain Controllers,DC=mydomain,DC=org
> Setting account password for dc2$
> Enabling account
> Calling bare provision
> INFO 2022-11-21 12:48:14,865 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
> INFO 2022-11-21 12:48:14,866 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
> WARNING 2022-11-21 12:48:14,867 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2130: More than one IPv6 address found. Using fd04:4fce:8c37:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:48:15,065 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2274: Setting up share.ldb
> INFO 2022-11-21 12:48:15,100 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
> INFO 2022-11-21 12:48:15,128 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2283: Setting up the registry
> INFO 2022-11-21 12:48:15,227 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2286: Setting up the privileges database
> INFO 2022-11-21 12:48:15,280 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2289: Setting up idmap db
> INFO 2022-11-21 12:48:15,316 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2296: Setting up SAM db
> INFO 2022-11-21 12:48:15,326 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
> INFO 2022-11-21 12:48:15,327 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
> INFO 2022-11-21 12:48:15,335 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> INFO 2022-11-21 12:48:15,373 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> INFO 2022-11-21 12:48:15,373 pid:547 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Provision OK for domain DN DC=mydomain,DC=org
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mydomain,DC=org] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[402/1615] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[804/1615] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[1206/1615] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[1608/1615] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=org] objects[1615/1615] linked_values[30/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mydomain,DC=org] objects[98/98] linked_values[39/0]
> Partition[DC=mydomain,DC=org] objects[402/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[804/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[1206/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[1608/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[2010/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[2412/2697] linked_values[0/0]
> Partition[DC=mydomain,DC=org] objects[2694/2697] linked_values[1062/0]
> ../../lib/ldb/ldb_key_value/ldb_kv_index.c:2955: duplicate attribute value in CN=K10,OU=Sala Informatica K,OU=Salas Informatica,OU=Equipos mydomain,DC=mydomain,DC=org for index on servicePrincipalName, duplicate of objectGUID 7008131e-6e91-4c8c-9a9e-2c9de8727dc6 in @INDEX:SERVICEPRINCIPALNAME:TERMSRV/K10.mydomain.org
> Failed to commit objects: DOS code 0x000021bf
> Missing target object - retrying with DRS_GET_TGT
> Partition[DC=mydomain,DC=org] objects[3096/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[3498/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[3900/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[4302/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[4704/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[5106/2697] linked_values[1062/0]
> Partition[DC=mydomain,DC=org] objects[5388/2697] linked_values[2124/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mydomain,DC=org
> Partition[DC=DomainDnsZones,DC=mydomain,DC=org] objects[402/84606] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=mydomain,DC=org] objects[804/84606] linked_values[0/0]
> ......
> Replicating DC=ForestDnsZones,DC=mydomain,DC=org
> Partition[DC=ForestDnsZones,DC=mydomain,DC=org] objects[18/18] linked_values[0/0]
> Exop on[CN=RID Manager$,CN=System,DC=mydomain,DC=org] objects[3] linked_values[0]
> Committing SAM database
> Repacking database from v1 to v2 format (first record CN=Employee-ID,CN=Schema,CN=Configuration,DC=mydomain,DC=org)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record CN=volume-Display,CN=411,CN=DisplaySpecifiers,CN=Configuration,DC=mydomain,DC=org)
> Repacking database from v1 to v2 format (first record DC=K4\0ADEL:8556e2db-ca93-4b49-a5b4-c391a74fb67d,CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=org)
> Repack: re-packed 10000 records so far......
>
> Repacking database from v1 to v2 format (first record CN=LostAndFound,DC=ForestDnsZones,DC=mydomain,DC=org)
> Repacking database from v1 to v2 format (first record CN=*****o,OU=********,OU=******,OU=******* mydomain,DC=mydomain,DC=org)
> Repack: re-packed 10000 records so far
> Repack: re-packed 20000 records so far
> INFO 2022-11-21 12:52:32,052 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1100: Adding 4 remote DNS records for dc2.mydomain.org
> INFO 2022-11-21 12:52:32,120 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1159: Adding DNS AAAA record dc2.mydomain.org for IPv6 IP: fd04:4fce:8c37:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:52:34,829 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1159: Adding DNS AAAA record dc2.mydomain.org for IPv6 IP: fd28:921f:3a07:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:52:36,655 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1159: Adding DNS AAAA record dc2.mydomain.org for IPv6 IP: fdb4:6605:c6ee:0:2036:fcff:fe31:d932
> INFO 2022-11-21 12:52:38,130 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1163: Adding DNS A record dc2.mydomain.org for IPv4 IP: 10.20.1.3
> INFO 2022-11-21 12:52:40,397 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1191: Adding DNS CNAME record 000c85cc-7018-463c-a072-5d5bb53c8ac5._msdcs.mydomain.org for dc2.mydomain.org
> INFO 2022-11-21 12:52:42,385 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1216: All other DNS records (like _ldap SRV records) will be created samba_dnsupdate on first startup
> INFO 2022-11-21 12:52:42,386 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1222: Replicating new DNS records in DC=DomainDnsZones,DC=mydomain,DC=org
> Partition[DC=DomainDnsZones,DC=mydomain,DC=org] objects[10/10] linked_values[0/0]
> INFO 2022-11-21 12:52:44,851 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1222: Replicating new DNS records in DC=ForestDnsZones,DC=mydomain,DC=org
> Partition[DC=ForestDnsZones,DC=mydomain,DC=org] objects[2/2] linked_values[0/0]
> INFO 2022-11-21 12:52:44,881 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1237: Sending DsReplicaUpdateRefs for all the replicated partitions
> INFO 2022-11-21 12:52:46,748 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1267: Setting isSynchronized and dsServiceName
> INFO 2022-11-21 12:52:46,763 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1282: Setting up secrets database
> INFO 2022-11-21 12:52:46,821 pid:547 /usr/lib/python3/dist-packages/samba/join.py #1544: Joined domain mydomain (SID S-1-5-21-4052400635-4289026898-4090354900) as a DC

Ok guys, seems like the provision worked. What do I need to do next? I checked the samba-ad-dc process and these are the results:

root@kronos:/home/jpazos# systemctl status samba-ad-dc.service

> ● samba-ad-dc.service - Samba AD Daemon
>      Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; disabled; vendor preset: enabled)
>      Active: active (running) since Mon 2022-11-21 13:00:37 -03; 1s ago
>        Docs: man:samba(8)
>              man:samba(7)
>              man:smb.conf(5)
>    Main PID: 563 (samba)
>      Status: "samba: ready to serve connections..."
>       Tasks: 53 (limit: 4858)
>      Memory: 206.8M
>         CPU: 1.951s
>      CGroup: /system.slice/samba-ad-dc.service
>              ├─563 samba: root process
>              ├─564 samba: tfork waiter process(565)
>              ├─565 samba: task[s3fs] pre-fork master
>              ├─566 samba: tfork waiter process(567)
>              ├─567 samba: task[rpc] pre-fork master
>              ├─568 samba: tfork waiter process(570)
>              ├─569 samba: tfork waiter process(572)
>              ├─570 samba: task[nbt] pre-fork master
>              ├─571 samba: tfork waiter process(573)
>              ├─572 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>              ├─573 samba: task[wrepl] pre-fork master
>              ├─574 samba: tfork waiter process(575)
>              ├─575 samba: task[ldap] pre-fork master
>              ├─576 samba: tfork waiter process(578)
>              ├─577 samba: tfork waiter process(580)
>              ├─578 samba: task[cldap] pre-fork master
>              ├─579 samba: tfork waiter process(581)
>              ├─580 samba: task[rpc] pre-forked worker(0)
>              ├─581 samba: task[kdc] pre-fork master
>              ├─582 samba: tfork waiter process(584)
>              ├─583 samba: tfork waiter process(586)
>              ├─584 samba: task[drepl] pre-fork master
>              ├─585 samba: tfork waiter process(587)
>              ├─586 samba: task[rpc] pre-forked worker(1)
>              ├─587 samba: task[winbindd] pre-fork master
>              ├─588 samba: tfork waiter process(592)
>              ├─589 samba: tfork waiter process(596)
>              ├─590 samba: tfork waiter process(591)
>              ├─591 samba: task[rpc] pre-forked worker(2)
>              ├─592 samba: task[ntp_signd] pre-fork master
>              ├─593 samba: tfork waiter process(598)
>              ├─594 samba: tfork waiter process(601)
>              ├─595 samba: tfork waiter process(600)
>              ├─596 samba: task[kdc] pre-forked worker(0)
>              ├─597 samba: tfork waiter process(604)
>              ├─598 samba: task[kcc] pre-fork master
>              ├─599 samba: tfork waiter process(602)
>              ├─600 samba: task[rpc] pre-forked worker(3)
>              ├─601 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>              ├─602 samba: task[dnsupdate] pre-fork master
>              ├─603 samba: tfork waiter process(606)
>              ├─604 samba: task[kdc] pre-forked worker(1)
>              ├─605 samba: tfork waiter process(607)
>              ├─606 samba: task[dns] pre-fork master
>              ├─607 samba: task[kdc] pre-forked worker(2)
>              ├─608 samba: tfork waiter process(609)
>              ├─609 samba: task[kdc] pre-forked worker(3)
>              ├─610 samba: tfork waiter process(611)
>              ├─611 /usr/bin/python3 /usr/sbin/samba_dnsupdate
>              ├─617 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>              ├─618 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>              ├─619 winbindd: domain child [MYDOMAIN]
>              └─620 winbindd: idmap child
>
> nov 21 13:00:37 kronos samba[575]: Attempting to autogenerate TLS self-signed keys for https for hostname 'DC2.kennedy.edu'
> nov 21 13:00:37 kronos systemd[1]: Started Samba AD Daemon.
> nov 21 13:00:37 kronos smbd[572]: [2022/11/21 13:00:37.340701,  0] ../../source3/smbd/server.c:1741(main)
> nov 21 13:00:37 kronos smbd[572]:   smbd version 4.16.6-Debian started.
> nov 21 13:00:37 kronos smbd[572]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
> nov 21 13:00:37 kronos winbindd[601]: [2022/11/21 13:00:37.415798,  0] ../../source3/winbindd/winbindd.c:1723(main)
> nov 21 13:00:37 kronos winbindd[601]:   winbindd version 4.16.6-Debian started.
> nov 21 13:00:37 kronos winbindd[601]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
> nov 21 13:00:38 kronos winbindd[601]: [2022/11/21 13:00:38.050798,  0] ../../source3/winbindd/winbindd_cache.c:3085(initialize_winbindd_cache)
> nov 21 13:00:38 kronos winbindd[601]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2

Waiting for your reply. Thanks.

On Mon, 21 Nov 2022 at 12:28, Juan Ignacio (<juan.ignacio.pazos at gmail.com>) wrote:

> Let me know if I can proceed.
>
> Or if I need to check any services or something else running on the New Server before.
>
> Thx.
>
> On Mon, 21 Nov 2022, 11:16, Juan Ignacio <juan.ignacio.pazos at gmail.com> wrote:
>
>> Ok, it is almost ready, I think... Sharing the new server setup files and checking if everything looks good to join the domain.
>>
>> NewServer Setup Configs
>>>
>>> "/etc/network/interfaces"
>>>
>>> # The primary network interface
>>> allow-hotplug ens18
>>> iface ens18 inet static
>>>     address 10.20.1.3
>>>     netmask 255.255.0.0
>>>     gateway 10.20.0.90
>>>     dns-nameservers 10.20.1.6 200.40.220.245
>>>
>>> Added as nameserver oldServerIPaddress
>>>
>>> ------------------------------------------------------
>>>
>>> "/etc/resolv.conf"
>>>
>>> nameserver 10.20.1.6 ----------> Old Server DC IP
>>> nameserver 200.40.220.245
>>> nameserver 200.40.30.245
>>> search ourdomain.org -----------> Domain
>>>
>>> -------------------------------------------------------
>>>
>>> "/etc/hostname"
>>> dc2 -------> new dc hostname
>>>
>>> --------------------------------------------------------
>>>
>>> "/etc/hosts"
>>> 127.0.0.1 localhost
>>> 127.0.1.1 dc2.ourdomain.org dc2 -----> NewDC
>>> 10.20.1.6 dc1.ourdomain.org dc1 -----> Production DC
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1 localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> -----------------------------------------------------------
>>>
>>
>> If everything looks good I'm ready to join the domain.
>>
>>
>>
>> On Mon, 21 Nov 2022 at 9:11, Rowland Penny via samba (<samba at lists.samba.org>) wrote:
>>
>>>
>>>
>>> On 21/11/2022 11:38, Juan Ignacio wrote:
>>> > I have read both emails carefully and I have some doubts. If I remember
>>> > correctly, changing the ip of an ad-dc samba caused problems for clients
>>> > to connect.
>>>
>>> It shouldn't, if it does, your dns is not setup correctly.
>>>
>>> > Can the new server that will replace the old one have a different IP
>>> > from the one in production?
>>>
>>> Yes
>>>
>>> > I need to join the new one to the old one
>>> > that is in production to be able to do an upgrade?,
>>>
>>> Yes
>>>
>>> > did I understand
>>> > correctly? How we transform the new one on a samba-ad-dc if it joins as
>>> > a DC.
>>>
>>> Not sure I understand that, a 'samba-ad-dc' is a DC, or are you referring to the systemd service that starts a Samba AD DC ?
>>>
>>> > If this is correct, which ip and hostname is recommended to be
>>> > placed on this new server, any different from the old server?
>>>
>>> It doesn't matter what IP and short hostname you use on your new DC, just so long as the IP is in the same subnet e.g., if your existing DC has the ipaddress 192.168.1.2, you could use 192.168.1.3 for your new DC.
>>>
>>> >
>>> > "About the resolv.conf file...
>>> > Ensure that the /etc/resolv.conf has only these lines
>>> > search your.dns.domain
>>> > nameserver YOUR.EXISTING.DC.IPADDRESS" (The new one or the old one?)
>>>
>>> Both, the existing DC should be like that now and your proposed new DC should be the same to ensure that it can find the existing DC to join the domain as a DC. Once the join has occurred, you need to change the new DC's /etc/resolv.conf to use its own ipaddress as its nameserver before you start Samba.
>>>
>>> > "etc/hosts has 127.0.0.1 pointing to localhost and there is a line like
>>> > this (replace with your information):
>>> > the.computers.ipaddress the_computers_fqdn the_computers_short_hostname"
>>> > (old server or different information)
>>>
>>> Let's say that your existing DC uses the ipaddress '192.168.1.2', the short hostname 'dc1' and the dns domain 'samdom.example.com'
>>>
>>> This would mean (ignoring the IPv6 lines, you can leave them as is), your existing DC should have these lines:
>>>
>>> 127.0.0.1 localhost
>>> 192.168.1.2 dc1.samdom.example.com dc1
>>>
>>> Your new DC 'dc2' with ipaddress '192.168.1.3', would be:
>>>
>>> 127.0.0.1 localhost
>>> 192.168.1.3 dc2.samdom.example.com dc2
>>>
>>>
>>> >
>>> > "/etc/hostname should only contain the computers short hostname". (I only
>>> > have the computer short name of the server itself, I think that is correct.)
>>> >
>>> > When you say computers, that confuses me a bit because I think that more
>>> > than one is plural. Excuse so many doubts, but between the language and
>>> > having done it so long ago I'm a little rusty.
>>>
>>> You can have more than one AD DC in an AD domain, in fact, multiple DCs are better, they all hold the same data, apart from the FSMO roles and they can be on any DC.
>>>
>>> Rowland
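The rules Rowland states for the new DC's /etc/hostname, /etc/hosts and /etc/resolv.conf (short hostname only; the real IP mapped to "fqdn short", not the Debian 127.0.1.1 default; resolv.conf with a single search line and a single nameserver, the existing DC before the join and the new DC's own address afterwards) can be checked mechanically before and after `samba-tool domain join`. The script below is an added example written for this page, not code from the Samba project or from anyone in the thread. The file contents it checks are constructed to match the configuration Juan posted (dc2, 10.20.1.3, existing DC 10.20.1.6, dns domain ourdomain.org); the function names and the "pre-join"/"post-join" phase labels are the example's own.

```python
"""Check a prospective Samba AD DC's name-resolution files against the rules
given in the thread. Added example; not Samba project code."""
import ipaddress
from typing import Dict, List


def _parse_hosts(hosts_txt: str) -> Dict[str, List[str]]:
    """Map each address in an /etc/hosts body to the names listed for it."""
    entries: Dict[str, List[str]] = {}
    for raw in hosts_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            fields = line.split()
            entries.setdefault(fields[0], []).extend(fields[1:])
    return entries


def check_hostname(hostname_txt: str) -> List[str]:
    """/etc/hostname must hold exactly one line: the short hostname, no domain."""
    lines = [l.strip() for l in hostname_txt.splitlines() if l.strip()]
    if len(lines) != 1:
        return ["/etc/hostname must contain exactly one non-empty line"]
    if "." in lines[0]:
        return [f"/etc/hostname holds the FQDN '{lines[0]}'; use only the short hostname"]
    return []


def check_hosts(hosts_txt: str, ip: str, fqdn: str, short: str) -> List[str]:
    """127.0.0.1 -> localhost and the DC's real IP -> 'fqdn short'. A DC whose
    own name resolves to 127.0.1.1 registers and advertises the wrong address."""
    problems: List[str] = []
    entries = _parse_hosts(hosts_txt)
    if "localhost" not in entries.get("127.0.0.1", []):
        problems.append("/etc/hosts must map 127.0.0.1 to localhost")
    if {fqdn, short} & set(entries.get("127.0.1.1", [])):
        problems.append(f"/etc/hosts maps {fqdn} to 127.0.1.1; map it to {ip} instead")
    if entries.get(ip, [])[:2] != [fqdn, short]:
        problems.append(f"/etc/hosts needs the line '{ip} {fqdn} {short}'")
    return problems


def check_resolv(resolv_txt: str, dns_domain: str, expected_ns: str) -> List[str]:
    """Only 'search <dns domain>' plus one 'nameserver <DC>' line are allowed;
    extra external resolvers can answer AD lookups with NXDOMAIN and break the join."""
    problems: List[str] = []
    nameservers: List[str] = []
    searches: List[str] = []
    other: List[str] = []
    for raw in resolv_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "nameserver":
            nameservers.append(value)
        elif key == "search":
            searches.append(value)
        else:
            other.append(line)
    if searches != [dns_domain]:
        problems.append(f"/etc/resolv.conf must have exactly one 'search {dns_domain}' line")
    if nameservers != [expected_ns]:
        problems.append(f"/etc/resolv.conf must list only 'nameserver {expected_ns}', found {nameservers}")
    problems.extend(f"/etc/resolv.conf has an unexpected line: {line!r}" for line in other)
    return problems


def check_dc_host(phase: str, hostname_txt: str, hosts_txt: str, resolv_txt: str,
                  own_ip: str, existing_dc_ip: str, dns_domain: str) -> List[str]:
    """Run every check for one phase and return the list of findings.
    'pre-join':  resolv.conf must point at the existing DC so the join can find it.
    'post-join': resolv.conf must point at the new DC itself before Samba is started."""
    if phase not in ("pre-join", "post-join"):
        raise ValueError("phase must be 'pre-join' or 'post-join'")
    ipaddress.ip_address(own_ip)  # reject mistyped addresses before comparing strings
    ipaddress.ip_address(existing_dc_ip)
    short = hostname_txt.strip()
    fqdn = f"{short}.{dns_domain}"
    expected_ns = existing_dc_ip if phase == "pre-join" else own_ip
    return (check_hostname(hostname_txt)
            + check_hosts(hosts_txt, own_ip, fqdn, short)
            + check_resolv(resolv_txt, dns_domain, expected_ns))


# Constructed sample files modelled on the new-DC configuration posted in the thread.
POSTED_HOSTNAME = "dc2\n"
POSTED_HOSTS = ("127.0.0.1 localhost\n127.0.1.1 dc2.ourdomain.org dc2\n"
                "10.20.1.6 dc1.ourdomain.org dc1\n::1 localhost ip6-localhost ip6-loopback\n"
                "ff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n")
POSTED_RESOLV = ("nameserver 10.20.1.6\nnameserver 200.40.220.245\n"
                 "nameserver 200.40.30.245\nsearch ourdomain.org\n")
# Constructed corrected versions following the template given in the thread.
FIXED_HOSTS = "127.0.0.1 localhost\n10.20.1.3 dc2.ourdomain.org dc2\n::1 localhost ip6-localhost ip6-loopback\n"
PRE_JOIN_RESOLV = "search ourdomain.org\nnameserver 10.20.1.6\n"
POST_JOIN_RESOLV = "search ourdomain.org\nnameserver 10.20.1.3\n"

if __name__ == "__main__":
    for label, phase, hosts, resolv in [("as posted", "pre-join", POSTED_HOSTS, POSTED_RESOLV),
                                        ("fixed", "pre-join", FIXED_HOSTS, PRE_JOIN_RESOLV),
                                        ("fixed, joined", "post-join", FIXED_HOSTS, POST_JOIN_RESOLV)]:
        findings = check_dc_host(phase, POSTED_HOSTNAME, hosts, resolv, "10.20.1.3", "10.20.1.6", "ourdomain.org")
        print(f"{label} ({phase}): {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against the posted files the pre-join check reports three findings: dc2's name is bound to 127.0.1.1, the `10.20.1.3 dc2.ourdomain.org dc2` line is missing, and resolv.conf lists two external nameservers besides the existing DC. The same fixed files pass the pre-join check, and then fail the post-join check until the nameserver is switched to the new DC's own address, which is exactly the order of operations Rowland describes.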