On Sat Jan 28 02:37:16 2023 Rowland Penny via samba <samba at
lists.samba.org> wrote:
> On 28/01/2023 06:44, Mark Foley via samba wrote:
> > I wrote earlier about setting the domain user password minimum to > 14
> > characters. It was advised that my first step should be to upgrade from Samba
> > 4.8.2 to the most recent version available, which for my Slackware 15.0 distro is
> > 4.15.5. This also involved a distro upgrade from Slackware 14.2 to 15.0.
> >
> > After upgrading, just for the heck of it, I tried starting Samba without
> > changing my 4.8.2 configs. Of course, that didn't work. My initial error (of
> > several) in syslog was:
> >
> > Jan 28 00:42:52 mail krb5kdc[2725]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory - while initializing database for realm MYDOM.LOCAL
>
> That looks like you also installed a MIT kerberos server as well, a
> Samba domain usually uses the Heimdal kerberos server it comes with.
This DC was originally installed back in 2014 and perhaps that was what was
available then. I certainly didn't have the expertise to choose. Of course, that
message (above) is from trying to run the new Samba 4.15.5, not the old one.
I have routinely upgraded the OS including Samba since.
> > At that point I decided to read the Wiki:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
> >
> > Under "Only Applicable if Samba was Previously Installed", it is telling me to
> > delete all my carefully crafted config files and looks like it's going to lead
> > me through the steps of re-provisioning.
> >
> > Before taking that step I thought I'd ask if I really need to do that? Can I not
> > just install krb5, etc. and get there step-wise without redoing, especially, my
> > /var/lib/samba/private/ named.conf and dns/ files, and re-provisioning?
>
> That wiki page is indeed for setting up a new domain, to join another
> DC, you need this page:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> But before you do anything, I would check if you are running a separate
> kdc and if you are, stop and remove it.
I'm certainly running some Kerberos. My original provisioning gave the message,
"A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf"
My notes also say, "This Samba4 utilizes the Heimdal implementation of
Kerberos", so is it possible I am (or rather 'was') running Heimdal? I also have
zone files showing "krb5 servers". And I do have a /var/lib/samba/private/krb5.conf.
> I do hope you are doing this on a different machine to your existing DC.
>
> Rowland
Well, no -- same machine :) I did a complete backup so I can quickly put the old
DC back. This office doesn't have the resources to stage a new server, but I'm
doing this over the weekend so not really interfering with important production.
I'm beginning to think I need to actually reprovision. Aside from the
Kerberos question, I initially provisioned with --dns-backend=BIND9_FLATFILE,
which I believe is now deprecated. The FLATFILE was easy as I only needed minor
tweaks to a non-DC bind configuration. Probably I can't just install and
configure bits and pieces (like Kerberos) and get this running using mostly
4.8.2 configs, right?
Here's my original provision command:

/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
    --server-role='dc' --realm=hprs.local --domain=HPRS \
    --adminpass='password' --dns-backend=BIND9_FLATFILE \
    --option="interfaces=lo eth1" --option="bind interfaces only=yes"
Do you agree, or are there a few things I can do to make things work with
4.15.5?
Thanks --Mark
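Rowland's first instruction in the thread, checking whether a separate KDC is running before touching the DC, can be scripted. The script below is an added example for this thread; it is not code from the original post or from the Samba project. It reads a `ps -eo pid,comm` listing and the krb5.conf that Samba generated (the path quoted above) and reports whether an MIT krb5kdc process is present beside the `samba` processes, which realm krb5.conf names, and whether that realm matches the one given to `samba-tool domain provision`. The `RUN_LIVE=1` switch is my own addition so that the same functions can also be run against captured input.

```shell
#!/bin/sh
# Pre-upgrade sanity check for a Samba AD DC. Added example for this thread; not
# code from the original post or from the Samba project. It automates the two
# questions raised above: is a separate MIT krb5kdc running beside the KDC that
# Samba starts itself, and does the krb5.conf Samba generated still name the
# expected realm. `ps -eo pid,comm` is POSIX; the krb5.conf path is the one
# quoted in the thread.

SAMBA_KRB5_CONF=/var/lib/samba/private/krb5.conf

# kdc_status: read a process list ("pid comm" per line, as printed by
# `ps -eo pid,comm`) on stdin and print one verdict:
#   mit-conflict  an MIT krb5kdc process is present and would compete for port 88
#   samba-kdc     only samba is running; its built-in KDC serves the realm
#   none          neither is running
kdc_status() {
    awk '
        $2 == "krb5kdc" { mit = 1 }
        $2 == "samba"   { samba = 1 }
        END {
            if (mit)        print "mit-conflict"
            else if (samba) print "samba-kdc"
            else            print "none"
        }'
}

# krb5_default_realm: print the default_realm from krb5.conf text on stdin,
# skipping comment lines and trimming whitespace. Prints nothing if unset.
krb5_default_realm() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*default_realm[[:space:]]*=/ {
            v = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", v)
            sub(/[[:space:]]+$/, "", v)
            print v
            exit
        }'
}

# realm_matches: compare the realm found in krb5.conf (arg 1) with the realm
# passed to the provision command (arg 2). Both are upper-cased first, because
# the provision command above gave the realm in lower case while Kerberos
# writes realm names in upper case. Prints "match" or "mismatch".
realm_matches() {
    a=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# Live run against this host, only when RUN_LIVE=1 is set (assumed switch, so the
# functions above can also be exercised on captured input).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "KDC status:      $(ps -eo pid,comm | kdc_status)"
    if [ -r "$SAMBA_KRB5_CONF" ]; then
        realm=$(krb5_default_realm < "$SAMBA_KRB5_CONF")
        echo "krb5.conf realm: ${realm:-(unset)}"
        echo "matches hprs.local: $(realm_matches "$realm" hprs.local)"
    else
        echo "krb5.conf realm: ($SAMBA_KRB5_CONF not readable)"
    fi
fi
```

Run it as `RUN_LIVE=1 sh dc-precheck.sh` on the DC. A `mit-conflict` verdict corresponds to the situation Rowland describes: the `krb5kdc[2725]` syslog entry quoted above comes from the MIT daemon looking for its own DB2 database, which a Samba AD DC does not use.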