samba - Apr 2023 - Samba shares and samba server residing on different physical machines

Hi fellow Members!I'm Systems administrator at a school using SAMBA 4 as AD
DC.
As you know, WIN11 is at the doorstep and my "old" Samba4 Server (4.9)
doesn't serve Windows Servers (Server 2019) very well,
e.g. the latest issue is that the domain administrator cannot access the
GPO's or other informations from the Samba-LDAP (authentication failure ?).
I think that it has possibly to do with the version of kerberos SAMBA 4.9 uses.I
installed SAMBA 4.9 on debian using its package.Now I want to upgrade to SAMBA
4.latest manually to be able to use patch-files being always up-to-date.
I was told to install SAMBA 4.latest on a different machine, join the domain, do
the provisioning, and shut down the old
server.My question is if I can keep all the shares and the respective data (we
have around 1200 users, using about 370 GB) on the "old" machine,
running only the AD DC and the new kerberos version compatible to WIN11 on the
"new" machine.
In future, I'd like to transfer SAMBA 4.latest back to the original machine,
restoring the status quo.
Any comments on my plans are welcome.
Edgar

On 21/04/2023 15:11, E Kogler via samba wrote:
> Hi fellow Members!I'm Systems administrator at a school using SAMBA 4
as AD DC.
> As you know, WIN11 is at the doorstep and my "old" Samba4 Server
(4.9) doesn't serve Windows Servers (Server 2019) very well,
> e.g. the latest issue is that the domain administrator cannot access the
GPO's or other informations from the Samba-LDAP (authentication failure ?).
Probably the new 'date' feature (where it went from 2038 to sometime 
never), you need Samba >= 4.16.0 running as a DC.
> I think that it has possibly to do with the version of kerberos SAMBA 4.9
uses.I installed SAMBA 4.9 on debian using its package.Now I want to upgrade to
SAMBA 4.latest manually to be able to use patch-files being always up-to-date.
It sounds like you need to upgrade your version of Debian as well, if 
you use Debian 11 and Samba from backports, this will get you 4.17.7
> I was told to install SAMBA 4.latest on a different machine, join the
domain, do the provisioning,
No, you cannot join as a DC AND provision, the latter will get you an 
entirely new AD domain
> and shut down the old
> server.
Install the latest Debian 11 and use backports, install Samba, configure 
the machine to be a DC and then join it to your existing AD domain as a 
DC, transfer the FSMO roles from the existing DC to the new DC, demote 
the old DC and turn it off.
> My question is if I can keep all the shares and the respective data (we
have around 1200 users, using about 370 GB) on the "old" machine,
Anything in the AD database should be replicated to the new DC, but it 
also sounds like you have been using the existing DC as a fileserver, 
something that Samba (or Microsoft) does not recommend.

My advice, if this is the case, join another new DC (for failover, the 
more DC's the better), then reconfigure the old, original DC as a Unix 
domain member and use it as a fileserver.
> running only the AD DC and the new kerberos version compatible to WIN11 on
the "new" machine.
> In future, I'd like to transfer SAMBA 4.latest back to the original
machine, restoring the status quo.
 From the sound of it, the 'status quo' isn't really good enough.

We will probably need more info to advise further.

Rowland