Hai Stefan,

Yes, it's always better to ask the list, that way everybody can learn from it. ;-)

> Do you think I will have to rejoin it to the domain?
No, I don't think so.

Please note, I don't know anything about Gentoo except that they have a good wiki/info pages.
If this was Debian, then in this case, what I would extra do here, run :
samba -b and backup all folders of samba and anything samba related.
Export the installed packages list.

Now if you install a new Gentoo, import the packages list, and you need the same hostname and IP and the samba backup.
The files : hosts resolv.conf nsswitch.conf, this is also a bit depending on the use and setup, but review these.

! Install the new server, and only pull the packages from the server, don't install yet. !
On Debian that's apt-get install packages -d ( download only )

Place the backups on this server and now pull the network connection.
Install all needed packages, stop samba, put the backup back, start samba.

Reboot the server, "still network detached", review logs and clean up logs, powerdown.
Power off the old server, so nothing is changed there, change the network cable to the new server, and power up new server.
If the old server is only used for and with samba, above setups will give a clean installed server with an old samba upgraded.

If moving to a new isn't an option then make sure you do make a full system backup.
Clone the harddisk to another hdd, fastest with minimal chance on error when you restore.
And this is a fast way to backup, I just attach a big SATA disk and clone the disk.

The config below is really outdated yes. This is what I would start with.

[global]
netbios name = U1SECRETCUSTOMER
netbios aliases = samba
server string = U1SECRETCUSTOMER

security = ads
workgroup = SECRETCUSTOMER
realm = SECRETCUSTOMER.INTRA

domain master = no
local master = no
preferred master = no

interfaces = 192.168.100.4/24
bind interfaces only = Yes

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SECRETCUSTOMER : backend = rid
idmap config SECRETCUSTOMER : range = 10000-20000

# depending on the samba version. You might need these.
#idmap config SECRETCUSTOMER : unix_nss_info = yes
#idmap config SECRETCUSTOMER : unix_primary_group = yes

winbind use default domain = yes

winbind nss info = template
template homedir = /mnt/MSA2040/smb/Homes/%D/%U
template shell = /bin/false

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

unix extensions = no
follow symlinks= yes
wide links= yes
unix charset = iso8859-15
force unknown acl user = Yes

load printers = no
printcap name = /dev/null
disable spoolss = yes

# Audit settings
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = mkdir rmdir write pwrite rename unlink chmod fchmod chown fchown ftruncate
full_audit:facility = local5
full_audit:priority = notice

Greetz,

Louis

> -----Original message-----
> From: Stefan G. Weichinger [mailto:lists at xunil.at]
> Sent: Tuesday 29 May 2018 18:32
> To: L.P.H. van Belle
> Subject: DM 3.6.25 -> 4.x
>
>
> (should I ask that on the list?)
>
> thanks for a short feedback on this ->
>
> With june I get the job to admin a gentoo server with an old state of
> software:
>
> samba-3.6.25 domain member server
>
> I told them that I want to update the whole box asap ... and I think
> this won't be that much of a problem.
>
> Do you think I will have to rejoin it to the domain?
>
> I see some errors in the smb.conf already:
>
>
> [global]
> unix charset = iso8859-15
>
> security = ads
> realm = SECRETCUSTOMER.INTRA
> #password server = 192.168.100.32
> workgroup = SECRETCUSTOMER
> idmap uid = 10000 - 20000
> idmap gid = 10000 - 20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> winbind use default domain = yes
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> template shell = /bin/false
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> invalid users = root bin daemon adm sync shutdown
> halt mail news
> uucp
> obey pam restrictions = yes
> debug level = 5
>
> netbios name = U1SECRETCUSTOMER
> netbios aliases = samba
> server string = U1SECRETCUSTOMER
> interfaces = 192.168.100.4/24
> bind interfaces only = Yes
> map to guest = Bad User
> name resolve order = wins lmhosts hosts bcast
> wins support = Yes
> # idmap config * : range
> # idmap config * : backend = tdb
> force unknown acl user = Yes
> hosts allow = 10.98.1., 10.0.8., 192.168.1., 192.168.90.,
> 192.168.101, 192.168.100.5, 192.168.100.11, 192.168.100.13,
> 192.168.100.30, 192.168.100.31, 192.168.100.32, 192.168.100.33,
> 192.168.100.34, 192.168.100.35, 192.168.100.36, 192.168.100.37,
> 192.168.100.38, 192.168.100.39, 192.168.100.50, 192.168.100.51,
> 192.168.100.52, 192.168.100.53, 192.168.100.54, 192.168.100.55,
> 192.168.100.56, 192.168.100.57, 192.168.100.58, 192.168.100.59,
> 192.168.100.60, 192.168.100.61, 192.168.100.62, 192.168.100.63,
> 192.168.100.64, 192.168.100.65, 192.168.100.66, 192.168.100.67,
> 192.168.100.68, 192.168.100.69, 192.168.100.70, 192.168.100.71,
> 192.168.100.72, 192.168.100.73, 192.168.100.74, 192.168.100.75,
> 192.168.100.76, 192.168.100.77, 192.168.100.78, 192.168.100.79,
> 192.168.100.80, 192.168.100.81, 192.168.100.82, 192.168.100.83,
> 192.168.100.84, 192.168.100.85, 192.168.100.86, 192.168.100.87,
> 192.168.100.88, 192.168.100.89, 192.168.100.90, 192.168.100.91,
> 192.168.100.92, 192.168.100.93, 192.168.100.94, 192.168.100.95,
> 192.168.100.96, 192.168.100.97, 192.168.100.98, 192.168.100.99,
> 192.168.100.100, 192.168.100.101, 192.168.100.102, 192.168.100.103,
> 192.168.100.104, 192.168.100.105, 192.168.100.106, 192.168.100.107,
> 192.168.100.108, 192.168.100.109, 192.168.100.110, 192.168.100.111,
> 192.168.100.112, 192.168.100.113, 192.168.100.114, 192.168.100.115,
> 192.168.100.116, 192.168.100.117, 192.168.100.118, 192.168.100.119,
> 192.168.100.120, 192.168.100.121, 192.168.100.122, 192.168.100.123,
> 192.168.100.124, 192.168.100.125, 192.168.100.126, 192.168.100.127,
> 192.168.100.128, 192.168.100.129, 192.168.100.130, 192.168.100.131,
> 192.168.100.132, 192.168.100.133, 192.168.100.134, 192.168.100.135,
> 192.168.100.136, 192.168.100.137, 192.168.100.138, 192.168.100.139,
> 192.168.100.140, 192.168.100.141, 192.168.100.142, 192.168.100.143,
> 192.168.100.144, 192.168.100.145, 192.168.100.146, 192.168.100.147,
> 192.168.100.148, 192.168.100.149, 192.168.100.200, 192.168.100.203,
> 192.168.100.204
> nt acl support = No
> unix extensions = no
> follow symlinks= yes
> wide links= yes
>
> ##########################################
> ## changes since 2016-02-11 ##############
> ##########################################
> # log level = 2
> load printers = no
> printcap name = /dev/null
> # Audit settings
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> #full_audit:success = connect disconnect opendir mkdir rmdir closedir
> open close read pread write pwrite sendfile rename unlink chmod fchmod
> chown fchown chdir ftruncate lock symlink readlink link mknod realpath
> full_audit:success = mkdir rmdir write pwrite rename unlink
> chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice
>
>

On 2018-05-30 at 09:21, L.P.H. van Belle wrote:
> Hai Stefan,
>
> Yes, it's always better to ask the list, that way everybody can learn from it. ;-)
>
>> Do you think I will have to rejoin it to the domain?
> No, I don't think so.

Good, I don't have the ADS-Admin-password (yet) ;-)
I could ask them but for now it's better to not have to.

> Please note, I don't know anything about Gentoo except that they have a good wiki/info pages.
> If this was Debian, then in this case, what I would extra do here, run :
> samba -b and backup all folders of samba and anything samba related.
> Export the installed packages list.
>
> Now if you install a new Gentoo, import the packages list, and you need the same hostname and IP and the samba backup.
> The files : hosts resolv.conf nsswitch.conf, this is also a bit depending on the use and setup, but review these.
>
> ! Install the new server, and only pull the packages from the server, don't install yet. !
> On Debian that's apt-get install packages -d ( download only )
>
> Place the backups on this server and now pull the network connection.
> Install all needed packages, stop samba, put the backup back, start samba.
>
> Reboot the server, "still network detached", review logs and clean up logs, powerdown.
> Power off the old server, so nothing is changed there, change the network cable to the new server, and power up new server.
> If the old server is only used for and with samba, above setups will give a clean installed server with an old samba upgraded.
>
> If moving to a new isn't an option then make sure you do make a full system backup.
> Clone the harddisk to another hdd, fastest with minimal chance on error when you restore.
> And this is a fast way to backup, I just attach a big SATA disk and clone the disk.

This will happen in place, no new hardware.
We have backups on tapes everyday, that is part of my job as well.

> The config below is really outdated yes. This is what I would start with.
>
> [global]
> netbios name = U1SECRETCUSTOMER
> netbios aliases = samba
> server string = U1SECRETCUSTOMER
>
> security = ads
> workgroup = SECRETCUSTOMER
> realm = SECRETCUSTOMER.INTRA
>
> domain master = no
> local master = no
> preferred master = no
>
> interfaces = 192.168.100.4/24
> bind interfaces only = Yes
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config SECRETCUSTOMER : backend = rid
> idmap config SECRETCUSTOMER : range = 10000-20000
>
> # depending on the samba version. You might need these.
> #idmap config SECRETCUSTOMER : unix_nss_info = yes
> #idmap config SECRETCUSTOMER : unix_primary_group = yes
>
> winbind use default domain = yes
>
> winbind nss info = template
> template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> template shell = /bin/false
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> unix extensions = no
> follow symlinks= yes
> wide links= yes
> unix charset = iso8859-15
> force unknown acl user = Yes
>
> load printers = no
> printcap name = /dev/null
> disable spoolss = yes
>
> # Audit settings
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%S
> full_audit:failure = connect
> full_audit:success = mkdir rmdir write pwrite rename unlink chmod fchmod chown fchown ftruncate
> full_audit:facility = local5
> full_audit:priority = notice

Yes, thanks.
The idmap stuff scares me the most ;-)

I will see when to start that, I have to keep the downtime at minimum etc

Would it make sense to do some intermediate step to a lower 4.x version
or go straight from 3.6.25 to 4.8.2 ?

Thanks, Stefan

> Would it make sense to do some intermediate step to a lower
> 4.x version
> or go straight from 3.6.25 to 4.8.2 ?

This is a very big step, I don't know that, my biggest was from 3.6 to 4.1 but that was long ago.
I don't think it's a problem but I hope someone else knows...

And good to have your tape backups, then test the restore on a different machine.
If you can do that, then you are ok to go, if not, clone the harddisk, that is also faster than the tape.

Greetz,

Louis

On Wed, 30 May 2018 09:48:04 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2018-05-30 at 09:21, L.P.H. van Belle wrote:
> > Hai Stefan,
> >
> > Yes, it's always better to ask the list, that way everybody can
> > learn from it. ;-)
> >
> >> Do you think I will have to rejoin it to the domain?
> > No, I don't think so.
>
> Good, I don't have the ADS-Admin-password (yet) ;-)
> I could ask them but for now it's better to not have to.
>
> > Please note, I don't know anything about Gentoo except that they
> > have a good wiki/info pages. If this was Debian, then in this case,
> > what I would extra do here, run : samba -b and backup all folders
> > of samba and anything samba related. Export the installed packages
> > list.
> >
> > Now if you install a new Gentoo, import the packages list, and you
> > need the same hostname and IP and the samba backup. The files :
> > hosts resolv.conf nsswitch.conf, this is also a bit depending on
> > the use and setup, but review these.
> >
> > ! Install the new server, and only pull the packages from the
> > server, don't install yet. ! On Debian that's apt-get install packages
> > -d ( download only )
> >
> > Place the backups on this server and now pull the network
> > connection. Install all needed packages, stop samba, put the backup
> > back, start samba.
> >
> > Reboot the server, "still network detached", review logs and clean
> > up logs, powerdown. Power off the old server, so nothing is changed
> > there, change the network cable to the new server, and power up new
> > server. If the old server is only used for and with samba, above
> > setups will give a clean installed server with an old samba
> > upgraded.
> >
> > If moving to a new isn't an option then make sure you do make a full
> > system backup. Clone the harddisk to another hdd, fastest with
> > minimal chance on error when you restore. And this is a fast way
> > to backup, I just attach a big SATA disk and clone the disk.
>
> This will happen in place, no new hardware.
> We have backups on tapes everyday, that is part of my job as well.

Make sure the backups contain everything but the OS, from my experience, tape backups only contain some of the data.

Whilst we are talking about tape backups, hasn't anybody realised that tape backups are so last century and from my experience very unreliable.

> >
> > The config below is really outdated yes. This is what I would start
> > with.
> >
> > [global]
> > netbios name = U1SECRETCUSTOMER
> > netbios aliases = samba
> > server string = U1SECRETCUSTOMER
> >
> > security = ads
> > workgroup = SECRETCUSTOMER
> > realm = SECRETCUSTOMER.INTRA
> >
> > domain master = no
> > local master = no
> > preferred master = no
> >
> > interfaces = 192.168.100.4/24
> > bind interfaces only = Yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> > idmap config SECRETCUSTOMER : backend = rid
> > idmap config SECRETCUSTOMER : range = 10000-20000
> >
> > # depending on the samba version. You might need these.

You missed a line Louis ;-)
# but only if you use the 'ad' backend

> > #idmap config SECRETCUSTOMER : unix_nss_info = yes
> > #idmap config SECRETCUSTOMER : unix_primary_group = yes
> >
> > winbind use default domain = yes
> >
> > winbind nss info = template
> > template homedir = /mnt/MSA2040/smb/Homes/%D/%U
> > template shell = /bin/false

Two out of the three lines above are defaults

> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > unix extensions = no
> > follow symlinks= yes
> > wide links= yes
> > unix charset = iso8859-15
> > force unknown acl user = Yes
> >
> > load printers = no
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > # Audit settings
> > vfs objects = full_audit
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = connect
> > full_audit:success = mkdir rmdir write pwrite rename unlink
> > chmod fchmod chown fchown ftruncate full_audit:facility = local5
> > full_audit:priority = notice
>
> Yes, thanks.
> The idmap stuff scares me the most ;-)

Why ? Once you get your head around it, you will probably wonder why yourself ;-)

>
> I will see when to start that, I have to keep the downtime at minimum
> etc
>
> Would it make sense to do some intermediate step to a lower 4.x
> version or go straight from 3.6.25 to 4.8.2 ?

On a Unix domain member it won't make any difference, just go direct to 4.8.2

Rowland
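
Added example, not part of any message in this thread: a Python pre-upgrade check for the [global] section, covering the old `idmap uid`/`idmap gid` lines that the thread replaces with per-domain `idmap config` ranges, overlapping idmap ranges, and parameters set twice, where smb.conf keeps only the last assignment (the suggested config sets `vfs objects` twice, so `acl_xattr` is dropped in favour of `full_audit`). The function name, the finding texts and the reduced sample config are assumptions made for illustration.

```python
import re

# Constructed sample: a reduced copy of the [global] section suggested in the thread.
SAMPLE = """\
[global]
security = ads
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SECRETCUSTOMER : backend = rid
idmap config SECRETCUSTOMER : range = 10000-20000
vfs objects = acl_xattr
follow symlinks= yes
# Audit settings
vfs objects = full_audit
"""

OLD_STYLE = {"idmap uid", "idmap gid"}  # the thread swaps these for "idmap config"

def lint_global(text):
    """Return findings (hypothetical wording) for the [global] section of smb.conf text."""
    findings, seen, ranges, section = [], {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # names compare without case or extra spacing
        if key in seen:
            findings.append(f"duplicate '{key}': '{seen[key]}' replaced by '{value}'")
        seen[key] = value
        if key in OLD_STYLE:
            findings.append(f"old-style '{key}': use 'idmap config DOMAIN : range'")
        dom = re.fullmatch(r"idmap config (\S+?) ?: ?range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng:
            lo, hi = int(rng.group(1)), int(rng.group(2))
            for other, (olo, ohi) in ranges.items():
                # Two domains sharing any ID would map different users to one uid/gid.
                if other != dom.group(1) and lo <= ohi and olo <= hi:
                    findings.append(f"idmap range overlap: {dom.group(1)} and {other}")
            ranges[dom.group(1)] = (lo, hi)
    return findings
```

Run it on the output of `testparm -s` or on the raw file text before and after the upgrade; an empty list means none of the three conditions was found.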