Hello all,

I've planned to upgrade a Samba DC from 4.6.7 to 4.9.4.
For that I will use the following method:

- build a new DC from 4.9.4 sources (on CentOS 7)
- join this new DC to the domain
- transfer the FSMO roles from the old DC (4.6.7) to the new DC (4.9.4)
- replicate the sysvoldir from old DC to new DC
- demote the old DC
- switch off the old DC

Since I prefer to ask before facing any problems, is there any issue I should take care about? Especially from the 4.6 to the 4.9 release, are there any big changes or incompatibilities that could be a potential source of trouble (Kerberos? default values?)?
Would 4.8.8 be a better seamless option?

The smb.conf of the old DC is:

# Global parameters
[global]
        netbios name = OLD-DC
        realm = MYDOM.MYCOMP.COM
        workgroup = MYDOM
        dns forwarder = 1.2.3.4
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
        ntlm auth = yes
        raw NTLMv2 auth = yes

[netlogon]
        path = /var/lib/samba/sysvol2/mydom.mycomp.com/scripts
        read only = No
        browseable = no

[sysvol]
        path = /var/lib/samba/sysvol2
        read only = No
        browseable = no

Thanks in advance for any advice.

Henri

On Wed, 6 Feb 2019 15:20:56 +0400
henri transfert via samba <samba at lists.samba.org> wrote:

> Hello all,
>
> I've planned to upgrade a Samba DC from 4.6.7 to 4.9.4.

STOP!

Do not do this directly, reports on here have shown that this will not work.

You will have to 'walk' up the versions, it may work if you go to 4.8.3, then to 4.9.4, but you may have to go to 4.7.2 first.

> For that I will use the following method:
>
> - build a new DC from 4.9.4 sources (on CentOS 7)

Make sure you use Heimdal Kerberos, not the CentOS default MIT.

> - join this new DC to the domain
> - transfer the FSMO roles from the old DC (4.6.7) to the new DC (4.9.4)
> - replicate the sysvoldir from old DC to new DC
> - demote the old DC
> - switch off the old DC
>
> Since I prefer to ask before facing any problems, is there any issue I
> should take care about? Especially from the 4.6 to the 4.9 release, are
> there any big changes or incompatibilities that could be a potential
> source of trouble (Kerberos? default values?)?
> Would 4.8.8 be a better seamless option?
>
> The smb.conf of the old DC is:
> # Global parameters
> [global]
>         netbios name = OLD-DC
>         realm = MYDOM.MYCOMP.COM
>         workgroup = MYDOM
>         dns forwarder = 1.2.3.4
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         ldap server require strong auth = no
>         ntlm auth = yes
>         raw NTLMv2 auth = yes

Why are you still using the very insecure NTLMv1?

>
> [netlogon]
>         path = /var/lib/samba/sysvol2/mydom.mycomp.com/scripts
>         read only = No
>         browseable = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol2
>         read only = No
>         browseable = no

Does anybody know where setting 'browseable = no' on 'netlogon' & 'sysvol' came from? Totally redundant, there is no netbios browsing on a Samba AD DC, it isn't in 'nbt'.

Rowland

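An added example, not part of any message in this thread: a small Python check that parses smb.conf text and flags the three authentication-weakening [global] settings present in the posted configuration. The parser, the WEAK table and the names parse_smb_conf and audit are illustrative; the defaults listed are the ones documented for smb.conf, with the 'ntlm auth' default shown for Samba 4.7 and later.

```python
import re

# Samba boolean spellings recognised by this sketch (a subset).
YES, NO = {"yes", "true", "1"}, {"no", "false", "0"}

# name -> (values to flag, Samba default, what the flagged value permits)
WEAK = {
    "ntlm auth": (YES | {"ntlmv1-permitted"}, "ntlmv2-only (4.7+)",
                  "NTLMv1 responses are accepted"),
    "raw ntlmv2 auth": (YES, "no",
                        "SMB1 clients without extended security may use NTLMv2"),
    "ldap server require strong auth": (NO, "yes",
                        "simple and SASL binds allowed over any transport"),
}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spaces squeezed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)      # keys may contain ':'
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def audit(text):
    """Return (parameter, value, default, risk) for each weak [global] setting."""
    glob = parse_smb_conf(text).get("global", {})
    return [(p, glob[p], default, risk)
            for p, (bad, default, risk) in WEAK.items()
            if glob.get(p, "").lower() in bad]

# Part of the [global] section as posted in the thread, retyped as sample input.
POSTED = """
[global]
    idmap_ldb:use rfc2307 = yes
    ldap server require strong auth = no
    ntlm auth = yes
    raw NTLMv2 auth = yes
"""

if __name__ == "__main__":
    for param, value, default, risk in audit(POSTED):
        print(f"{param} = {value} (default: {default}): {risk}")
```
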
Thank you Rowland for your answer. I reply inline.

> On Wed, 6 Feb 2019 15:20:56 +0400
> henri transfert via samba <samba at lists.samba.org> wrote:
>
> > Hello all,
> >
> > I've planned to upgrade a Samba DC from 4.6.7 to 4.9.4.
>
> STOP!
>
> Do not do this directly, reports on here have shown that this will not work.
>
> You will have to 'walk' up the versions, it may work if you go to 4.8.3, then to
> 4.9.4, but you may have to go to 4.7.2 first.

OK, thanks for the warning. What will not work exactly?

So, what is the recommended path to upgrade?
1) from 4.6.7 to 4.7.2
2) then 4.7.2 to 4.8.3
3) then 4.8.3 to 4.9.4?

Is there a doc on the wiki about this?

> > For that I will use the following method:
> >
> > - build a new DC from 4.9.4 sources (on CentOS 7)
>
> Make sure you use Heimdal Kerberos, not the CentOS default MIT.

I assume Heimdal Kerberos is the one used in 4.6.7. So I guess I will have to enforce Heimdal at compilation time (--with-system-heimdalkrb5?).

> > - join this new DC to the domain
> > - transfer the FSMO roles from the old DC (4.6.7) to the new DC (4.9.4)
> > - replicate the sysvoldir from old DC to new DC
> > - demote the old DC
> > - switch off the old DC
> >
> > Since I prefer to ask before facing any problems, is there any issue I
> > should take care about? Especially from the 4.6 to the 4.9 release, are there
> > any big changes or incompatibilities that could be a potential source of
> > trouble (Kerberos? default values?)?
> > Would 4.8.8 be a better seamless option?
> >
> > The smb.conf of the old DC is:
> > # Global parameters
> > [global]
> >         netbios name = OLD-DC
> >         realm = MYDOM.MYCOMP.COM
> >         workgroup = MYDOM
> >         dns forwarder = 1.2.3.4
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         ldap server require strong auth = no
> >         ntlm auth = yes
> >         raw NTLMv2 auth = yes
>
> Why are you still using the very insecure NTLMv1?

An old requirement due to old XP clients.
I guess I could remove it.

> > [netlogon]
> >         path = /var/lib/samba/sysvol2/mydom.mycomp.com/scripts
> >         read only = No
> >         browseable = no
> >
> > [sysvol]
> >         path = /var/lib/samba/sysvol2
> >         read only = No
> >         browseable = no
>
> Does anybody know where setting 'browseable = no' on 'netlogon' & 'sysvol'
> came from? Totally redundant, there is no netbios browsing on a Samba AD DC,
> it isn't in 'nbt'.

If I remove "browsable=no", I can see shares netlogon and sysvol if I go to \\MY-SAMBA-DC. I want them to be hidden. Something wrong here?

Thanks.

Henri

> Rowland

> So, what is the recommended path to upgrade?
> 1) from 4.6.7 to 4.7.2
> 2) then 4.7.2 to 4.8.3
> 3) then 4.8.3 to 4.9.4?

It was a bit of a search but I suggest you read:

https://lists.samba.org/archive/samba/2018-December/220103.html
[Samba] After upgrade to 4.9.4, internal DNS no longer working

And

https://lists.samba.org/archive/samba/2018-December/220194.html
[Samba] AD bind DNS broken after 4.7.3 -> 4.9.2 upgrade

And it's reported here:

https://bugzilla.samba.org/show_bug.cgi?id=13760

I suggest you add your name to that bug report.

Greetz,

Louis

Hi Rowland,

On Wed, 6 Feb 2019, Rowland Penny via samba wrote:

> On Wed, 6 Feb 2019 15:20:56 +0400
> henri transfert via samba <samba at lists.samba.org> wrote:
>
>> Hello all,
>>
>> I've planned to upgrade a Samba DC from 4.6.7 to 4.9.4.
>
> STOP!
>
> Do not do this directly, reports on here have shown that this will not
> work.
>
> You will have to 'walk' up the versions, it may work if you go to
> 4.8.3, then to 4.9.4, but you may have to go to 4.7.2 first.

If I have a domain running (2) 4.7.x DCs and I build 2 new DCs with 4.9.latest, join the domain and make them DCs and then decommission the old DCs, is that expected to work?

Regards,

--
Tom
me at tdiehl.org