samba - Jun 2019 - Spring Cleanup / Migrating Samba 4.5 to 4.10

With some slight delay, we did actually manage to get all our old wonky
compatibility solutions nuked (turned out there were a few more lurking
in the shadows than expected?). Mail servers are no longer domain
joined, and unencrypted LDAP is finally gone, together with the terrible
PHP scripts that needed it.

Which allowed me to finally cleanup all the samba setups:

https://up.tao.at/u/samba/graz-file.2019-06-14T11:29:02+02:00.txt
https://up.tao.at/u/samba/villach-file.2019-06-14T11:29:02+02:00.txt

(File servers)

https://up.tao.at/u/samba/graz-dc-sem.2019-06-14T11:29:02+02:00.txt
https://up.tao.at/u/samba/graz-dc-1b.2019-06-14T11:29:02+02:00.txt
https://up.tao.at/u/samba/villach-dc-1a.2019-06-14T11:29:02+02:00.txt
https://up.tao.at/u/samba/villach-dc-bis.2019-06-14T11:29:02+02:00.txt

(DCs)

Hopefully, all the configurations should be clean now, or did I miss
something?

As for upgrading to Samba 4.10, in what order should the servers be
upgraded? Members first? Update DC withous FSMO roles, move FSMO roles
to one of them, then update the old FSMO holder last?

-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas, Systemadministrator
? sven.schwedas at tao.at | ? +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190614/8669a9c6/signature.sig>

Hi Sven, 

I had a quick look and its much better. Few small points. 

For the members. 
This might be a choice, but on the fileservers, the loggings is a bit difference
still.
And krb5-locales is on one but not the other. 

Last i see, there is no user mapping file for the members. 
Which normaly have !root = DOM\Administrator
( or BUILTIN\Administrator, depending on you setup )
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User

On the DC's. 
Turn this off : dsdb:schema update allowed = true 
This is only needed if you change/import the schema. 
And krb5-locales is on one but not the other. 
Or remove from all, or add to all, if you dont use it, i suggest remove it. 

For the upgrade path. 
Read:   https://wiki.samba.org/index.php/Updating_Samba
And this text file shows some good debian specific info
http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
Some parts are already fixed, but its mainly making sure the smb.conf is correct
for the version your upgradeing to.
>From 4.5, i suggest, goto 4.8 then 4.9 then 4.10, if you follow my repo. 
Its the safest upgrade path as far i know. ( official or my repo )

If you want to follow debian official repo, then i suggest, stay on 4.5 or
upgrade to 4.8 (my repo) until Debian Buster is released.
Thats because my 4.9 version is higher then Debian Official. 

I personaly do the DC with FSMO roles always first, after the samba upgrade i
wait about 5 min,
this depends a bit on the AD-DB size/replication time, then reboot the server.
Then i do the other DC, same steps.

One thing i do advice before you upgrade. Stongly adviced.

Backup samba AD-DC and copy : /etc/samba /var/lib/samba /var/cache/samba

On the members, 
If you use backen RID, then do the samba on the members. 
For backen AD i dont do that, but its still adviced to do also. 
You on backend AD with the members, so your choice.. what to backup. 
Paths are the same as the AD-DC folders. (/etc/samba /var/lib/samba
/var/cache/samba /etc/krb5.keytab )

If you have these folders, you can always downgrade, stop samba, restore above
folders and start again.

I make snapshots of my complete server, so my backup strategy is a bit
different.


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven 
> Schwedas via samba
> Verzonden: vrijdag 14 juni 2019 12:21
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Spring Cleanup / Migrating Samba 4.5 to 4.10
> 
> With some slight delay, we did actually manage to get all our 
> old wonky
> compatibility solutions nuked (turned out there were a few 
> more lurking
> in the shadows than expected?). Mail servers are no longer domain
> joined, and unencrypted LDAP is finally gone, together with 
> the terrible
> PHP scripts that needed it.
> 
> Which allowed me to finally cleanup all the samba setups:
> 
> https://up.tao.at/u/samba/graz-file.2019-06-14T11:29:02+02:00.txt
> https://up.tao.at/u/samba/villach-file.2019-06-14T11:29:02+02:00.txt
> 
> (File servers)
> 
> https://up.tao.at/u/samba/graz-dc-sem.2019-06-14T11:29:02+02:00.txt
> https://up.tao.at/u/samba/graz-dc-1b.2019-06-14T11:29:02+02:00.txt
> https://up.tao.at/u/samba/villach-dc-1a.2019-06-14T11:29:02+02:00.txt
> https://up.tao.at/u/samba/villach-dc-bis.2019-06-14T11:29:02+02:00.txt
> 
> (DCs)
> 
> Hopefully, all the configurations should be clean now, or did I miss
> something?
> 
> As for upgrading to Samba 4.10, in what order should the servers be
> upgraded? Members first? Update DC withous FSMO roles, move FSMO roles
> to one of them, then update the old FSMO holder last?
> 
> -- 
> Mit freundlichen Gr??en, / Best Regards,
> Sven Schwedas, Systemadministrator
> ??? sven.schwedas at tao.at | ??? +43 680 301 7167
> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
> A8020 Graz    | https://www.tao-digital.at
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...
> For the upgrade path. 
> Read:   https://wiki.samba.org/index.php/Updating_Samba
> And this text file shows some good debian specific info
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
> Some parts are already fixed, but its mainly making sure the smb.conf is
correct for the version your upgradeing to.
> 
> >From 4.5, i suggest, goto 4.8 then 4.9 then 4.10, if you follow my
repo.
> Its the safest upgrade path as far i know. ( official or my repo )
> 
> If you want to follow debian official repo, then i suggest, stay on 4.5 or
upgrade to 4.8 (my repo) until Debian Buster is released.
> Thats because my 4.9 version is higher then Debian Official. 
> 
> I personaly do the DC with FSMO roles always first, after the samba upgrade
i wait about 5 min,
> this depends a bit on the AD-DB size/replication time, then reboot the
server.
> Then i do the other DC, same steps.
I'm a bit confused. In past month many users write here about DB
corruption on upgrade (to 4.9 atleast).
Probably i get lost, but i was convinced that the best upgrade path
was, as Sven wrote, was uninstall samba and rejoin it (migrating FSMO
roles as needed).


So, a direct upgrade to 4.8 can be done? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bont?, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On 14.06.19 14:06, L.P.H. van Belle via samba wrote:
> Hi Sven, 
> 
> I had a quick look and its much better. Few small points. 
> 
> For the members. 
> This might be a choice, but on the fileservers, the loggings is a bit
difference still.
> And krb5-locales is on one but not the other. 
> 
> Last i see, there is no user mapping file for the members. 
> Which normaly have !root = DOM\Administrator
> ( or BUILTIN\Administrator, depending on you setup )
>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User
I'll take a look at that.
> On the DC's. 
> Turn this off : dsdb:schema update allowed = true 
> This is only needed if you change/import the schema. 
We did do changes to schema, to allow handling advanced mailing
configurations for our Cyrus setup, but we don't plan any further
changes now. So we can disable it without touching these changes?
> And krb5-locales is on one but not the other. 
> Or remove from all, or add to all, if you dont use it, i suggest remove it.
Right, that's just an artifact of how the servers were set up. Will
clean that up.
> For the upgrade path. 
> Read:   https://wiki.samba.org/index.php/Updating_Samba
> And this text file shows some good debian specific info
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
> Some parts are already fixed, but its mainly making sure the smb.conf is
correct for the version your upgradeing to.
> 
> From 4.5, i suggest, goto 4.8 then 4.9 then 4.10, if you follow my repo. 
> Its the safest upgrade path as far i know. ( official or my repo )
Alright, sounds good. Will probably stick with your repo, might as well.
> If you want to follow debian official repo, then i suggest, stay on 4.5 or
upgrade to 4.8 (my repo) until Debian Buster is released.
> Thats because my 4.9 version is higher then Debian Official. 
> 
> I personaly do the DC with FSMO roles always first, after the samba upgrade
i wait about 5 min,
> this depends a bit on the AD-DB size/replication time, then reboot the
server.
> Then i do the other DC, same steps.
How would I make sure that the AD DB is replicated? Check the time
stamps of `samba-tool drs showrepl` ?
> One thing i do advice before you upgrade. Stongly adviced.
> 
> Backup samba AD-DC and copy : /etc/samba /var/lib/samba /var/cache/samba
> 
> On the members, 
> If you use backen RID, then do the samba on the members. 
> For backen AD i dont do that, but its still adviced to do also. 
> You on backend AD with the members, so your choice.. what to backup. 
> Paths are the same as the AD-DC folders. (/etc/samba /var/lib/samba
/var/cache/samba /etc/krb5.keytab )
> 
> If you have these folders, you can always downgrade, stop samba, restore
above folders and start again.
> 
> I make snapshots of my complete server, so my backup strategy is a bit
different.
We use ZFS snapshots for backups and replication, so we have those anyway.
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven 
>> Schwedas via samba
>> Verzonden: vrijdag 14 juni 2019 12:21
>> Aan: samba at lists.samba.org
>> Onderwerp: [Samba] Spring Cleanup / Migrating Samba 4.5 to 4.10
>>
>> With some slight delay, we did actually manage to get all our 
>> old wonky
>> compatibility solutions nuked (turned out there were a few 
>> more lurking
>> in the shadows than expected?). Mail servers are no longer domain
>> joined, and unencrypted LDAP is finally gone, together with 
>> the terrible
>> PHP scripts that needed it.
>>
>> Which allowed me to finally cleanup all the samba setups:
>>
>> https://up.tao.at/u/samba/graz-file.2019-06-14T11:29:02+02:00.txt
>> https://up.tao.at/u/samba/villach-file.2019-06-14T11:29:02+02:00.txt
>>
>> (File servers)
>>
>> https://up.tao.at/u/samba/graz-dc-sem.2019-06-14T11:29:02+02:00.txt
>> https://up.tao.at/u/samba/graz-dc-1b.2019-06-14T11:29:02+02:00.txt
>> https://up.tao.at/u/samba/villach-dc-1a.2019-06-14T11:29:02+02:00.txt
>> https://up.tao.at/u/samba/villach-dc-bis.2019-06-14T11:29:02+02:00.txt
>>
>> (DCs)
>>
>> Hopefully, all the configurations should be clean now, or did I miss
>> something?
>>
>> As for upgrading to Samba 4.10, in what order should the servers be
>> upgraded? Members first? Update DC withous FSMO roles, move FSMO roles
>> to one of them, then update the old FSMO holder last?
>>
>> -- 
>> Mit freundlichen Gr??en, / Best Regards,
>> Sven Schwedas, Systemadministrator
>> ??? sven.schwedas at tao.at | ??? +43 680 301 7167
>> TAO Digital   | Teil der TAO Beratungs- & Management GmbH
>> Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
>> A8020 Graz    | https://www.tao-digital.at
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> 
> 
-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas, Systemadministrator
? sven.schwedas at tao.at | ? +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190614/92323b67/signature.sig>

Hai Marco, 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Gaiarin via samba
> Verzonden: vrijdag 14 juni 2019 14:25
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Spring Cleanup / Migrating Samba 4.5 to 4.10
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > For the upgrade path. 
> > Read:   https://wiki.samba.org/index.php/Updating_Samba
> > And this text file shows some good debian specific info
> > http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
> > Some parts are already fixed, but its mainly making sure 
> the smb.conf is correct for the version your upgradeing to. 
> > 
> > >From 4.5, i suggest, goto 4.8 then 4.9 then 4.10, if you 
> follow my repo. 
> > Its the safest upgrade path as far i know. ( official or my repo )
> > 
> > If you want to follow debian official repo, then i suggest, 
> stay on 4.5 or upgrade to 4.8 (my repo) until Debian Buster 
> is released. 
> > Thats because my 4.9 version is higher then Debian Official. 
> > 
> > I personaly do the DC with FSMO roles always first, after 
> the samba upgrade i wait about 5 min, 
> > this depends a bit on the AD-DB size/replication time, then 
> reboot the server.
> > Then i do the other DC, same steps.
> 
> I'm a bit confused. In past month many users write here about DB
> corruption on upgrade (to 4.9 atleast).
> Probably i get lost, but i was convinced that the best upgrade path
> was, as Sven wrote, was uninstall samba and rejoin it (migrating FSMO
> roles as needed).
Well, i did upgraded all the way up to 4.10, without uninstalling. 
And yes, correct, if you upgraded from 4.6-4.7 to 4.9. then you had DB error,
that should be fixed now.
But i still advice the step 4.8, why, just because i know that works fine. 
:-) 

Ps source fix: 
https://wiki.samba.org/index.php/Samba_4.9_Features_added/changed#Samba_4.9.4
BUG #13760: Fix upgrade from 4.7 (or earlier) to 4.9. 

> 
> 
> So, a direct upgrade to 4.8 can be done? Thanks.
Yes, just make user you smb.conf is correct and adjusted for 4.8 ... 
BEFORE you upgrade, that will save you some hassle. 
This applies for every major upgrade as in 4.5 to 4.6 or 4.8 to 4.9 ..
Any 4.x. to other 4.x.

And ... Brrr.. Italy was much better weather..  I went from 32c to 15c.. 
But i was good.. 

Greetz, 

Louis

Hai, 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Sven 
> Schwedas via samba
> Verzonden: vrijdag 14 juni 2019 14:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Spring Cleanup / Migrating Samba 4.5 to 4.10
> 
> On 14.06.19 14:06, L.P.H. van Belle via samba wrote:
> > Hi Sven, 
> > 
> > I had a quick look and its much better. Few small points. 
> > 
> > For the members. 
> > This might be a choice, but on the fileservers, the 
> loggings is a bit difference still. 
> > And krb5-locales is on one but not the other. 
> > 
> > Last i see, there is no user mapping file for the members. 
> > Which normaly have !root = DOM\Administrator
> > ( or BUILTIN\Administrator, depending on you setup )
> > 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_
> Member#Mapping_the_Domain_Administrator_Account_to_the_Local_r
> oot_User 
> 
> I'll take a look at that.
> 
> > On the DC's. 
> > Turn this off : dsdb:schema update allowed = true 
> > This is only needed if you change/import the schema. 
> 
> We did do changes to schema, to allow handling advanced mailing
> configurations for our Cyrus setup, but we don't plan any further
> changes now. So we can disable it without touching these changes?
Yes, correct. 
> 
> > And krb5-locales is on one but not the other. 
> > Or remove from all, or add to all, if you dont use it, i 
> suggest remove it. 
> 
> Right, that's just an artifact of how the servers were set up. Will
> clean that up.
> 
> > For the upgrade path. 
> > Read:   https://wiki.samba.org/index.php/Updating_Samba
> > And this text file shows some good debian specific info
> > http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
> > Some parts are already fixed, but its mainly making sure 
> the smb.conf is correct for the version your upgradeing to. 
> > 
> > From 4.5, i suggest, goto 4.8 then 4.9 then 4.10, if you 
> follow my repo. 
> > Its the safest upgrade path as far i know. ( official or my repo )
> 
> Alright, sounds good. Will probably stick with your repo, 
> might as well. 
> 
> > If you want to follow debian official repo, then i suggest, 
> stay on 4.5 or upgrade to 4.8 (my repo) until Debian Buster 
> is released. 
> > Thats because my 4.9 version is higher then Debian Official. 
> > 
> > I personaly do the DC with FSMO roles always first, after 
> the samba upgrade i wait about 5 min, 
> > this depends a bit on the AD-DB size/replication time, then 
> reboot the server.
> > Then i do the other DC, same steps.
> 
> How would I make sure that the AD DB is replicated? Check the time
> stamps of `samba-tool drs showrepl` ?
Yes, just run the replication check, and i often just watch "top" 
And wait untill samba its CPU load drops to 0. then i do the other. 
And before you start, as shown on the wiki page, samba-tool dbcheck 
First fix things then upgrade. 
> 
> > One thing i do advice before you upgrade. Stongly adviced.
> > 
> > Backup samba AD-DC and copy : /etc/samba /var/lib/samba 
> /var/cache/samba
> > 
> > On the members, 
> > If you use backen RID, then do the samba on the members. 
> > For backen AD i dont do that, but its still adviced to do also. 
> > You on backend AD with the members, so your choice.. what 
> to backup. 
> > Paths are the same as the AD-DC folders. (/etc/samba 
> /var/lib/samba /var/cache/samba /etc/krb5.keytab )
> > 
> > If you have these folders, you can always downgrade, stop 
> samba, restore above folders and start again. 
> > 
> > I make snapshots of my complete server, so my backup 
> strategy is a bit different. 
> 
> We use ZFS snapshots for backups and replication, so we have 
> those anyway.
Ah, thats good, that saves time if things go wrong.

Greetz, 

Louis