L.P.H. van Belle
2019-Jul-29 09:24 UTC
[Samba] Upgrading your Samba AD-DC from Stretch to Buster, used samba 4.10.6.
Hai guys,

After a few messages on the list on Buster, I decided to upgrade one of my production AD-DCs and see what happens. I've noticed a few things here, so here are the steps and changes I made to upgrade and have a correctly working AD-DC after the upgrade.

Setup is as follows: Debian Stretch AD-DC with Bind9 DLZ and ntp time.
This is still the base I used for my AD-DC:
https://github.com/thctlo/samba4/blob/master/howtos/stretch-base-2.0-samba-minimal-ad.txt

Upgrade steps.

1) Change your sources files.

    sed -i 's/stretch/buster/g' /etc/apt/sources.list
    # If you use my sources also.
    sed -i 's/stretch/buster/g' /etc/apt/sources.list.d/van-belle.list

2) Get updated files.

    apt update
    apt dist-upgrade -dy

-dy (download and yes): this only fetches the packages to your server.

3) Install updated files.

    apt dist-upgrade --autoremove -y

And wait for it all to be upgraded.

4) Change BIND9.

If you use bind9_dlz, change the bind9 backend version.

    # disable bind 9.10
    sed -i 's|database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10|# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10|g' /var/lib/samba/bind-dns/named.conf
    # enable bind 9.11
    sed -i 's|# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11|database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11|g' /var/lib/samba/bind-dns/named.conf

And this is my new config for bind9.11 on Buster; few changes are needed.

    ## Config Begin.
    acl thisserverip {
        // ip of this AD-DC server.
        192.168.1.2;
    };

    acl all-networks {
        # define all your networks here in CIDR format
        192.168.1.0/24;
    };

    options {
        directory "/var/cache/bind";
        version "Go Away 0.0.7";
        dnssec-validation no;

        // Disabled forwarders for now,
        // in an attempt to stop this in the logs: "resolver: info: resolver priming query complete log messages."
        // Which worked in the end :-) for the config.
        //forwarders {
        //    62.212.131.101;
        //    62.212.128.130;
        //    8.8.8.8;
        //};

        auth-nxdomain yes; // Default is no, but this server IS the authoritative server of your zones.
        listen-on-v6 { "none"; }; // I don't use IPv6 on my AD-DC.
        listen-on port 53 { "thisserverip"; 127.0.0.1; };
        notify no;

        // After upgrade from stretch to buster, I've added:
        minimal-responses yes; // In an attempt to stop this in the logs: "resolver: info: resolver priming query complete log messages."
                               // see also: https://gitlab.isc.org/isc-projects/bind9/issues/752
        empty-zones-enable yes; // enable this if you see: RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" in your logs.

        allow-query { "all-networks"; 127.0.0.1/32; };
        // added in an attempt to stop this in the logs: "resolver: info: resolver priming query complete log messages."
        allow-query-cache { "all-networks"; 127.0.0.1/32; };
        allow-recursion { "all-networks"; 127.0.0.1/32; };

        // NOTE, samba 4.9+ uses /var/lib/samba/bind-dns
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    };

    include "/etc/bind/rndc.key";
    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
    };
    ## Config END.

Above config resulted in a correctly working DNS again.

5) Update the root DNS hints.

    dig www.oneinternetsite.com +trace

6) And if you didn't change your systemd startup for samba-ad-dc and bind9, I suggest you do so.

    systemctl edit samba-ad-dc

and add:

    [Unit]
    After=network.target network-online.target bind9.service

    systemctl edit bind9

    [Service]
    ExecReload

7) Reboot.

Check logs and this should result in a correctly running samba-ad-dc again, and no errors in your logs. You might see one; that might be ntp, give it time to update/sync time again.

I hope this helps some people.

Greetz,

Louis
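The two sed one-liners in step 4 silently do nothing if the path or version string does not match, and BIND refuses to start if zero or two "database" lines end up active. The script below is an added example (not from Louis' post or from Samba) that generalises that step to any BIND version pair and verifies the result; DLZ_DIR is the Debian amd64 path from the post, and the sample named.conf it writes is constructed in the layout Samba generates.

```shell
#!/bin/sh
# Added example, not from the original post: switch the active Samba DLZ module
# in a Samba-generated /var/lib/samba/bind-dns/named.conf and verify that
# exactly one "database" line is left active. DLZ_DIR is the Debian amd64
# path used in the post; the sample named.conf written below is constructed.
DLZ_DIR=/usr/lib/x86_64-linux-gnu/samba/bind9

# Print the basename of every active (uncommented) dlz_bind9 module in CONF.
active_dlz_module() {
    sed -n 's|^[[:space:]]*database "dlopen [^"]*/\(dlz_bind9[^"]*\.so\)".*|\1|p' "$1"
}

# Succeed only when exactly one module line is active (what BIND requires).
check_single_active() {
    n=$(active_dlz_module "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# switch_dlz_module CONF OLD NEW, e.g. "switch_dlz_module named.conf 10 11":
# comments out dlz_bind9_10.so and activates dlz_bind9_11.so, keeping indentation.
# Both substitutions are anchored on the line start, so re-running is harmless.
switch_dlz_module() {
    conf=$1; old=$2; new=$3
    [ -f "$DLZ_DIR/dlz_bind9_$new.so" ] || echo "warning: $DLZ_DIR/dlz_bind9_$new.so not installed" >&2
    sed -i "s|^\([[:space:]]*\)database \"dlopen $DLZ_DIR/dlz_bind9_$old\.so\"|\1# database \"dlopen $DLZ_DIR/dlz_bind9_$old.so\"|" "$conf"
    sed -i "s|^\([[:space:]]*\)# database \"dlopen $DLZ_DIR/dlz_bind9_$new\.so\"|\1database \"dlopen $DLZ_DIR/dlz_bind9_$new.so\"|" "$conf"
    check_single_active "$conf"
}

# Write a constructed sample in the layout Samba generates (BIND 9.10 active).
write_sample_conf() {
    cat > "$1" <<EOF
dlz "AD DNS Zone" {
    # For BIND 9.10.x
    database "dlopen $DLZ_DIR/dlz_bind9_10.so";
    # For BIND 9.11.x
    # database "dlopen $DLZ_DIR/dlz_bind9_11.so";
};
EOF
}

# Stand-alone demo on a temporary file; on a real DC point it at the live file.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
switch_dlz_module "$demo_conf" 10 11 && echo "active: $(active_dlz_module "$demo_conf")"
rm -f "$demo_conf"
```

Run `named-checkconf` afterwards as well, since this script only checks the DLZ line and not the rest of the configuration.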
Sven Schwedas
2019-Jul-29 09:30 UTC
[Samba] Upgrading your Samba AD-DC from Stretch to Buster, used samba 4.10.6.
So, with internal DNS backend, no manual changes are necessary and it's a straight apt dist-upgrade?

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
L.P.H. van Belle
2019-Jul-29 09:42 UTC
[Samba] Upgrading your Samba AD-DC from Stretch to Buster, used samba 4.10.6.
Hai,

As far as I'm seeing and can tell, yes.

If you upgrade and you see something about jessie certificates: install new (I).
All other questions I got after that, I kept the defaults.

Just make sure everything is running without errors at boot on Stretch, and then upgrade. I've just done the other DCs also; it took me about 5 min per DC, which was mostly downloading and installing time.

If you hit errors somewhere, just mail the list, I keep an eye on it.

Greetz,

Louis