And (re)joining is not recommended?

There are so many services and computers connected to the samba server, which are not in my hand. Means after I upgraded all our 5 ADs I would have to inform many people about the new name and IP.

Thanks
On Mon, 2019-08-26 at 06:54 +0200, gizmo via samba wrote:
> And (re)joining is not recommended?

We do recommend it:

https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC

> There are so many services and computers connected to the samba server, which are not in my hand.
> Means after I upgraded all our 5 ADs I would have to inform many people about the new name and IP.

The identifier that Rowland is worried about in terms of replication behaviour is actually the invocationID, and we do not re-use that. This is actually a problem if this kind of re-join is done often/automated, as objects in AD keep a list of every DC that ever existed on them!

But for practical, human-scale operations it is fine. We delete all the other objects involved (server objects, DC objects etc). If something isn't being cleaned up then that's a bug, a rejoin with the same name is normal in Samba.

I trust this clarifies things,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
> But for practical, human-scale operations it is fine. We delete all
> the other objects involved (server objects, DC objects etc). If
> something isn't being cleaned up then that's a bug, a rejoin with the
> same name is normal in Samba.
>
> I trust this clarifies things,

Just to be 100% sure I got it, I can

1. stop all services on a DC
2. install a new OS and new samba version
3. join the DC with same name and IP again

right?

thank you
Hai Andrew,

I just tested this on 4.10.7

Which resulted in:

ERROR(<class 'samba.join.DCJoinException'>): uncaught exception - Can't join, error: Not removing account DC1$ which looks like a Samba DC account matching the password we already have. To override, remove secrets.ldb and secrets.tdb

The wiki does not say we have to remove the old secrets.

Report it as bug? Or add the info on the wiki to remove the secrets files?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of gizmo via samba
> Sent: Monday 26 August 2019 13:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] Upgrading samba and OS - can I rejoin ?
>
> > But for practical, human-scale operations it is fine. We delete all
> > the other objects involved (server objects, DC objects etc). If
> > something isn't being cleaned up then that's a bug, a rejoin with the
> > same name is normal in Samba.
> >
> > I trust this clarifies things,
>
> Just to be 100% sure I got it, I can
>
> 1. stop all services on a DC
> 2. install a new OS and new samba version
> 3. join the DC with same name and IP again
>
> right?
>
> thank you
On 26/08/2019 06:06, Andrew Bartlett via samba wrote:
> On Mon, 2019-08-26 at 06:54 +0200, gizmo via samba wrote:
>> And (re)joining is not recommended?
> We do recommend it:
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
>
>> There are so many services and computers connected to the samba server, which are not in my hand.
>> Means after I upgraded all our 5 ADs I would have to inform many people about the new name and IP.
> The identifier that Rowland is worried about in terms of replication
> behaviour is actually the invocationID, and we do not re-use that.
> This is actually a problem if this kind of re-join is done
> often/automated, as objects in AD keep a list of every DC that ever
> existed on them!
>
> But for practical, human-scale operations it is fine. We delete all
> the other objects involved (server objects, DC objects etc). If
> something isn't being cleaned up then that's a bug, a rejoin with the
> same name is normal in Samba.
>
> I trust this clarifies things,
>
> Andrew Bartlett
>

The problem is, if you try to join a DC with the same name as before, it doesn't work. You need to demote the existing DC and then remove ALL mention of it from AD, this isn't a Samba thing, it is an AD thing.

From the numerous problems that have been posted on this list about trying to rejoin a DC with an existing name, the fix is obvious, always use a new name.

Rowland