On 4/5/20 7:14 PM, Rowland penny via samba wrote:> On 05/04/2020 17:47, Arne Zachlod via samba wrote: >> Hello, >> >> I'm currently in the process of updating our Samba environment from >> 4.3 to 4.11. Looks like I did something wrong. Some pointers would be >> much appreciated. >> >> Since I wanted to migrate from Ubuntu to Debian anyway, I decided to >> not upgrade in place, but instead create new VMs, join them and then >> remove the old 4.3 ones. Everything went well until I also wanted to >> transfer FSMO roles to a new VM. >> >> Since 'samba-tool fsmo transfer --role=all' didn't work, I decided to >> use seize instead. There was no error output other than the expected >> error that the transfer didn't work and I shut the old FSMO master DC >> down. >> >> So, now nothing really works as expected: the other DCs didn't get the >> memo to change to the new FSMO master DC and I cant find any >> documentation on how to change that by hand. >> >> Also, drs showrepl request take forever to finish on the now >> disconnected DCs while they just timeout on the FSMO master. > > Hmm, 4.3.x to 4.11.0, are smbd & winbind running, or is just samba > running ?Samba, winbind and smbd are all running.> > Your new DC could be re-indexing, if so just wait.How can I verify this? The Domain isn't very big, sub 100 PCs and roughly the same amount of users, so I expect it shouldn't take very long. Arne
On 05/04/2020 18:47, Arne Zachlod via samba wrote:> On 4/5/20 7:14 PM, Rowland penny via samba wrote: >> On 05/04/2020 17:47, Arne Zachlod via samba wrote: >>> Hello, >>> >>> I'm currently in the process of updating our Samba environment from >>> 4.3 to 4.11. Looks like I did something wrong. Some pointers would >>> be much appreciated. >>> >>> Since I wanted to migrate from Ubuntu to Debian anyway, I decided to >>> not upgrade in place, but instead create new VMs, join them and then >>> remove the old 4.3 ones. Everything went well until I also wanted to >>> transfer FSMO roles to a new VM. >>> >>> Since 'samba-tool fsmo transfer --role=all' didn't work, I decided >>> to use seize instead. There was no error output other than the >>> expected error that the transfer didn't work and I shut the old FSMO >>> master DC down. >>> >>> So, now nothing really works as expected: the other DCs didn't get >>> the memo to change to the new FSMO master DC and I cant find any >>> documentation on how to change that by hand. >>> >>> Also, drs showrepl request take forever to finish on the now >>> disconnected DCs while they just timeout on the FSMO master. >> >> Hmm, 4.3.x to 4.11.0, are smbd & winbind running, or is just samba >> running ? > > Samba, winbind and smbd are all running. > >> >> Your new DC could be re-indexing, if so just wait. > > How can I verify this? The Domain isn't very big, sub 100 PCs and > roughly the same amount of users, so I expect it shouldn't take very > long. > > Arne >run 'ps ax' in a terminal on the DC, if you can only see 'samba' as a running process (no smbd and winbind processes), then it is re-indexing. Yes, it should be quick, but something went wrong the first time I tried it and it took sometime. Rowland
Hi Arne, Le 05/04/2020 ? 19:47, Arne Zachlod via samba a ?crit?:> On 4/5/20 7:14 PM, Rowland penny via samba wrote: >> On 05/04/2020 17:47, Arne Zachlod via samba wrote: >>> Hello, >>> >>> I'm currently in the process of updating our Samba environment from >>> 4.3 to 4.11. Looks like I did something wrong. Some pointers would be >>> much appreciated. >>> >>> Since I wanted to migrate from Ubuntu to Debian anyway, I decided to >>> not upgrade in place, but instead create new VMs, join them and then >>> remove the old 4.3 ones. Everything went well until I also wanted to >>> transfer FSMO roles to a new VM. >>> >>> Since 'samba-tool fsmo transfer --role=all' didn't work, I decided to >>> use seize instead. There was no error output other than the expected >>> error that the transfer didn't work and I shut the old FSMO master DC >>> down. >>> >>> So, now nothing really works as expected: the other DCs didn't get >>> the memo to change to the new FSMO master DC and I cant find any >>> documentation on how to change that by hand. >>> >>> Also, drs showrepl request take forever to finish on the now >>> disconnected DCs while they just timeout on the FSMO master. >> >> Hmm, 4.3.x to 4.11.0, are smbd & winbind running, or is just samba >> running ? > > Samba, winbind and smbd are all running. > >> >> Your new DC could be re-indexing, if so just wait. > > How can I verify this? The Domain isn't very big, sub 100 PCs and > roughly the same amount of users, so I expect it shouldn't take very long.First you should double check your dns configuration (/etc/resolv.conf and /etc/krb5.conf). If you are using bind-dlz double check that is it really started. In more recent version it does not startup if there is on NS record in every zone (which include reverse zones). For the seize command I think there is a --force option, otherwise it starts with a transfer that may timeout first before really sizing the roles. You'll have to do a dbcheck --cross-ncs --fix --yes (after doing backup) to fix everything that has been corrected since 4.3. You may check that you don't have leftover from old DCs in sites and services and then force a samba_kcc. Cheers, Denis> > Arne >
On 05/04/2020 19:02, Denis CARDON via samba wrote:> > > First you should double check your dns configuration (/etc/resolv.conf > and /etc/krb5.conf). If you are using bind-dlz double check that is it > really started. In more recent version it does not startup if there is > on NS record in every zone (which include reverse zones).Check /var/log/syslog, it will tell you if Bind9 started or not.> > For the seize command I think there is a --force option, otherwise it > starts with a transfer that may timeout first before really sizing the > roles.Yes, there is a '--force' option and transfer is attempted first and it will probably always fail because nobody ever supplies a username and password and you need them to transfer the dns fsmo roles. Rowland
On 4/5/20 8:02 PM, Denis CARDON via samba wrote:> Hi Arne, > > Le 05/04/2020 ? 19:47, Arne Zachlod via samba a ?crit?: >> On 4/5/20 7:14 PM, Rowland penny via samba wrote: >>> On 05/04/2020 17:47, Arne Zachlod via samba wrote: >>>> Hello, >>>> >>>> I'm currently in the process of updating our Samba environment from >>>> 4.3 to 4.11. Looks like I did something wrong. Some pointers would >>>> be much appreciated. >>>> >>>> Since I wanted to migrate from Ubuntu to Debian anyway, I decided to >>>> not upgrade in place, but instead create new VMs, join them and then >>>> remove the old 4.3 ones. Everything went well until I also wanted to >>>> transfer FSMO roles to a new VM. >>>> >>>> Since 'samba-tool fsmo transfer --role=all' didn't work, I decided >>>> to use seize instead. There was no error output other than the >>>> expected error that the transfer didn't work and I shut the old FSMO >>>> master DC down. >>>> >>>> So, now nothing really works as expected: the other DCs didn't get >>>> the memo to change to the new FSMO master DC and I cant find any >>>> documentation on how to change that by hand. >>>> >>>> Also, drs showrepl request take forever to finish on the now >>>> disconnected DCs while they just timeout on the FSMO master. >>> >>> Hmm, 4.3.x to 4.11.0, are smbd & winbind running, or is just samba >>> running ? >> >> Samba, winbind and smbd are all running. >> >>> >>> Your new DC could be re-indexing, if so just wait. >> >> How can I verify this? The Domain isn't very big, sub 100 PCs and >> roughly the same amount of users, so I expect it shouldn't take very >> long. > > First you should double check your dns configuration (/etc/resolv.conf > and /etc/krb5.conf). If you are using bind-dlz double check that is it > really started. In more recent version it does not startup if there is > on NS record in every zone (which include reverse zones).I'm using the samba internal DNS, so no bind. I checked with ss, and samba is running on port 53 as well, so it seems thats working correctly.> > For the seize command I think there is a --force option, otherwise it > starts with a transfer that may timeout first before really sizing the > roles.the transfer worked, I don't have the output anymore, but the transfer timed out and then the seize worked correctrly, but the other DCs don't know that the FSMO role went to the other DC, so one question is how I can fix that?> > You'll have to do a dbcheck --cross-ncs --fix --yes (after doing backup) > to fix everything that has been corrected since 4.3. > > You may check that you don't have leftover from old DCs in sites and > services and then force a samba_kcc. > > Cheers, > > Denis >Thank you so much for your suggestions Arne