L.P.H. van Belle
2021-Sep-01 12:50 UTC
[Samba] Upgrade old infrastructure running 4.3 (and 4.13)
Hai,

What you can try is: log in on the 4.13 server and seize the roles.

    samba-tool fsmo seize -h
    Usage: samba-tool fsmo seize [options]

    Options:
      -h, --help            show this help message and exit
      -H URL, --URL=URL     LDB URL for database or target server
      --force               Force seizing of role without attempting to transfer.
      --role=ROLE           The FSMO role to seize or transfer.
                            rid=RidAllocationMasterRole
                            schema=SchemaMasterRole
                            pdc=PdcEmulationMasterRole
                            naming=DomainNamingMasterRole
                            infrastructure=InfrastructureMasterRole
                            domaindns=DomainDnsZonesMasterRole
                            forestdns=ForestDnsZonesMasterRole
                            all=all of the above
                            You must provide an Admin user and password.

But beware, there is one big pitfall you MUST take account of. Some older Samba versions gave wrong timestamps in the DNS entries. Check this first, because if you enable scavenging, you might lose important DNS entries. Which is why I can't use scavenging until I've manually fixed all records.

See: https://bugzilla.samba.org/show_bug.cgi?id=12451

It's pretty easy to see if you have this problem. Look up all your server DNS entries: do they show a timestamp or "static"? Or, as I use lots of CNAME entries, you can see it on these also. My latest CNAME entries are showing static now, but the old ones are with timestamps.

So, small warning here on that point. Simple to avoid: just don't enable scavenging. The source of this problem is fixed, just not the old records in the DNS. I use bind9_dlz with it; I don't know if it's also in the Samba internal DNS, but I thought it was seen there also.

> I'm going to:
> * upgrade the OS, which will take Samba to 4.7

I assume you're now on bionic. These repos can be used to upgrade further:

    bionic-samba49
    bionic-samba410 (after this one, stop)

Here you have 2 choices again.

1) upgrade the OS to Ubuntu Focal Fossa and use its samba 4.11.6
2) upgrade to bionic-samba411 (this was the last bionic version on my repo, 4.11.12)

I upgraded myself to Ubuntu Focal Fossa, then installed focal-samba412 and upgraded until where we are now. Once you're on Fossa, you can upgrade again. My repo has for Fossa:

    focal-samba412
    focal-samba413
    focal-samba414

> * run db check

I recommend it after every upgrade.

> * install 4.14
> * run db check

I hope this helps you out.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lorenzo Milesi via samba
> Sent: Wednesday 1 September 2021 13:19
> To: samba
> Subject: [Samba] Upgrade old infrastructure running 4.3 (and 4.13)
>
> Hi.
> I've a hybrid installation with a master DC running Ubuntu 16.04's "stock" 4.3 Samba, and a second DC running 4.13.
> Currently FSMO roles are on the 4.3 as it was the first server, and I cannot transfer them to the 4.13 as there are schema differences [1].
> We're finally going to upgrade unmaintained Ubuntu and Samba.
> From what I could understand by reading the upgrade guides I'm going to:
> * upgrade the OS, which will take Samba to 4.7
> * run db check
> * install 4.14
> * run db check
>
> Is this correct or should I take other steps?
>
> Thanks
>
> [1] ERROR: Failed to add role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=contoso,DC=lan'> <>
>
> --
> Lorenzo Milesi - lorenzo.milesi at yetopen.com
> CTO @ YetOpen Srl
> YetOpen - https://www.yetopen.com/
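The static-versus-timestamp check described in the message above can be scripted. This is an added example, not part of the original thread or of Samba's own tooling: it decodes the fixed header of an AD-integrated `dnsRecord` value (layout per MS-DNSP 2.3.2.2, where a timestamp of 0 means static) and lists names that scavenging would consider aged. The function names, the 14-day window and the sample blobs are assumptions constructed for illustration; exporting the `dnsRecord` values from the directory is left to the reader.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<HHBBHI")  # DataLength, Type, Version, Rank, Flags, Serial
TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def parse_dns_record(blob):
    """Decode the 24-byte header of one dnsRecord value (MS-DNSP 2.3.2.2)."""
    if len(blob) < 24:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, _version, _rank, _flags, serial = HEADER.unpack_from(blob, 0)
    if len(blob) - 24 != data_len:
        raise ValueError("DataLength does not match the payload size")
    (ttl,) = struct.unpack_from(">I", blob, 12)    # TTL is stored big-endian
    (hours,) = struct.unpack_from("<I", blob, 20)  # hours since 1601-01-01 UTC
    stamp = EPOCH_1601 + timedelta(hours=hours) if hours else None
    return {"type": TYPES.get(rtype, str(rtype)), "serial": serial,
            "ttl": ttl, "static": hours == 0, "timestamp": stamp}


def at_risk(records, now, max_age=timedelta(days=14)):
    """Names with a timestamped record older than max_age (assumed window)."""
    risky = []
    for name, blob in records:
        rec = parse_dns_record(blob)
        if not rec["static"] and now - rec["timestamp"] > max_age:
            risky.append(name)
    return sorted(set(risky))


def make_record(rtype, data, hours, ttl=900, serial=1):
    """Build a constructed sample blob; not read from a real directory."""
    return (HEADER.pack(len(data), rtype, 5, 0xF0, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<II", 0, hours) + data)


def hours_since_1601(when):
    """Convert an aware datetime to the dnsRecord timestamp unit."""
    return int((when - EPOCH_1601).total_seconds() // 3600)


if __name__ == "__main__":
    now = datetime(2021, 9, 1, tzinfo=timezone.utc)
    old = hours_since_1601(datetime(2016, 11, 1, tzinfo=timezone.utc))
    sample = [("dc1", make_record(1, bytes([10, 0, 0, 5]), old)),
              ("www", make_record(5, b"constructed-cname-data", 0))]
    for name, blob in sample:
        print(name, parse_dns_record(blob))
    print("would be scavenged:", at_risk(sample, now))
```

Any server or CNAME record that shows up in `at_risk` needs its timestamp fixed (or scavenging left disabled) before aging is turned on.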
Lorenzo Milesi
2021-Sep-01 15:16 UTC
[Samba] Upgrade old infrastructure running 4.3 (and 4.13)
> I hope this helps you out.

Thank you very much for the detailed explanation!

I'm just wondering, what's the purpose of seizing FSMO roles and then doing step upgrades of Samba? Once it's cut off, I can delete everything, install 4.14 straight and join it back as suggested here [1].

As per OS I need to remain on Ubuntu 18.04 as there's another application which doesn't support 20.04. So I was going to use LinuxSchools PPA [2].

What concerns me the most is the head note of the upgrade page, given I'm currently on 4.3:

    You should only consider using this method if you are running a modern Samba installation (i.e. v4.7 release or later, with a minimum 2008R2 base schema). It is better to use this method for major Samba version upgrades (e.g. v4.10 to v4.11).

My schema is ok (47), but the version is not.

Two further notes:

1. dbcheck returns no error on 4.3, while on 4.13 it shows:

    root at landc:~# samba-tool dbcheck --cross-ncs
    Checking 3534 objects
    NOTE: old (due to rename or delete) DN string component for fromServer in object CN=5ba66c59-f19c-4b5d-b565-3ff8d03c6562,CN=NTDS Settings,CN=LANDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=lan - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=lan
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for fSMORoleOwner in object CN=Infrastructure,DC=DomainDnsZones,DC=contoso,DC=lan - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=lan
    Not fixing old string component
    NOTE: old (due to rename or delete) DN string component for fSMORoleOwner in object CN=Infrastructure,DC=ForestDnsZones,DC=contoso,DC=lan - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=lan
    Not fixing old string component
    Checked 3534 objects (0 errors)

2. transferring roles throws an error (as I wrote in the first email), is seizing them "safer"? :)

Thanks again

[1] https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
[2] https://launchpad.net/~linux-schools/+archive/ubuntu/samba-latest

--
Lorenzo Milesi - lorenzo.milesi at yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/