Harald Hannelius
2022-Oct-31 13:08 UTC
[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server
On Fri, 28 Oct 2022, Rowland Penny via samba wrote:

> Normally I create a new computer running the latest Debian version and then
> install the latest version of Samba possible. I would then join this as a DC
> and then, once everything is definitely running okay, demote one of my old
> DC's, repeat for every other DC.

So I installed a Debian 11 computer, and Samba 4.16.6 from bullseye-backports. I joined this to the AD and it looks like everything went OK. 'samba-tool ldapcmp' looks good, as does 'samba-tool drs showrepl'.

Is there a way for me to actually test this "SAD3" new AD DC by for instance forcing one of my test fileservers to use only this computer as the DS?

If testing of SAD3 looks good, then the next logical step would be to demote SAD2 (as long as it's not primary), remove all traces of samba from it and upgrade that, install samba from backports and join that. Same for DS1, moving the primary role first.

>> Almost all connections come from our other Windows AD domain.
>
> Then that needs to be a 'trusted' domain with its own 'idmap config' block.

I will get back to this, I promise. Sounds interesting, and I really need to learn more. If there only was more hours per day :/

>>     logging = syslog
>>     min domain uid = 500
>
> I suggest that you change that '500' to '0', otherwise the Administrator to
> root mapping will be ignored.

But I do like it when we don't have a working Administrator account that has access to all files :)

> If you add a 'trusted' domain, you cannot use 'winbind use default domain =
> yes'

I will get back on this.

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Rowland Penny
2022-Oct-31 13:41 UTC
[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server
On 31/10/2022 13:08, Harald Hannelius wrote:
>
> On Fri, 28 Oct 2022, Rowland Penny via samba wrote:
>
>> Normally I create a new computer running the latest Debian version and
>> then install the latest version of Samba possible. I would then join
>> this as a DC and then, once everything is definitely running okay,
>> demote one of my old DC's, repeat for every other DC.
>
> So I installed a Debian 11 computer, and Samba 4.16.6 from
> bullseye-backports. I joined this to the AD and it looks like everything
> went OK. 'samba-tool ldapcmp' looks good, as does 'samba-tool drs
> showrepl'.
>
> Is there a way for me to actually test this "SAD3" new AD DC by for
> instance forcing one of my test fileservers to use only this computer as
> the DS?

It is not easy, AD likes to find the best DC to use, but you could try adding 'password server = XXXX' where 'XXXX' is the name or IP of the DC you want to use.

> If testing of SAD3 looks good, then the next logical step would be to
> demote SAD2 (as long as it's not primary)

It shouldn't matter (and please stop calling it 'primary'), all DC's are equal (or are supposed to be and if they aren't, then you have big problems) except for the FSMO roles and they can be on ANY DC, in fact, if you had 7 DC's, they could each have an FSMO role, so which would be the 'primary' then? If it does hold all the FSMO roles, then it is very easy to transfer them to another DC using samba-tool.

> , remove all traces of samba
> from it and upgrade that, install samba from backports and join that.
> Same for DS1, moving the role first.
>
>>> Almost all connections come from our other Windows AD domain.
>>
>> Then that needs to be a 'trusted' domain with its own 'idmap config'
>> block.
>
> I will get back to this, I promise. Sounds interesting, and I really
> need to learn more. If there only was more hours per day :/

I have been working on time machine for a long time now, it still doesn't work :-D

>>>     logging = syslog
>>>     min domain uid = 500
>>
>> I suggest that you change that '500' to '0', otherwise the
>> Administrator to root mapping will be ignored.
>
> But I do like it when we don't have a working Administrator account that
> has access to all files :)

Not sure I understand that, but you need the Administrator root mapping.

>> If you add a 'trusted' domain, you cannot use 'winbind use default
>> domain = yes'
>
> I will get back on this.
>

Rowland
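The thread above makes three configuration points about a Samba member server: `password server` can pin it to one DC for testing, `min domain uid` must be 0 or the Administrator to root mapping is ignored, and `winbind use default domain = yes` cannot be combined with a trusted domain that has its own `idmap config` block. The script below is an added example, not code from the thread or from the Samba project: it parses the `[global]` section of an smb.conf and reports those three conditions. The sample smb.conf is constructed for the example; the domain names SAMDOM and WINDOM and the host `sad3.samdom.example.com` are placeholders, and the default of 1000 for `min domain uid` is taken from Samba's documentation.

```python
"""Lint a Samba member-server smb.conf for the settings discussed in the thread."""
import re

# Constructed sample: a member server pinned to the new DC for testing, but
# still carrying the two settings the thread warns about.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    logging = syslog
    min domain uid = 500
    password server = sad3.samdom.example.com
    winbind use default domain = yes
    username map = /etc/samba/user.map
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    # WINDOM is the trusted Windows domain mentioned in the thread (placeholder name)
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 1000000-1999999
"""

# The same file with the two recommendations from the thread applied.
HARDENED_SMB_CONF = (
    SAMPLE_SMB_CONF
    .replace("min domain uid = 500", "min domain uid = 0")
    .replace("winbind use default domain = yes", "winbind use default domain = no")
)


def parse_global(text):
    """Return the [global] section as a dict; parameter names are lower-cased
    and whitespace-normalised because Samba ignores case and spacing in them."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_domains(params):
    """Domains (other than the '*' default block) that have an 'idmap config' block."""
    domains = set()
    for key in params:
        m = re.match(r"idmap config (.+?) : ", key)
        if m and m.group(1) != "*":
            domains.add(m.group(1).upper())
    return domains


def check(params):
    """Return a list of INFO/WARN findings for the three points raised in the thread."""
    findings = []

    pinned = params.get("password server")
    if pinned:
        findings.append(f"INFO: password server = {pinned}; the member server is pinned "
                        "to one DC, remove this once testing is finished")

    # Samba's default is 1000; any value above 0 blocks the Administrator -> root (uid 0) mapping.
    min_uid = int(params.get("min domain uid", "1000"))
    if min_uid > 0:
        findings.append(f"WARN: min domain uid = {min_uid}; Administrator to root mapping "
                        "is ignored, set it to 0")

    own = params.get("workgroup", "").upper()
    trusted = idmap_domains(params) - {own}
    use_default = params.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    if use_default and trusted:
        findings.append("WARN: winbind use default domain = yes cannot be used with trusted "
                        f"domain idmap blocks ({', '.join(sorted(trusted))}); set it to no")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in check(parse_global(conf)):
            print(finding)
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `parse_global`; only the `[global]` section is inspected, so share definitions are ignored.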