Thanks for that extensive response!
--Mark
> From samba-bounces at lists.samba.org Sat Jan 28 05:12:23 2023
> Date: Sat, 28 Jan 2023 10:11:44 +0000
> To: samba at lists.samba.org
> Subject: Re: [Samba] Upgrading from Samba 4.8.2 to 4.15.5
> From: Rowland Penny via samba <samba at lists.samba.org>
> Cc: Rowland Penny <rpenny at samba.org>
>
> On 28/01/2023 08:57, Mark Foley via samba wrote:
> > On Sat Jan 28 02:37:16 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On 28/01/2023 06:44, Mark Foley via samba wrote:
> >>> I wrote earlier about setting the domain user password minimum to > 14
> >>> characters. It was advised that my first step should be to upgrade from Samba
> >>> 4.8.2 to the most recent version available which for my Slackware 15.0 distro is
> >>> 4.15.5. This also involved a distro upgrade from Slackware 14.2 to 15.0.
> >>>
> >>> After upgrading, just for the heck of it, I tried starting Samba without
> >>> changing my 4.8.2 configs. Of course, that didn't work. My initial error (of
> >>> several) in syslog was:
> >>>
> >>> Jan 28 00:42:52 mail krb5kdc[2725]: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': No such file or directory - while initializing database for realm MYDOM.LOCAL
> >>
> >> That looks like you also installed a MIT kerberos server as well, a
> >> Samba domain usually uses the Heimdal kerberos server it comes with.
> >
> > This DC was originally installed back in 2014 and perhaps that was what was
> > available then. I certainly didn't have the expertise to choose. Of course, that
> > message (above) is from trying to run the new samba 4.15.5, not the old one.
>
> Not being a slackware user, I do not know what was available when you
> first installed Samba as a DC, but back then it was even more
> experimental to use MIT as the kdc than it is now.
>
> A few distros chose not to supply Samba packages that could be
> provisioned as a DC, others supplied packages that had been built with
> MIT, but didn't tell anyone that they should be treated as experimental.
Well, back then I tried Zentyal and building the DC with Debian, but nothing was
working. Slackware's Samba just worked, out of the box, as a DC (aside from
config tweaking), so I've stuck with it. It's worked fine through multiple Samba
upgrades, but this is a bit different.
> You should be able to find out if your Samba packages were built with
> MIT by running:
>
> smbd -b | grep HAVE_LIBKADM5SRV_MIT
>
> You should get nothing returned if Samba was built using the built in
> Heimdal. If this is the case, you need to check if you have the MIT
> kerberos kdc installed and if so, I suggest you remove it, you can only
> have one kdc.
>
> If you get back 'HAVE_LIBKADM5SRV_MIT', then your Samba packages were
> built with MIT. At this point you will need to decide if you can accept
> using something that is experimental, or find slackware Samba packages
> that are not built using MIT.
I'm going to boot back to the 4.8.2 version today (hopefully temporarily) and I
can check this out.
> > I have routinely upgraded the OS including Samba since.
> >
> >>> At that point I decided to read the Wiki:
> >>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
> >>>
> >>> [deleted]
> >>
> >> That wiki page is indeed for setting up a new domain, to join another
> >> DC, you need this page:
> >>
> >> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
> >>
> >> But before you do anything, I would check if you are running a separate
> >> kdc and if you are, stop and remove it.
> >
> > I'm certainly running some kerberos. My original provisioning gave the message,
> > "A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf"
>
> That is the kerberos conf file to use as /etc/krb5.conf
>
> >
> > My notes also say, "This Samba4 utilizes the Heimdal implementation of
> > Kerberos", so is it possible I am (or rather 'was') running Heimdal? I also have
> > zone files showing "krb5 servers". And I do have a /var/lib/samba/private/krb5.conf.
>
> It sounds entirely possible that you were using Samba with its builtin
> Heimdal kdc, though I do think that the krb5.conf is supplied if you don't.
>
> > I'm beginning to think I need to actually reprovision. Aside from the
> > kerberos question, I initially provisioned with --dns-backend=BIND9_FLATFILE,
> > which I believe is now deprecated. The FLATFILE was easy as I only needed minor
> > tweaks to a non-DC bind configuration. Probably I can't just install and
> > configure bits and pieces (like kerberos) and get this running using mostly
> > 4.8.2 configs, right?
>
> Well, it is probably impossible to just change bits and pieces, tweak
> conf files, yes, change a bit here and there, no.
>
> >
> > here's my original provision command:
> >
> > /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
> > --server-role='dc' --realm=hprs.local --domain=HPRS \
> > --adminpass='password' --dns-backend=BIND9_FLATFILE \
> > --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>
> You built Samba yourself by the look of it and I remember you now,
> aren't you something to do with a police retirement fund?
Yes, Ohio Highway Patrol Retirement System. I normally post messages from there,
but from the DC and that's down right now! Good memory! You were instrumental in
helping with the various config tweaks I needed. Having not posted in a while
indicates everything's been running well.
I did use that samba-tool command manually, but I did so based on the wiki docs.
But yes, I did build 4.8.2 manually in 2018 from a download to fix some issue that
version addressed, but it was (and still is) beyond the distro's 14.2 final
version of 4.6.16.
> > Do you agree, or are there a few things I can do to make things work with 4.15.5?
>
> If you did build Samba yourself and you have now installed Samba from
> Slackware packages, you could now have Samba in two places. This could
> be a good thing, because it is highly likely that your original Samba is
> untouched.
>
> You should be able to upgrade your dns server quite easily with
> 'samba_dnsupdate'.
>
> Rowland
After thinking about it, I really can't simply re-provision from scratch. The
databases have all the user credentials, group policies, etc. I'm going to do
two things:
1. Put the DC back to Samba 4.8.2 so everything works and I can answer the
questions about kerberos, etc.
2. Stage this 4.15.5 on another computer and follow your advice on joining
another DC. If that is successful, I suppose I can switch to the new DC and
retire the original?
Thanks --Mark
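The two checks Rowland asks for above (was Samba built against MIT Kerberos, and is a separate MIT KDC installed next to it) written out as one small POSIX shell pre-flight script. This is an added example, not code from either message or from the Samba project: the `HAVE_LIBKADM5SRV_MIT` define, the `krb5kdc` daemon name and the `/var/kerberos/krb5kdc/principal` path are the ones that appear in the thread; the function names, the verdict wording and the sample inputs are constructed here so the checks can be run offline before pointing them at a real DC.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-flight checks for a Samba AD DC
# upgrade, covering the two things Rowland asks Mark to verify. Each check
# takes its input as text so it can be exercised offline; the sample values
# used when testing are constructed, not taken from Mark's machine.

# Which Kerberos library was Samba built against?  `smbd -b` lists the
# build-time defines, and HAVE_LIBKADM5SRV_MIT only appears for an MIT build.
kerberos_backend_from_build() {
    if printf '%s\n' "$1" | grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo heimdal
    fi
}

# Is a separate MIT KDC present alongside Samba?  Looks for a krb5kdc process
# in a `ps -eo comm=` listing and for the MIT principal database (the path
# from the syslog line in the thread). Returns 0 when either is found.
separate_kdc_indicators() {
    ps_listing=$1
    principal_db=$2
    found=0
    if printf '%s\n' "$ps_listing" | grep -q '^[[:space:]]*krb5kdc[[:space:]]*$'; then
        echo "krb5kdc process is running"
        found=1
    fi
    if [ -e "$principal_db" ]; then
        echo "MIT principal database exists at $principal_db"
        found=1
    fi
    [ "$found" -eq 1 ]
}

# Combine both checks into one verdict: a Heimdal build with a stray MIT KDC
# is the case Rowland describes (remove the extra KDC, a DC runs only one);
# an MIT build is flagged as the configuration he calls experimental.
dc_kerberos_verdict() {
    backend=$(kerberos_backend_from_build "$1")
    if separate_kdc_indicators "$2" "$3" >/dev/null; then
        kdc=present
    else
        kdc=absent
    fi
    case "$backend/$kdc" in
        heimdal/absent)  echo "ok: built-in Heimdal KDC, no conflicting KDC found" ;;
        heimdal/present) echo "action: remove the separate MIT KDC, a DC can only run one KDC" ;;
        mit/*)           echo "warning: Samba built with MIT Kerberos, treated as experimental" ;;
    esac
}

# When run on a host that actually has Samba installed, check the live system.
if command -v smbd >/dev/null 2>&1; then
    dc_kerberos_verdict "$(smbd -b 2>/dev/null)" "$(ps -eo comm=)" /var/kerberos/krb5kdc/principal
fi
```

Run it on the DC as root before touching the configs; the `action:` line is the one to act on, since both Rowland's advice and the `krb5kdc` syslog error at the top of the thread point at a second KDC trying to start alongside Samba's own.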