samba - Aug 2023 - Samba shares and samba server residing on different physical machines

On 21/04/2023 15:11, E Kogler via samba wrote:
> Hi fellow Members!I'm Systems administrator at a school using SAMBA 4
as AD DC.
> As you know, WIN11 is at the doorstep and my "old" Samba4 Server
(4.9) doesn't serve Windows Servers (Server 2019) very well,
> e.g. the latest issue is that the domain administrator cannot access the
GPO's or other informations from the Samba-LDAP (authentication failure ?).
Probably the new 'date' feature (where it went from 2038 to sometime 
never), you need Samba >= 4.16.0 running as a DC.
> I think that it has possibly to do with the version of kerberos SAMBA 4.9
uses.I installed SAMBA 4.9 on debian using its package.Now I want to upgrade to
SAMBA 4.latest manually to be able to use patch-files being always up-to-date.
It sounds like you need to upgrade your version of Debian as well, if 
you use Debian 11 and Samba from backports, this will get you 4.17.7
> I was told to install SAMBA 4.latest on a different machine, join the
domain, do the provisioning,
No, you cannot join as a DC AND provision, the latter will get you an 
entirely new AD domain
> and shut down the old
> server.
Install the latest Debian 11 and use backports, install Samba, configure 
the machine to be a DC and then join it to your existing AD domain as a 
DC, transfer the FSMO roles from the existing DC to the new DC, demote 
the old DC and turn it off.
> My question is if I can keep all the shares and the respective data (we
have around 1200 users, using about 370 GB) on the "old" machine,
Anything in the AD database should be replicated to the new DC, but it 
also sounds like you have been using the existing DC as a fileserver, 
something that Samba (or Microsoft) does not recommend.

My advice, if this is the case, join another new DC (for failover, the 
more DC's the better), then reconfigure the old, original DC as a Unix 
domain member and use it as a fileserver.
> running only the AD DC and the new kerberos version compatible to WIN11 on
the "new" machine.
> In future, I'd like to transfer SAMBA 4.latest back to the original
machine, restoring the status quo.
 From the sound of it, the 'status quo' isn't really good enough.

We will probably need more info to advise further.

Rowland

Finally I have time to install samba 4.17.8 on my new machine.The join was
successful, but there's a new question popping up:
I want to use BIND9 backend? for DNS but the new machine is running a
slave-DNS.Can I follow the steps in the wiki as if it was my primary DNS ?
Edgar

    Am Freitag, 21. April 2023 um 16:42:57 MESZ hat Rowland Penny via samba
<samba at lists.samba.org> Folgendes geschrieben:
 
 

On 21/04/2023 15:11, E Kogler via samba wrote:
> Hi fellow Members!I'm Systems administrator at a school using SAMBA 4
as AD DC.
> As you know, WIN11 is at the doorstep and my "old" Samba4 Server
(4.9) doesn't serve Windows Servers (Server 2019) very well,
> e.g. the latest issue is that the domain administrator cannot access the
GPO's or other informations from the Samba-LDAP (authentication failure ?).
Probably the new 'date' feature (where it went from 2038 to sometime 
never), you need Samba >= 4.16.0 running as a DC.
> I think that it has possibly to do with the version of kerberos SAMBA 4.9
uses.I installed SAMBA 4.9 on debian using its package.Now I want to upgrade to
SAMBA 4.latest manually to be able to use patch-files being always up-to-date.
It sounds like you need to upgrade your version of Debian as well, if 
you use Debian 11 and Samba from backports, this will get you 4.17.7
> I was told to install SAMBA 4.latest on a different machine, join the
domain, do the provisioning,
No, you cannot join as a DC AND provision, the latter will get you an 
entirely new AD domain
> and shut down the old
> server.
Install the latest Debian 11 and use backports, install Samba, configure 
the machine to be a DC and then join it to your existing AD domain as a 
DC, transfer the FSMO roles from the existing DC to the new DC, demote 
the old DC and turn it off.
> My question is if I can keep all the shares and the respective data (we
have around 1200 users, using about 370 GB) on the "old" machine,
Anything in the AD database should be replicated to the new DC, but it 
also sounds like you have been using the existing DC as a fileserver, 
something that Samba (or Microsoft) does not recommend.

My advice, if this is the case, join another new DC (for failover, the 
more DC's the better), then reconfigure the old, original DC as a Unix 
domain member and use it as a fileserver.
> running only the AD DC and the new kerberos version compatible to WIN11 on
the "new" machine.
> In future, I'd like to transfer SAMBA 4.latest back to the original
machine, restoring the status quo.
 From the sound of it, the 'status quo' isn't really good enough.

We will probably need more info to advise further.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba

Dear List,finally my new Samba 4.17.9 is up and runnig on the desired machine
with all the FSMO roles transferred and the old DC demoted.
What I want to know now is how the smb.conf on my new DC should look like.Is it
only copy the smb.conf used so far to the new machine, does it stay on the old
machine ??
How do i write the path for the shares ?How are my users transferred ? ( Has it
been done with transferring the roles ?)
???
Edgar


    Am Freitag, 21. April 2023 um 16:42:57 MESZ hat Rowland Penny via samba
<samba at lists.samba.org> Folgendes geschrieben:
 
 

On 21/04/2023 15:11, E Kogler via samba wrote:
> Hi fellow Members!I'm Systems administrator at a school using SAMBA 4
as AD DC.
> As you know, WIN11 is at the doorstep and my "old" Samba4 Server
(4.9) doesn't serve Windows Servers (Server 2019) very well,
> e.g. the latest issue is that the domain administrator cannot access the
GPO's or other informations from the Samba-LDAP (authentication failure ?).
Probably the new 'date' feature (where it went from 2038 to sometime 
never), you need Samba >= 4.16.0 running as a DC.
> I think that it has possibly to do with the version of kerberos SAMBA 4.9
uses.I installed SAMBA 4.9 on debian using its package.Now I want to upgrade to
SAMBA 4.latest manually to be able to use patch-files being always up-to-date.
It sounds like you need to upgrade your version of Debian as well, if 
you use Debian 11 and Samba from backports, this will get you 4.17.7
> I was told to install SAMBA 4.latest on a different machine, join the
domain, do the provisioning,
No, you cannot join as a DC AND provision, the latter will get you an 
entirely new AD domain
> and shut down the old
> server.
Install the latest Debian 11 and use backports, install Samba, configure 
the machine to be a DC and then join it to your existing AD domain as a 
DC, transfer the FSMO roles from the existing DC to the new DC, demote 
the old DC and turn it off.
> My question is if I can keep all the shares and the respective data (we
have around 1200 users, using about 370 GB) on the "old" machine,
Anything in the AD database should be replicated to the new DC, but it 
also sounds like you have been using the existing DC as a fileserver, 
something that Samba (or Microsoft) does not recommend.

My advice, if this is the case, join another new DC (for failover, the 
more DC's the better), then reconfigure the old, original DC as a Unix 
domain member and use it as a fileserver.
> running only the AD DC and the new kerberos version compatible to WIN11 on
the "new" machine.
> In future, I'd like to transfer SAMBA 4.latest back to the original
machine, restoring the status quo.
 From the sound of it, the 'status quo' isn't really good enough.

We will probably need more info to advise further.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/options/samba