Luis Peromarta
2025-Jun-30 11:14 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
On 29 Jun 2025 at 22:26 +0100, Franta Hanzlík <franta at hanzlici.cz>, wrote:
>
> I have a small addition to this:
>
> - By using the demotion of the old DC and its permanent removal from the
> network and subsequent inclusion of a new VM with the same hostname, IP,
> etc., I aimed to achieve the same external characteristic and behavior
> after the upgrade as the original system had. And I would probably not
> need to use a temporary VM - the new DC would replace the old one 1:1.
> Or am I wrong?

This would be fine, and because you have a backup of the VMs, you're safe. Demote the DC that does not have the FSMO roles.

> - Both VMs are small, serving only as DCs, no fileserver, printserver,
> etc. And yes, on the current (old) system we use rfc2307 (so on each DC
> there is "idmap_ldb:use rfc2307 = yes" in smb.conf, and on the two Samba
> fileservers is "idmap config DOMAIN:backend = ad" in smb.conf).
> rfc2307 is used for Linux clients, their POSIX attributes such as UID,
> GID, homedir. I thought until now that if Linux clients also authenticate
> to Samba AD, then it is necessary to use rfc2307.
> Are you saying it is different, that rfc2307 can be canceled?
> The "rid" idmap backend will then be used on the fileserver instead of ad?
> And will tools like RSAT on Windows or samba-tool on Linux also allow
> us to enter POSIX parameters? Or are they assigned somehow automatically?
> On the current old system we enter POSIX parameters manually, so some
> simplification or automation would be welcome...

If you use AD idmapping in your member servers, that's fine, continue with it. You can - however - safely remove the line from your DCs. Reasons explained in the link.

> Regarding using Debian distro - we have been using Fedora for a long time
> now because we know it. And we compile Samba packages for DC ourselves,
> with Heimdal Kerberos (Fedora has MIT, I'm not sure how suitable it is
> for production deployment, I think it is still marked as experimental).
> I don't know if switching to Debian would cause some confusion and damage,
> when it will be new for us. IMO there will not be much difference in
> functionality, although support in Debian is probably greater today than
> in Fedora.

I'd use Debian, distro of choice for all things Samba.
Franta Hanzlík
2025-Jul-07 17:49 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
On Mon, 30 Jun 2025 12:14:24 +0100 Luis Peromarta via samba <samba at lists.samba.org> wrote:
> On 29 Jun 2025 at 22:26 +0100, Franta Hanzlík <franta at hanzlici.cz>, wrote:
> >
> > I have a small addition to this:
> >
> > [...]
>
> I'd use Debian, distro of choice for all things Samba.
> --

I shouldn't have written the morning email about how well everything is going. Current upgrade issues we can't figure out:

1) Debian 12 VM installed without any problems, as did the backports version of Samba (4.22.2-Debian-4.22.2+dfsg-1~bpo12+1) and BIND named (9.18.33-1~deb12u2-Debian). But now there's a problem: Debian named seems not to be built with dlopen support (empty output of named -V|grep -E 'dlopen'). What now? Compiling named on a system I know little about will be a problem. Moreover, the VM is tiny, 8GB image incl. swap, not well suited for compilation.

2) Problem with Samba DB check on the DC with the FSMO roles (and OK on the second):

On dc2-lynx (no FSMO):

[root at dc2-lynx etc]# samba-tool dbcheck --cross-ncs
Checking 4017 objects
Checked 4017 objects (0 errors)

On dc1 (has FSMO) /! report only 4016 objects!/:

[root at dc1 etc]# samba-tool dbcheck --cross-ncs
Checking 4016 objects
WARNING: no target object found for GUID component for one-way forward link member in object CN=zaci,OU=Groups,DC=zamecek,DC=home - <GUID=49cd2c7a-33ad-4008-8410-b545abb311d1>;<RMD_ADDTIME=131970580730000000>;<RMD_CHANGETIME=131970580730000000>;<RMD_FLAGS=0>;<RMD_INVOCID=cc2c8197-4044-4c9d-a278-08e292857683>;<RMD_LOCAL_USN=9857>;<RMD_ORIGINATING_USN=9857>;<RMD_VERSION=1>;<SID=S-1-5-21-9998-9997-9996-118726>;CN=klimes_j,OU=Z,DC=zamecek,DC=home
Not removing dangling forward link
ERROR(<type 'exceptions.TypeError'>): uncaught exception - 'ldb.Dn' object is not iterable
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 222, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 2245, in check_object
    for val in obj[attrname]:

'samba-tool dbcheck --cross-ncs --fix' isn't able to fix this, and an internet search was not successful. Could some form of "samba-tool drs replicate" help?

3) Problem with demoting dc2-lynx (the no-FSMO DC): If I ignore the previous dbcheck error and want to demote dc2-lynx, I get the error:

[root at dc2-lynx etc]# samba-tool domain demote -U 'administrator%$PW'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using dc1.zamecek.home as partner server for the demotion
Using binding ncacn_ip_tcp:dc1.zamecek.home[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name dc1.zamecek.home<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name dc1.zamecek.home<0x20>
Deactivating inbound replication
Asking partner server dc1.zamecek.home to synchronize from us
Error while replicating out last local changes from 'DC=zamecek,DC=home' for demotion, re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync for partition 'DC=zamecek,DC=home' - (58, 'WERR_BAD_NET_RESP')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 855, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

From the traffic between both DCs captured by Wireshark, dc2-lynx requests (among other things) from dc1 the _kerberos.DC1.ZAMECEK.HOME DNS TXT record (and then gradually the _kerberos.ZAMECEK.HOME and _kerberos.HOME TXT records), which do not exist - not sure whether this may be the problem. Please, any idea about solving this?

-- TIA, Franta Hanzlik
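The dbcheck warning in issue 2 above prints a linked-attribute value in Samba's extended-DN form: a chain of `<NAME=value>` components (object GUID, SID, and the RMD_* replication metadata) followed by the plain target DN. As an added example, not code from the thread or from Samba's own dbchecker, here is a stdlib-only Python parser for that form that converts the RMD_* timestamps from NT time and reports active forward links whose target GUID matches no object in a given GUID set. The first sample value is the one from the dbcheck output above; the second member value and the GUID set are constructed.

```python
"""Parse the linked-attribute values samba-tool dbcheck prints and flag forward
links whose target GUID has no object behind it (added example, stdlib only)."""
import re
from datetime import datetime, timedelta, timezone

COMPONENT_RE = re.compile(r"^<([A-Z_]+)=([^>]*)>$")  # one <NAME=value> part
_NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # NT time: 100-ns ticks since then
DSDB_RMD_FLAG_DELETED = 1  # RMD_FLAGS bit: link deactivated because its target was deleted

# First value: the dangling link from the post's dbcheck output; second: constructed healthy member.
SAMPLE_MEMBERS = [
    "<GUID=49cd2c7a-33ad-4008-8410-b545abb311d1>;<RMD_ADDTIME=131970580730000000>;"
    "<RMD_CHANGETIME=131970580730000000>;<RMD_FLAGS=0>;"
    "<RMD_INVOCID=cc2c8197-4044-4c9d-a278-08e292857683>;<RMD_LOCAL_USN=9857>;"
    "<RMD_ORIGINATING_USN=9857>;<RMD_VERSION=1>;<SID=S-1-5-21-9998-9997-9996-118726>;"
    "CN=klimes_j,OU=Z,DC=zamecek,DC=home",
    "<GUID=00000000-1111-2222-3333-444444444444>;<RMD_ADDTIME=131970580730000000>;"
    "<RMD_CHANGETIME=131970580730000000>;<RMD_FLAGS=0>;<RMD_VERSION=1>;"
    "CN=novak_p,OU=Z,DC=zamecek,DC=home",
]
EXISTING_GUIDS = {"00000000-1111-2222-3333-444444444444"}  # constructed stand-in for all objectGUIDs


def nttime_to_datetime(ticks):
    """Convert an RMD_ADDTIME / RMD_CHANGETIME value to a UTC datetime."""
    return _NT_EPOCH + timedelta(microseconds=int(ticks) // 10)


def parse_extended_dn(value):
    """Return the <NAME=value> components as a dict, plus the target DN under 'dn'."""
    components, parts = {}, value.split(";")
    for i, part in enumerate(parts):
        m = COMPONENT_RE.match(part)
        if not m:  # first non-component part begins the plain target DN
            components["dn"] = ";".join(parts[i:])
            break
        components[m.group(1)] = m.group(2)
    return components


def find_dangling_links(member_values, existing_guids):
    """(target_dn, guid, added_at) for every active link whose GUID matches no object."""
    dangling = []
    for value in member_values:
        comp = parse_extended_dn(value)
        guid = comp.get("GUID", "").lower()
        if not guid or guid in existing_guids:
            continue
        if int(comp.get("RMD_FLAGS", "0")) & DSDB_RMD_FLAG_DELETED:
            continue  # deactivated link: a missing tombstone is a different problem
        dangling.append((comp.get("dn", ""), guid, nttime_to_datetime(comp["RMD_ADDTIME"])))
    return dangling
```

On a real DC the GUID set would be built from an ldb search over objectGUID (including deleted objects); the added timestamp tells you whether the link predates the last known good dbcheck run.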