
Re: [Samba] Upgrading Samba




On Wed, 6 Feb 2019 17:18:05 +0400
Henri Transfert via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Thank you Rowland for your answer.
> I reply inline.
> 
> > 
> > On Wed, 6 Feb 2019 15:20:56 +0400
> > henri transfert via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> > > Hello all,
> > >
> > > I've planned to upgrade a Samba DC from 4.6.7 to 4.9.4.
> > 
> > STOP!
> > 
> > Do not do this directly; reports on here have shown that this will
> > not work.
> > 
> > You will have to 'walk' up the versions; it may work if you go to
> > 4.8.3, then to 4.9.4, but you may have to go to 4.7.2 first.
> 
> OK, thanks for the warning. What will not work exactly?
> 
> So, what is the recommended path to upgrade?
> 1) from 4.6.7 to 4.7.2
> 2) then 4.7.2 to 4.8.3
> 3) then 4.8.3 to 4.9.4?

Not sure just what goes wrong, but upgrading directly from 4.7.x to
4.9.x caused Samba to work incorrectly; I presume the changes that went
into 4.8.0 are causing this. It didn't help that the first releases in
4.8 & 4.9 had problems as well. There was a thread on this subject on
here about 6-8 weeks ago.
 
> 
> Is there a doc on the wiki about this?

Not that I am aware.
 
> 
> > 
> > 
> > > For that I will use the following method :
> > >
> > >    - build a new DC from 4.9.4 sources (on CentOS 7)
> > 
> > Make sure you use Heimdal Kerberos, not the CentOS default MIT.
> I assume Heimdal Kerberos is the one used in 4.6.7.
> So I guess I will have to enforce Heimdal at compilation time
> (--with-system-heimdalkrb5 ?).

No, just install the Heimdal libs and it will get built with Heimdal;
you have to explicitly make it build with MIT.
 
> 
> > 
> > >    - join this new DC to the domain
> > >    - transfer the FSMO roles from the old DC (4.6.7) to the new DC
> > > (4.9.4)
> > >    - replicate the sysvoldir from old DC to new DC
> > >    - demote the old DC
> > >    - switch off the old DC
> > >
> > > Since I prefer to ask before facing any problems, are there any
> > > issues I should take care of? Especially from the 4.6 to the 4.9
> > > release, are there any big changes or incompatibilities that could
> > > be a potential source of trouble (Kerberos? default values?)?
> > > Would 4.8.8 be a better seamless option?
> > >
> > > The smb.conf of the old DC is :
> > > # Global parameters
> > > [global]
> > >         netbios name = OLD-DC
> > >         realm = MYDOM.MYCOMP.COM
> > >         workgroup = MYDOM
> > >         dns forwarder = 1.2.3.4
> > >         server role = active directory domain controller
> > >         idmap_ldb:use rfc2307 = yes
> > >         ldap server require strong auth = no
> > >         ntlm auth = yes
> > >         raw NTLMv2 auth = yes
> > 
> > Why are you still using the very insecure NTLMv1?
> An old requirement due to old XP clients. I guess I could remove it.

If the XP clients have gone away, then yes, I would remove it. If they
haven't, still remove it; it is easy to make XP use NTLMv2.

> 
> > 
> > >
> > > [netlogon]
> > >         path = /var/lib/samba/sysvol2/mydom.mycomp.com/scripts
> > >         read only = No
> > >         browseable = no
> > >
> > > [sysvol]
> > >         path = /var/lib/samba/sysvol2
> > >         read only = No
> > >         browseable = no
> > 
> > Does anybody know where setting 'browseable = no' on 'netlogon' &
> > 'sysvol' came from?
> > Totally redundant; there is no netbios browsing on a Samba AD DC,
> > it isn't in 'nbt'.
> If I remove "browsable=no", I can see shares netlogon and sysvol if
> I go to \\MY-SAMBA-DC. I want them to be hidden. Something wrong
> here?

Why do you want them hidden?

Rowland
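
An added example, not part of the original message and not Samba's own code: a small Python check that reads an smb.conf and reports the three authentication settings quoted in the thread above (`ntlm auth`, `raw NTLMv2 auth`, `ldap server require strong auth`) when they carry the weak values shown there. The sample config is constructed from the quoted smb.conf; the function names and the treatment of boolean spellings as synonyms are assumptions of this example.

```python
import re

# Constructed sample: the [global] settings quoted in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        netbios name = OLD-DC
        server role = active directory domain controller
        ldap server require strong auth = no
        ntlm auth = yes
        raw NTLMv2 auth = yes

[sysvol]
        path = /var/lib/samba/sysvol2
        read only = No
"""

TRUE = {"yes", "true", "1", "on"}    # assumption: boolean spellings are synonyms
FALSE = {"no", "false", "0", "off"}

# Normalised parameter name -> (values treated as weak, what they allow).
WEAK = {
    "ntlmauth": (TRUE | {"ntlmv1-permitted"}, "NTLMv1 logons accepted"),
    "rawntlmv2auth": (TRUE, "NTLMv2 without NTLMSSP accepted"),
    "ldapserverrequirestrongauth": (FALSE, "LDAP binds without signing or TLS accepted"),
}

def parse_global(text):
    """Return {normalised_name: value} for the [global] section only."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip().lower()
    return params

def audit(text):
    """Return sorted (parameter, value, reason) tuples for weak settings."""
    params = parse_global(text)
    return sorted((name, params[name], why)
                  for name, (bad, why) in WEAK.items() if params.get(name) in bad)

if __name__ == "__main__":
    for name, value, why in audit(SAMPLE_SMB_CONF):
        print(f"{name} = {value}: {why}")
```

Running it over the output of `testparm -s` rather than the raw file also picks up settings that come from included files.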
