Difference between revisions of "Updating Samba"

(Fixing the replPropertyMetaData attributes (updating from < 4.5.0))
(Rewrote the "Updating Samba" page (formatting, wording, etc.))
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
This is a general documentation on how to update a Samba installation.
+
The following documentation describes the process of updating Samba to a newer version.
  
 +
If you want to migrate a Samba NT4 domain to Samba Active Directory (AD), see [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Migrating a Samba NT4 Domain to Samba Active Directory (Classic Upgrade)]].
  
  
  
 +
== Common Misconceptions About Samba 4 ==
  
= Common misconceptions about Samba 4 =
+
One of the common misconceptions is: <u>"Samba 4" means "Active Directory only": '''This is wrong.'''</u>
  
One of the common misconceptions is, that <u>Samba 4 automatically means „Active Directory only“: '''That's wrong!'''</u>
+
The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However all newer versions include the features of previous versions - including the NT4-style (classic) domain support. This means you can [[#The_Update_Process|update]] a Samba 3.x NT4-style PDC to a recent version, like you updated in the past - for example from 3.4.x to 3.5.x. There is no need to migrate an NT4-style domain to an AD.
  
Acting as a Active Directory Domain Controller is one of the enhancements, included in Samba 4. But version 4 is also just the next release after the 3.6 series and contain all features of the previous ones - including the NT4-style (classic) domain support. This means you can [[#Update_process|update a Samba 3.x NT4-style PDC to 4.x]], like you've updated it in the past (e. g. from 3.4.x to 3.5.x). You won't move your NT4-style domain to an Active Directory automatically!
+
Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace any for the PDC feature. The Samba team understand the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally we continue testing the PDC support in our continuous integration system.
  
And of course the possibility remains unchanged, to setup a new NT4-style PDC with Samba 4.x, like done in the past (e. g. with openLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures and for that reason there isn't a plan to decommission the classic PDC support. It remains tested by the continuous integration system.
 
  
The code that supports the classic Domain Controller is also the same code that supports the internal 'Domain' of standalone servers and Domain Member Servers. This means that we still use this code, even when not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.
 
  
  
  
 +
= Updating Multiple Samba Domain Controllers =
  
 +
If you are updating multiple Samba Active Directory (AD) Domain Controllers (DC), the recommended order is:
  
= Migrating a Samba NT4-style domain to Samba Active Directory =
+
* Update one Samba AD DC that is is not holding any flexible single master operations (FSMO) role.
  
If you plan to migrate a Samba NT4 domain to Samba Active Directory, you should follow the [[Setup_a_Samba_Active_Directory_Domain_Controller|Samba AD DC HowTo]] and the [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Classicupgrade HowTo]] instead!
+
* Start Samba on the updated DC.
  
 +
* Verify that the directory replication between all DCs is working correctly:
 +
# samba-tool drs showrepl
  
 +
* Test the installation to ensure that the new version works correctly.
  
 +
* Upgrade all other Samba DCs one at a time and always verify that the replication is working correctly.
  
  
= General notes =
 
  
''Note: Samba 4 is just the next release after 3.6. Samba 4 doesn't mean „Active Directory only“. You can simply update your NT4-style domain to the latest 4x version, like you had installed updates in the past.''
 
  
If the type of installation (Active Directory Domain Controller, NT4-style PDC, Member Server) does not change, you can simply follow the steps below to update.
 
  
 +
= The Update Process =
  
 +
Run the following steps, regardless if you are updating a Samba Active Directory (AD) domain controller (DC), a Samba NT4-style PDC, a Samba domain member, or a standalone installation:
  
 +
* Stop all Samba services.
  
 +
* Create a backup.
  
= Best Practices Updating Multiple Samba Domain Controllers =
+
* Read all release notes of versions since the one you are updating from. They contain important information on new features, changed parameter options, and so on.
  
When you plan to update multple Samba Active Directory Domain Controllers on your network, the recommended way is:
+
* Install the latest version over your existing one:
  
* Update one of the Samba AD DCs, that is is not holding any FSMO role.
+
:* If you compile Samba from the sources, use the same "configure" options like for your previous version. For more information, see [[Build_Samba_from_source#Viewing_Built_Options_of_an_Existing_Installation|Build Samba From the Sources]].
  
* Start Samba on the updated DC and check that the replication between all DCs work successful („samba-tool drs showrepl“).
+
:* If you update using packages, read the distribution documentation for information how to update.
  
* Verify the installation, to ensure that the new version work like expected.
+
* Start Samba.
 +
: Start the same daemons like for your previous version:
 +
:* On Samba AD DCs: samba
 +
:* On Samba NT4-style PDC/BDCs: smbd, nmbd
 +
:* On Samba domain members: smbd, nmbd (winbind, if used)
 +
:* On Samba standalone hosts: smbd
  
* Upgrade the other Samba DCs one at a time. Always make sure, that the replication is working properly.
+
* Check your Samba log files for errors.
  
 +
* Test your updated installation.
  
  
  
  
= Update process =
 
  
The following steps are the same, regardless if you update a Samba AD DC, Samba NT4-style PDC or Samba Member Server.
+
= Notable Enhancements and Changes =
  
* Stop all Samba services.
+
This section provides a list of notable enhancements and changes. In any case, read all release notes of versions between the previous and the new one. They contain important and additional information on new features, changed parameter options, and so on.
  
* Create a working backup!
 
  
* Read all release notes of versions since the one you are updating from! They will contain important and useful information i.e. parameters that have changed.
 
  
* Install the latest version over your existing one.
+
== All Samba Installations ==
  
:* If you compile Samba from source, download the latest version from [http://www.samba.org http://www.samba.org]. If you use the same "configure" options as for your previous version, Samba will be installed over the old binaries and will find its databases in the same place. But always check if some configure options have changed and need to be adapted!
+
=== File Execution Permissions ===
  
:* If you use packages, such as from [http://www.enterprisesamba.com/samba/ SerNet], check out the packagers information on how to install.
+
'''Updating to 4.0.0 and later'''
  
* Start Samba. You only have to start the same processes as you did before.
+
For more information, see [[Shares_with_POSIX_ACLs#Execute_bit_on_files|Execution of files]].
:* DC: samba
 
:* NT4-style PDC: smbd, nmbd
 
:* Member Server: smbd, nmbd (winbind, if you use it)
 
  
* Check your Samba logs for errors and problems.
 
  
* Test your new installed version.
 
  
 +
== Samba Active Directory Domain Controllers ==
  
 +
=== Fixing replPropertyMetaData Attributes ===
  
 +
'''Updating to 4.5.0 and later'''
  
 +
Samba versions prior 4.5.0 stored the replPropertyMetaData attribute incorrectly. As a consequence, administrators could experience renaming conflicts or bad failure modes. The problem has been fixed in 4.5.0 and later versions and Samba now stores the attribute correctly. Additionally, samba-tool has been enhanced to detect incorrectly stored replPropertyMetaData attributes:
  
= Update an early Samba 4 version on Samba Active Directory DCs =
+
# samba-tool dbcheck --cross-ncs
  
Early versions of Samba 4 (Beta, RC, early 4.0.x) had some issues e. g. incorrect SysVol and directory ACLs. The following commands will fix these problems after you have updated.
+
To fix the attributes, run:
  
* Reset well known ACLs in AD (without "--fix", it will only check the ACLs)
+
  # samba-tool dbcheck --cross-ncs --fix
  # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
+
...
 +
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000003
 +
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000000
 +
ERROR: unsorted attributeID values in replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 +
 +
Fix replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com by sorting the attribute list? [YES]
 +
Fixed attribute 'replPropertyMetaData' of 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
  
* Reset wrong SysVol ACLs (if you use the "sysvolcheck" option, it will check the ACLs instead)
+
Because the replPropertyMetaData attribute is not replicated, you have to run the command on every Active Directory (AD) domain controller (DC) in your forest. After a repair of all objects, run the command without the "--fix" option to verify a successful operation.
# samba-tool ntacl sysvolreset
 
  
* Fix errors in the AD database (without "--fix", it will only check for errors)
+
Please note that the repair operation requires some time to complete. For example: 3500 objects in 5 minutes in a VM laboratory test environment (1 vCPU, 1 GB RAM, HDD image located on SSSD).
# samba-tool dbcheck --cross-ncs --fix
 
  
  
  
 +
=== Default for LDAP Connections Requires Strong Authentication ===
  
 +
'''Updating to 4.4.1 or later / 4.3.7 or later / 4.2.10 or later)'''
  
= Other changes you should pay attention to, when updating =
+
The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory (AD) LDAP server to enforce strong authentication. The default for this new option "ldap server require strong auth" is "yes" and allows only simple binds over TLS encrypted connections. In consequence, external applications that connect to AD using LDAP, cannot establish a connection if they do not use or support TLS encrypted connections.
  
== File execution permissions when upgrading from 3x to 4x ==
+
Applications connecting to Samba AD using the LDAP protocol without encryption, are displaying error messages like:
  
See [[Shares_with_POSIX_ACLs#Execution_of_files|Execution of files]].
+
ldap_bind: Strong(er) authentication required (8)
 +
        additional info: BindSimple: Transport encryption required.
  
 +
For further information, see the [https://www.samba.org/samba/history/samba-4.4.1.html 4.4.1], [https://www.samba.org/samba/history/samba-4.3.7.html 4.3.7], or the [https://www.samba.org/samba/history/samba-4.2.10.html 4.2.10] release notes.
  
  
== On Samba Active Directory DC's ==
 
  
=== Fixing the replPropertyMetaData attributes (updating from < 4.5.0) ===
+
=== AD Database Cleanup of Deleted LDAP DNS Entries ===
  
Samba versions prior 4.5.0 stored the replPropertyMetaData attribute incorrectly. As a consequence, administrators could experience renaming conflicts or bad failure modes. The problem has been fixed in 4.5.0 and later versions and Samba now stores the attribute correctly. Additionally, samba-tool has been enhanced to detect incorrectly stored replPropertyMetaData attributes:
+
'''Updating to 4.1.12 or later'''
  
# samba-tool dbcheck --cross-ncs
+
Previously, Samba incorrectly created many deleted Active Directory (AD) objects for removed DNS entries. The problem has been fixed. If you start the first Domain Controller (DC) with a fixed Samba version, all deleted objects are removed. As a result, this can result in a slow performance until the deleted objects are removed.
  
To fix the attributes, run:
 
  
# samba-tool dbcheck --cross-ncs --fix
 
...
 
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000003
 
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000000
 
ERROR: unsorted attributeID values in replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
 
Fix replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com by sorting the attribute list? [YES]
 
Fixed attribute 'replPropertyMetaData' of 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
 
  
Because the replPropertyMetaData attribute is not replicated, you have to run the command on every AD DC in your forest. After a repair of all objects, run the command without the "--fix" option to verify a successful operation.
+
=== Incorrect TLS File Permissions ===
  
Please note that the repair operation requires some time to complete. For example: 3500 objects in 5 minutes (VM test environment: 1 vCPU, 1 GB RAM, HDD image located on SSSD).
+
'''Updating to 4.1.2 or later / 4.0.12 or later'''
  
 +
Previously, Samba created the *.pem files used for LDAP TLS encryptions with insecure permissions. To avoid insecure connections, delete the files on all domain controllers (DC):
  
 +
# rm /usr/local/samba/private/tls/*.pem
  
=== Default for LDAP Connections Requires Strong Authentication (updating from <=4.4.0, <=4.3.6 or <=4.2.9) ===
+
Restart Samba after you deleted the files to automatically re-create the new certificates.
  
''The following information might be relevant for you, if you're updating to a later version than mentioned above and have external applications connected over LDAP to your Active Directory:''
 
  
The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory LDAP server to enforce strong authentication. The default of this option ("ldap server require strong auth = yes") allows only simple binds over TLS encrypted connections. In consequence external applications that connect to Active Directory with LDAP can't establish a connection if they don't use or support TLS encrypted connections.
 
  
For further information, see the [https://www.samba.org/samba/history/samba-4.4.1.html 4.4.1], [https://www.samba.org/samba/history/samba-4.3.7.html 4.3.7], or the [https://www.samba.org/samba/history/samba-4.2.10.html 4.2.10] release notes.
+
=== Fixing dynamic DNS update problems ===
  
 +
'''Updating to 4.0.7 or later'''
  
 +
See [[Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7|Fix DNS dynamic updates in Samba versions prior 4.0.7]] for details.
  
=== AD database cleanup of deleted LDAP DNS entries (updating from <= 4.1.11) ===
 
  
Previous versions of Samba DC's contained a bug, that may lead to many deleted LDAP objects for removed DNS entries (partial fix for bug [https://bugzilla.samba.org/show_bug.cgi?id=10749 #10749]).
 
  
When the first DC with a version newer than 4.1.11 is started, these deleted objects are removed. Depending on the amount, this may result in slow performance until all the deleted objects from the previous version are removed.
+
=== Fixing incorrect Sysvol and Directory ACLs ===
  
 +
''' Updating from early 4.0.x versions, 4.0 beta and 4.0 release candidates'''
  
 +
* To reset wrong Sysvol ACLs, run:
 +
# samba-tool ntacl sysvolreset
  
=== Wrong TLS .pem file permissions (updating from <= 4.0.11 or 4.1.1) ===
+
* To reset all well known ACLs in the directory, run:
 +
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
  
* Remove TLS .pem files, because they were exposed by insecure permissions. They are re-created with correct permissions during the next Samba startup
+
* To fix errors in the Active Directory (AD) database, run:
  # rm /usr/local/samba/private/tls/*.pem
+
  # samba-tool dbcheck --cross-ncs --fix
  
  
  
=== Fixing dynamic DNS update problems (updating from < 4.0.7) ===
+
== Samba Domain Members ==
  
See [[Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7|Fix DNS dynamic updates in Samba versions prior 4.0.7]] for details.
+
No remarkable important changes.
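Review bot: a few typos in the rewritten text should be fixed before this revision is published: "Update one Samba AD DC that is is not holding" doubles "is"; "does not replace any for the PDC feature" in the misconceptions paragraph should read "does not replace the PDC feature"; the dbcheck timing note says "HDD image located on SSSD" where "SSD" is meant (SSSD is an unrelated daemon); the bold lead-in "Updating to 4.4.1 or later / 4.3.7 or later / 4.2.10 or later)" has an unmatched closing parenthesis; and "As a result, this can result in a slow performance" in the DNS cleanup section repeats "result".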

Revision as of 01:43, 19 August 2016

Introduction

The following documentation describes the process of updating Samba to a newer version.

If you want to migrate a Samba NT4 domain to Samba Active Directory (AD), see Migrating a Samba NT4 Domain to Samba Active Directory (Classic Upgrade).


Common Misconceptions About Samba 4

A common misconception is that "Samba 4" means "Active Directory only". This is wrong.

The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version the same way you updated in the past, for example from 3.4.x to 3.5.x. There is no need to migrate an NT4-style domain to AD.

Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace the PDC feature. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support, and the PDC support continues to be tested in the Samba continuous integration system.



Updating Multiple Samba Domain Controllers

If you are updating multiple Samba Active Directory (AD) Domain Controllers (DC), the recommended order is:

  • Update one Samba AD DC that is not holding any flexible single master operations (FSMO) role.
  • Start Samba on the updated DC.
  • Verify that the directory replication between all DCs is working correctly:
# samba-tool drs showrepl
  • Test the installation to ensure that the new version works correctly.
  • Upgrade all other Samba DCs one at a time and always verify that the replication is working correctly.
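Before touching a DC, the list above asks two questions: does this DC own an FSMO role, and is replication between all DCs healthy? The following shell functions answer both from captured samba-tool output; this is an added example, not part of the Samba wiki page, and it assumes the "samba-tool fsmo show" and "samba-tool drs showrepl" output formats shown in its constructed samples.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: pre-flight checks for the DC update order.
# Assumes the "samba-tool fsmo show" and "samba-tool drs showrepl" output formats
# sketched in the constructed samples below. On a real DC, feed in
# "$(samba-tool fsmo show)" and "$(samba-tool drs showrepl)" instead.

# Constructed sample: DC1 owns the FSMO roles, DC2 and DC3 own none.
FSMO_SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Constructed sample: showrepl output with one healthy and one failing inbound link.
SHOWREPL_BAD='Default-First-Site-Name\DC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Fri Aug 19 01:00:00 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Fri Aug 19 01:00:00 2016 CEST

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        Last attempt @ Fri Aug 19 01:05:00 2016 CEST failed, result 1256 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Thu Aug 18 23:00:00 2016 CEST'

# The same output after the DC3 link has recovered.
SHOWREPL_OK=$(printf '%s\n' "$SHOWREPL_BAD" \
    | sed -e 's/ failed, result .*/ was successful/' -e 's/3 consecutive failure/0 consecutive failure/')

# Exit status 0 if the DC named in $1 owns at least one FSMO role according to
# the "samba-tool fsmo show" output passed in $2.
holds_fsmo_role() {
    printf '%s\n' "$2" | grep -q "Role owner: CN=NTDS Settings,CN=$1,"
}

# Print the first DC from the space-separated list in $1 that owns no FSMO role,
# i.e. the DC to update first; exit status 1 (and no output) if every DC owns one.
first_dc_without_fsmo() {
    for dc in $1; do
        if ! holds_fsmo_role "$dc" "$2"; then
            printf '%s\n' "$dc"
            return 0
        fi
    done
    return 1
}

# Exit status 0 if the "samba-tool drs showrepl" output in $1 reports no failed
# attempt and no non-zero consecutive failure count on any replication link.
replication_healthy() {
    ! printf '%s\n' "$1" | grep -Eq 'Last attempt .* failed|[1-9][0-9]* consecutive failure'
}

# Stand-alone run: pick the first DC to update and gate the rollout on replication.
first_dc_without_fsmo "DC1 DC2 DC3" "$FSMO_SAMPLE"
replication_healthy "$SHOWREPL_BAD" || echo "replication problem, do not continue the rollout"
```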



The Update Process

Run the following steps regardless of whether you are updating a Samba Active Directory (AD) domain controller (DC), a Samba NT4-style PDC, a Samba domain member, or a standalone installation:

  • Stop all Samba services.
  • Create a backup.
  • Read all release notes of the versions since the one you are updating from. They contain important information on new features, changed parameter options, and so on.
  • Install the latest version over your existing one:
      • If you compile Samba from the sources, use the same "configure" options as for your previous version. For more information, see Build Samba From the Sources.
      • If you update using packages, read the distribution documentation for information on how to update.
  • Start Samba. Start the same daemons as for your previous version:
      • On Samba AD DCs: samba
      • On Samba NT4-style PDC/BDCs: smbd, nmbd
      • On Samba domain members: smbd, nmbd (winbind, if used)
      • On Samba standalone hosts: smbd
  • Check your Samba log files for errors.
  • Test your updated installation.



Notable Enhancements and Changes

This section provides a list of notable enhancements and changes. In any case, read all release notes of versions between the previous and the new one. They contain important and additional information on new features, changed parameter options, and so on.


All Samba Installations

File Execution Permissions

Updating to 4.0.0 and later

For more information, see Execution of files.


Samba Active Directory Domain Controllers

Fixing replPropertyMetaData Attributes

Updating to 4.5.0 and later

Samba versions prior to 4.5.0 stored the replPropertyMetaData attribute incorrectly. As a consequence, administrators could experience renaming conflicts or other bad failure modes. The problem has been fixed in 4.5.0 and later, and Samba now stores the attribute correctly. Additionally, samba-tool has been enhanced to detect incorrectly stored replPropertyMetaData attributes:

# samba-tool dbcheck --cross-ncs

To fix the attributes, run:

# samba-tool dbcheck --cross-ncs --fix
...
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000003
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

Fix replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com by sorting the attribute list? [YES]
Fixed attribute 'replPropertyMetaData' of 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

Because the replPropertyMetaData attribute is not replicated, you have to run the command on every Active Directory (AD) domain controller (DC) in your forest. After all objects have been repaired, run the command again without the "--fix" option to verify that the repair succeeded.

Note that the repair operation takes some time to complete: for example, 3500 objects in 5 minutes in a VM laboratory test environment (1 vCPU, 1 GB RAM, HDD image located on SSD).
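As an added example (not from the Samba wiki), the following shell functions evaluate captured samba-tool dbcheck output from one DC, using the "ERROR: unsorted attributeID values in replPropertyMetaData on <DN>" line shown above and dbcheck's closing "Checked N objects (M errors)" summary; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: evaluate captured "samba-tool dbcheck"
# output from one DC. It relies on two message formats: the "ERROR: unsorted
# attributeID values in replPropertyMetaData on <DN>" line shown on this page and
# dbcheck's closing "Checked N objects (M errors)" summary. Because the attribute
# is not replicated, each DC's output must be checked separately.

# Constructed sample: a check run (no --fix) on a DC that still has two bad objects.
DBCHECK_SAMPLE='Checking 3500 objects
ERROR: unsorted attributeID values in replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ERROR: unsorted attributeID values in replPropertyMetaData on CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
Checked 3500 objects (2 errors)'

# Constructed sample: the verification run after --fix completed.
DBCHECK_CLEAN='Checking 3500 objects
Checked 3500 objects (0 errors)'

# Print the DNs whose replPropertyMetaData still needs sorting, one per line.
unsorted_metadata_dns() {
    printf '%s\n' "$1" | sed -n 's/^ERROR: unsorted attributeID values in replPropertyMetaData on //p'
}

# Print the error count from the "Checked N objects (M errors)" summary line
# (empty if the run did not finish and no summary was written).
dbcheck_error_count() {
    printf '%s\n' "$1" | sed -n 's/^Checked [0-9]* objects (\([0-9]*\) errors)$/\1/p'
}

# Exit status 0 only when the summary reports zero errors, i.e. this DC is done.
dbcheck_verified() {
    [ "$(dbcheck_error_count "$1")" = "0" ]
}

# Stand-alone run: summarise the sample the way an operator would between runs.
if dbcheck_verified "$DBCHECK_SAMPLE"; then
    echo "dbcheck clean on this DC"
else
    echo "errors remaining on this DC: $(dbcheck_error_count "$DBCHECK_SAMPLE")"
    unsorted_metadata_dns "$DBCHECK_SAMPLE"
fi
```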


Default for LDAP Connections Requires Strong Authentication

Updating to 4.4.1 or later / 4.3.7 or later / 4.2.10 or later

The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory (AD) LDAP server to enforce strong authentication. The default for this new option, "ldap server require strong auth", is "yes", which allows simple binds only over TLS-encrypted connections. In consequence, external applications that connect to AD using LDAP cannot establish a connection if they do not use or support TLS-encrypted connections.

Applications that connect to Samba AD over LDAP without encryption display error messages like:

ldap_bind: Strong(er) authentication required (8)
       additional info: BindSimple: Transport encryption required.

For further information, see the 4.4.1, 4.3.7, or the 4.2.10 release notes.
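As an added example (not from the Samba wiki), the following shell function reports the effective value of "ldap server require strong auth" from the [global] section of an smb.conf, so you can tell which setting a DC will run with after the update; the smb.conf snippets are constructed, and the default "yes" is the one the release notes describe.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: report the effective value of
# "ldap server require strong auth" from the [global] section of an smb.conf.
# Parameter names are compared ignoring case and whitespace, as Samba does, and
# the last definition wins; when the parameter is absent the default "yes" applies.
# The smb.conf snippets are constructed.

SMBCONF_DEFAULT='[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller'

# Same DC with the check switched off: unencrypted simple binds are accepted again.
SMBCONF_WEAK='[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    Ldap Server Require Strong Auth = No

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.example.com/scripts
    read only = no'

# Print the effective setting ("yes", "no" or whatever value is configured, lower-cased).
ldap_strong_auth_setting() {
    value=$(printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == "ldapserverrequirestrongauth") {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
                print tolower(val)
            }
        }' | tail -n 1)
    printf '%s\n' "${value:-yes}"
}

# Exit status 0 when the DC would accept simple binds without transport encryption.
ldap_auth_is_weak() {
    [ "$(ldap_strong_auth_setting "$1")" = "no" ]
}

# Stand-alone run: clients failing with "Strong(er) authentication required (8)"
# should be moved to LDAPS or STARTTLS rather than the DC being weakened like this.
for cfg in "$SMBCONF_DEFAULT" "$SMBCONF_WEAK"; do
    if ldap_auth_is_weak "$cfg"; then
        echo "ldap server require strong auth = $(ldap_strong_auth_setting "$cfg") (unencrypted simple binds allowed)"
    else
        echo "ldap server require strong auth = $(ldap_strong_auth_setting "$cfg")"
    fi
done
```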


AD Database Cleanup of Deleted LDAP DNS Entries

Updating to 4.1.12 or later

Previously, Samba incorrectly created many deleted Active Directory (AD) objects for removed DNS entries. The problem has been fixed. When you start the first Domain Controller (DC) with a fixed Samba version, all of these deleted objects are removed, which can cause slow performance until the cleanup is complete.


Incorrect TLS File Permissions

Updating to 4.1.2 or later / 4.0.12 or later

Previously, Samba created the *.pem files used for LDAP TLS encryption with insecure permissions. To avoid insecure connections, delete the files on all domain controllers (DC):

# rm /usr/local/samba/private/tls/*.pem

Restart Samba after deleting the files; the certificates are re-created automatically.


Fixing dynamic DNS update problems

Updating to 4.0.7 or later

See Fix DNS dynamic updates in Samba versions prior 4.0.7 for details.


Fixing incorrect Sysvol and Directory ACLs

Updating from early 4.0.x versions, 4.0 beta and 4.0 release candidates

  • To reset wrong Sysvol ACLs, run:
# samba-tool ntacl sysvolreset
  • To reset all well known ACLs in the directory, run:
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
  • To fix errors in the Active Directory (AD) database, run:
# samba-tool dbcheck --cross-ncs --fix


Samba Domain Members

No notable changes.