Updating Samba: Difference between revisions

From SambaWiki
(Added "ID Mapping Configuration Verification" (4.6, domain members))
m (Rephrased sentences which version the information applies to)
Line 106: Line 106:
=== File Execution Permissions ===
=== File Execution Permissions ===


'''Updating to 4.0.0 and later.'''
'''4.0.0 and later'''


Previously, Samba did not check the execution bit of files. As a consequence, users could execute files, such as <code>*.exe</code> and <code>*.bat</code>, on a share, if the x-bit was not set. Samba has been enhanced and now denies to execute a file if the x-bit is not set. In situations, such as when upgrading from a previous version, your executable files can be missing the x-bit. As a workaround, you can enable the old behaviour, if you set the following parameter for individual shares or in the <code>[global]</code> section:
Previously, Samba did not check the execution bit of files. As a consequence, users could execute files, such as <code>*.exe</code> and <code>*.bat</code>, on a share, if the x-bit was not set. Samba has been enhanced and now denies to execute a file if the x-bit is not set. In situations, such as when upgrading from a previous version, your executable files can be missing the x-bit. As a workaround, you can enable the old behaviour, if you set the following parameter for individual shares or in the <code>[global]</code> section:
Line 118: Line 118:
=== The <code>ntvfs</code> File Server Back End Has Been Disabled ===
=== The <code>ntvfs</code> File Server Back End Has Been Disabled ===


'''Updating to 4.5.0 and later.'''
'''4.5.0 and later'''


Previously, Samba enabled users to provision a domain controller (DC) using the <code>ntvfs</code> file server back end. This back end was never supported, and thus the <code>ntvfs</code> feature is no longer build by default in Samba 4.5.0. Consequently, starting the <code>samba</code> service on a DC using the <code>ntvfs</code> back end failed after the update and the following error is logged:
Previously, Samba enabled users to provision a domain controller (DC) using the <code>ntvfs</code> file server back end. This back end was never supported, and thus the <code>ntvfs</code> feature is no longer build by default in Samba 4.5.0. Consequently, starting the <code>samba</code> service on a DC using the <code>ntvfs</code> back end failed after the update and the following error is logged:
Line 133: Line 133:
=== Fixing replPropertyMetaData Attributes ===
=== Fixing replPropertyMetaData Attributes ===


'''Updating to 4.5.0 and later.'''
'''4.5.0 and later'''


Samba versions prior to 4.5.0 stored the <code>replPropertyMetaData</code> attribute incorrectly. As a consequence, administrators could experience, for example, renaming conflicts. The problem has been fixed in 4.5.0 and later versions and Samba now stores the attribute correctly. The <code>samba-tool</code> utility has been enhanced to detect incorrectly stored <code>replPropertyMetaData</code> attributes:
Samba versions prior to 4.5.0 stored the <code>replPropertyMetaData</code> attribute incorrectly. As a consequence, administrators could experience, for example, renaming conflicts. The problem has been fixed in 4.5.0 and later versions and Samba now stores the attribute correctly. The <code>samba-tool</code> utility has been enhanced to detect incorrectly stored <code>replPropertyMetaData</code> attributes:
Line 160: Line 160:
=== Failure To Access Shares on Domain Controllers If <code>idmap config</code> Parameters Set in the <code>smb.conf</code> File ===
=== Failure To Access Shares on Domain Controllers If <code>idmap config</code> Parameters Set in the <code>smb.conf</code> File ===


'''Updating to 4.4.6 or later.'''
'''4.4.6 or later'''


The <code>winbindd</code> service on a Samba Active Directory (AD) domain controller (DC) automatically uses the IDs set in the Active Directory <code>uidNumber</code> and <code>gidNumber</code> attributes of user accounts and groups. If the attributes are not set, Samba generates IDs locally on the DC and stores them in the <code>idmap.ldb</code> database. Thus, on a Samba AD DC, <code>idmap config</code> parameters set in the <code>smb.conf</code> file were ignored. Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and clients fail to connect to shares on the DC. To fix the problem:
The <code>winbindd</code> service on a Samba Active Directory (AD) domain controller (DC) automatically uses the IDs set in the Active Directory <code>uidNumber</code> and <code>gidNumber</code> attributes of user accounts and groups. If the attributes are not set, Samba generates IDs locally on the DC and stores them in the <code>idmap.ldb</code> database. Thus, on a Samba AD DC, <code>idmap config</code> parameters set in the <code>smb.conf</code> file were ignored. Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and clients fail to connect to shares on the DC. To fix the problem:
Line 173: Line 173:
=== New Default for LDAP Connections Requires Strong Authentication ===
=== New Default for LDAP Connections Requires Strong Authentication ===


'''Updating to 4.4.1 or later / 4.3.7 or later / 4.2.10 or later.'''
'''4.4.1 or later / 4.3.7 or later / 4.2.10 or later'''


The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new <code>smb.conf</code> option for the Active Directory (AD) LDAP server to enforce strong authentication. The default for this new option <code>ldap server require strong auth</code> is <code>yes</code> and allows only simple binds over TLS encrypted connections. In consequence, external applications that connect to AD using LDAP, cannot establish a connection if they do not use or support TLS encrypted connections.
The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new <code>smb.conf</code> option for the Active Directory (AD) LDAP server to enforce strong authentication. The default for this new option <code>ldap server require strong auth</code> is <code>yes</code> and allows only simple binds over TLS encrypted connections. In consequence, external applications that connect to AD using LDAP, cannot establish a connection if they do not use or support TLS encrypted connections.
Line 188: Line 188:
=== AD Database Cleanup of Deleted LDAP DNS Entries ===
=== AD Database Cleanup of Deleted LDAP DNS Entries ===


'''Updating to 4.1.12 or later.'''
'''4.1.12 or later'''


Previously, Samba incorrectly created deleted Active Directory (AD) objects for removed DNS entries. The problem has been fixed. If you start the first Domain Controller (DC) with a fixed Samba version, all deleted objects are removed. As a result, this can result in a slow performance until the deleted objects are removed.
Previously, Samba incorrectly created deleted Active Directory (AD) objects for removed DNS entries. The problem has been fixed. If you start the first Domain Controller (DC) with a fixed Samba version, all deleted objects are removed. As a result, this can result in a slow performance until the deleted objects are removed.
Line 196: Line 196:
=== Incorrect TLS File Permissions ===
=== Incorrect TLS File Permissions ===


'''Updating to 4.1.2 or later / 4.0.12 or later.'''
'''4.1.2 or later / 4.0.12 or later'''


Previously, Samba created the <code>*.pem</code> files used for LDAP TLS encryptions with insecure permissions. To avoid insecure connections, delete the files on all domain controllers (DC):
Previously, Samba created the <code>*.pem</code> files used for LDAP TLS encryptions with insecure permissions. To avoid insecure connections, delete the files on all domain controllers (DC):
Line 208: Line 208:
=== Fixing Dynamic DNS Update Problems ===
=== Fixing Dynamic DNS Update Problems ===


'''Updating to 4.0.7 or later.'''
'''4.0.7 or later'''


See [[Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7|Fix DNS dynamic updates in Samba versions prior 4.0.7]] for details.
See [[Fix_DNS_dynamic_updates_in_Samba_versions_prior_4.0.7|Fix DNS dynamic updates in Samba versions prior 4.0.7]] for details.
Line 216: Line 216:
=== Fixing Incorrect Sysvol and Directory ACLs ===
=== Fixing Incorrect Sysvol and Directory ACLs ===


''' Updating from early 4.0.x versions, 4.0 beta and 4.0 release candidates.'''
''' When updating from early 4.0.x versions, 4.0 beta and 4.0 release candidates.'''


* To reset wrong Sysvol ACLs, run:
* To reset wrong Sysvol ACLs, run:
Line 234: Line 234:
=== ID Mapping Configuration Verification ===
=== ID Mapping Configuration Verification ===


'''Updating to 4.6.0 or later.'''
'''4.6.0 or later'''


Previously, Samba did not verified the ID mapping configuration in the <code>smb.conf</code> file on a domain member. Thus, users could set an incorrect ID mapping configuration, such as overlapping ID ranges or incorrect back ends for the default domain. Consequently, the <code>winbindd</code> service started and ID mapping failed or did not work as expected. The <code>testparm</code> utility has been enhanced and now reports incorrect ID mapping configurations. For example:
Previously, Samba did not verified the ID mapping configuration in the <code>smb.conf</code> file on a domain member. Thus, users could set an incorrect ID mapping configuration, such as overlapping ID ranges or incorrect back ends for the default domain. Consequently, the <code>winbindd</code> service started and ID mapping failed or did not work as expected. The <code>testparm</code> utility has been enhanced and now reports incorrect ID mapping configurations. For example:

Revision as of 08:49, 26 March 2017

Introduction

The following documentation describes the process of updating Samba to a newer version.

If you want to migrate a Samba NT4 domain to Samba Active Directory (AD), see Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade).


Common Misconceptions About Samba 4

The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However all newer versions include the features of previous versions - including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, just as you updated in the past - for example from 3.4.x to 3.5.x. There is no requirement to migrate an NT4-style domain to an AD.

Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace any of the PDC features. The Samba team understand the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally we continue testing the PDC support in our continuous integration system.



Updating Multiple Samba Domain Controllers

If you are updating multiple Samba Active Directory (AD) Domain Controllers (DC), the recommended order is:

  • Update one Samba AD DC that does not hold any flexible single master operations (FSMO) role.
  • Start Samba on the updated DC.
  • Verify that the directory replication between all DCs is working correctly:
# samba-tool drs showrepl
  • Test the installation to ensure that the new version works correctly.
  • Upgrade all other Samba DCs one at a time and always verify that the replication is working correctly.



The Update Process

Run the following steps, whether you are updating a Samba Active Directory (AD) domain controller (DC), a Samba NT4-style PDC, a Samba domain member, or a standalone installation:

  • Stop all Samba services.
  • Create a backup.
  • Read all release notes of versions since the one you are updating from. They contain important information on new features, changed parameter options, and so on.
  • Install the latest version over your existing one:
  • If you compile Samba from the sources, use the same configure options as used for your previous version. For more information, see Build Samba From the Sources.
  • If you update using packages, read the distribution documentation for information how to update.
  • Start Samba.
Start the same daemons as your previous version:
  • On Samba AD DCs: samba
  • On Samba NT4-style PDC/BDCs: smbd, nmbd
  • On Samba domain members: smbd, nmbd (winbind, if used)
  • On Samba standalone hosts: smbd
  • Check your Samba log files for errors.
  • Test your updated installation.



Samba AD DC Database Check

The samba-tool utility enables you to detect and fix problems in the Samba Active Directory (AD) database. For example, if a previous Samba version stored an attribute incorrectly and the updated version fixes the problem. You must run the check and fix command on every Samba AD DC locally, because some fixes apply to non-replicated attributes and modifications are not replicated to other DCs.

To check the AD database, run:

# samba-tool dbcheck --cross-ncs

To fix reported errors, run:

# samba-tool dbcheck --cross-ncs --fix

If you pass the --yes parameter to the command, all questions are automatically answered with yes. Note that if you omit the --yes parameter, the database check executes three fsync() calls for each object. This can result result in a longer run duration. For example, passing the --yes parameter to the command fixed 3500 objects in 10 seconds in our test environment. Without this parameter, the command required 4:50 minutes for the same operation.

After a repair, re-check the database to verify a successful operation.



Notable Enhancements and Changes

If you are updating Samba, always read the release notes of all versions between the previous and the one you are updating to. They contain important and additional information on new features, changed parameter options, and so on.

This section provides an overview about important changes that require your attention to fix problems of previous versions, avoid a negative performance impact, and so on.


Changes Affecting All Samba Installation Modes

File Execution Permissions

4.0.0 and later

Previously, Samba did not check the execution bit of files. As a consequence, users could execute files, such as *.exe and *.bat, on a share, if the x-bit was not set. Samba has been enhanced and now denies to execute a file if the x-bit is not set. In situations, such as when upgrading from a previous version, your executable files can be missing the x-bit. As a workaround, you can enable the old behaviour, if you set the following parameter for individual shares or in the [global] section:

acl allow execute always = yes


Samba Active Directory Domain Controllers

The ntvfs File Server Back End Has Been Disabled

4.5.0 and later

Previously, Samba enabled users to provision a domain controller (DC) using the ntvfs file server back end. This back end was never supported, and thus the ntvfs feature is no longer build by default in Samba 4.5.0. Consequently, starting the samba service on a DC using the ntvfs back end failed after the update and the following error is logged:

[2016/09/01 08:00:00.000000,  0, pid=995] ../source4/smbd/service.c:98(server_service_startup)
  Failed to start service 'smb' - NT_STATUS_INVALID_SYSTEM_SERVICE
[2016/09/01 08:00:00.000000,  0, pid=995] ../lib/util/become_daemon.c:111(exit_daemon)
  STATUS=daemon failed to start: Samba failed to start services, error code -1073741796

To fix the problem, migrate the file server back end on your DC to the supported s3fs back end. For details, see Migrating the ntvfs File Server Back End to s3fs.


Fixing replPropertyMetaData Attributes

4.5.0 and later

Samba versions prior to 4.5.0 stored the replPropertyMetaData attribute incorrectly. As a consequence, administrators could experience, for example, renaming conflicts. The problem has been fixed in 4.5.0 and later versions and Samba now stores the attribute correctly. The samba-tool utility has been enhanced to detect incorrectly stored replPropertyMetaData attributes:

# samba-tool dbcheck --cross-ncs

To fix the attributes, run:

# samba-tool dbcheck --cross-ncs --fix --yes
...
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000003
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000000
ERROR: unsorted attributeID values in replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

Fix replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com by sorting the attribute list? [YES]
Fixed attribute 'replPropertyMetaData' of 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

Note that the --yes parameter automatically fixes all problems found and not only the replPropertyMetaData attributes!

Run the check and fix operation on all Samba Domain Controllers (DC), because replPropertyMetaData is a non-replicated attribute and modifications are not replicated to other DCs.

For more information, see the Samba AD DC database check section.


Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File

4.4.6 or later

The winbindd service on a Samba Active Directory (AD) domain controller (DC) automatically uses the IDs set in the Active Directory uidNumber and gidNumber attributes of user accounts and groups. If the attributes are not set, Samba generates IDs locally on the DC and stores them in the idmap.ldb database. Thus, on a Samba AD DC, idmap config parameters set in the smb.conf file were ignored. Due to a bug in Samba 4.4.6 and later, the parameters are no longer ignored and clients fail to connect to shares on the DC. To fix the problem:

  • Remove all idmap config parameters in the smb.conf file on DCs.
  • Restart the samba service.
  • Restart the clients.

As a result, clients now correctly connect to shares on the DC.


New Default for LDAP Connections Requires Strong Authentication

4.4.1 or later / 4.3.7 or later / 4.2.10 or later

The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory (AD) LDAP server to enforce strong authentication. The default for this new option ldap server require strong auth is yes and allows only simple binds over TLS encrypted connections. In consequence, external applications that connect to AD using LDAP, cannot establish a connection if they do not use or support TLS encrypted connections.

Applications connecting to Samba AD using the LDAP protocol without encryption, will display the error message:

ldap_bind: Strong(er) authentication required (8)
       additional info: BindSimple: Transport encryption required.

For further information, see the 4.4.1, 4.3.7, or the 4.2.10 release notes.


AD Database Cleanup of Deleted LDAP DNS Entries

4.1.12 or later

Previously, Samba incorrectly created deleted Active Directory (AD) objects for removed DNS entries. The problem has been fixed. If you start the first Domain Controller (DC) with a fixed Samba version, all deleted objects are removed. As a result, this can result in a slow performance until the deleted objects are removed.


Incorrect TLS File Permissions

4.1.2 or later / 4.0.12 or later

Previously, Samba created the *.pem files used for LDAP TLS encryptions with insecure permissions. To avoid insecure connections, delete the files on all domain controllers (DC):

# rm /usr/local/samba/private/tls/*.pem

Restart Samba after you deleted the files to automatically re-create the new certificates.


Fixing Dynamic DNS Update Problems

4.0.7 or later

See Fix DNS dynamic updates in Samba versions prior 4.0.7 for details.


Fixing Incorrect Sysvol and Directory ACLs

When updating from early 4.0.x versions, 4.0 beta and 4.0 release candidates.

  • To reset wrong Sysvol ACLs, run:
# samba-tool ntacl sysvolreset
  • To reset all well known ACLs in the directory, run:
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
  • To fix errors in the Active Directory (AD) database, run:
# samba-tool dbcheck --cross-ncs --fix



Samba Domain Members

ID Mapping Configuration Verification

4.6.0 or later

Previously, Samba did not verified the ID mapping configuration in the smb.conf file on a domain member. Thus, users could set an incorrect ID mapping configuration, such as overlapping ID ranges or incorrect back ends for the default domain. Consequently, the winbindd service started and ID mapping failed or did not work as expected. The testparm utility has been enhanced and now reports incorrect ID mapping configurations. For example:

ERROR: The idmap range for the domain * (tdb) overlaps with the range of SAMDOM (ad)!
ERROR: Do not use the 'ad' backend as the default idmap backend!

Additionally, when using an incorrect ID mapping configuration, the winbindd service now fails to start and an error message is logged. For example:

[2017/03/01 12:00:00.000000,  0, pid=980] ../source3/winbindd/winbindd.c:1705(main)
  main: FATAL: Invalid idmap backend ad configured as the default backend!

Using Samba 4.6.0 and later, users are no longer able to use incorrect ID mapping configurations.

For further details, supported back ends on a domain member, and their configuration, see: