Updating Samba: Difference between revisions

From SambaWiki
(Added information about "ldap server require storng auth = yes")
(Rewrote text for "ldap requires strong auth" changes.)
Revision as of 18:02, 28 April 2016

Introduction

This page is general documentation on how to update an existing Samba installation.



Common misconceptions about Samba 4

One common misconception is that Samba 4 automatically means „Active Directory only“. That's wrong!

Acting as an Active Directory Domain Controller is one of the enhancements included in Samba 4. But version 4 is also just the next release after the 3.6 series and contains all features of the previous ones, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to 4.x the same way you updated it in the past (e.g. from 3.4.x to 3.5.x). Your NT4-style domain will not be moved to Active Directory automatically!

And of course you can still set up a new NT4-style PDC with Samba 4.x, as done in the past (e.g. with an OpenLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures and for that reason there is no plan to decommission the classic PDC support. It remains tested by the continuous integration system.

The code that supports the classic Domain Controller is also the code that supports the internal 'Domain' of standalone servers and Domain Member Servers, so it stays in use even when Samba is not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.



Migrating a Samba NT4-style domain to Samba Active Directory

If you plan to migrate a Samba NT4 domain to Samba Active Directory, you should follow the Samba AD DC HowTo and the Classicupgrade HowTo instead!



General notes

Note: Samba 4 is just the next release after 3.6. Samba 4 doesn't mean „Active Directory only“. You can simply update your NT4-style domain to the latest 4.x version, as you installed updates in the past.

If the type of installation (Active Directory Domain Controller, NT4-style PDC, Member Server) does not change, you can simply follow the steps below to update.



Best Practices Updating Multiple Samba Domain Controllers

When you plan to update multiple Samba Active Directory Domain Controllers on your network, the recommended way is:

  • Update one of the Samba AD DCs that is not holding any FSMO role („samba-tool fsmo show“ lists the role owners).
  • Start Samba on the updated DC and check that replication between all DCs works („samba-tool drs showrepl“ must report no consecutive failures).
  • Verify the installation to ensure that the new version works as expected.
  • Upgrade the other Samba DCs one at a time. Always make sure that replication is working properly before moving on to the next DC.
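The two checks in the list above, as an added example that is not part of this wiki page or of the Samba project: both functions parse samba-tool output read from stdin, so they run here against constructed sample output and can be pointed at the live commands on a DC. The hostnames DC1/DC2/DC3, the realm samdom.example.com and the GUIDs in the samples are assumptions.

```shell
#!/bin/sh
# Added example (not from the Samba wiki or the Samba project): the two
# checks behind "update a DC that holds no FSMO role, then confirm
# replication". Hostnames, realm and GUIDs below are constructed.

# Constructed sample of `samba-tool fsmo show` (DC1 holds six roles, DC2 one).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Constructed sample of `samba-tool drs showrepl` as seen on DC2: the
# inbound partner DC3 is failing on the DomainDnsZones partition.
SAMPLE_SHOWREPL='Default-First-Site-Name\DC2
DSA Options: 0x00000001
DSA object GUID: 2b5d0b6e-3f3a-4f0e-9b1a-0c9a3e1d2f44
DSA invocationId: 7c1f9a2e-5d6b-4e8f-8a0d-3b2c1d0e9f88

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: 4a6bd92a-6612-4b15-aa3e-cf32a5f4ef9b
        Last attempt @ Thu Apr 28 18:02:03 2016 CEST was successful
        0 consecutive failure(s).
        Last success @ Thu Apr 28 18:02:03 2016 CEST

DC=DomainDnsZones,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: 9e8d7c6b-5a4f-4e3d-8c2b-1a0f9e8d7c6b
        Last attempt @ Thu Apr 28 17:58:41 2016 CEST failed, result 58 (WERR_BAD_NET_RESP)
        3 consecutive failure(s).
        Last success @ Thu Apr 28 16:00:12 2016 CEST'

# fsmo_roles_held HOST  < output-of-samba-tool-fsmo-show
# Print the FSMO roles whose owner is HOST's "NTDS Settings" object.
# Matching is case-insensitive because DN components may differ in case.
fsmo_roles_held() {
    awk -v dc="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        index(tolower($0), "owner: cn=ntds settings,cn=" dc ",") {
            sub(/ owner:.*/, ""); print
        }'
}

# repl_failures  < output-of-samba-tool-drs-showrepl
# Print "PARTITION PARTNER FAILURES" for every neighbour whose consecutive
# failure count is non-zero; exit 1 if any were found, 0 otherwise.
repl_failures() {
    awk '
        /^(DC|CN)=/                { part = $0 }        # naming context line
        / via (RPC|SMTP)/          { partner = $1 }     # "Site\DC via RPC"
        /consecutive failure\(s\)/ { if ($1 + 0 > 0) { print part, partner, $1 + 0; bad = 1 } }
        END                        { exit bad ? 1 : 0 }'
}

# Use the live commands when samba-tool is installed, the samples otherwise.
if command -v samba-tool >/dev/null 2>&1; then
    me=$(hostname -s); fsmo_out=$(samba-tool fsmo show); repl_out=$(samba-tool drs showrepl)
else
    me=DC2; fsmo_out=$SAMPLE_FSMO; repl_out=$SAMPLE_SHOWREPL
fi

roles=$(printf '%s\n' "$fsmo_out" | fsmo_roles_held "$me")
if [ -n "$roles" ]; then
    echo "$me holds FSMO role(s); update a DC without roles first:"; echo "$roles"
else
    echo "$me holds no FSMO role; it can be updated first"
fi
if printf '%s\n' "$repl_out" | repl_failures; then
    echo "replication healthy"
else
    echo "replication failures listed above; resolve them before updating the next DC"
fi
```

On a real DC both samba-tool commands need access to the private sam.ldb, so run the script as root; the parsing itself is the same for live and sample output.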



Update process

The following steps are the same regardless of whether you update a Samba AD DC, a Samba NT4-style PDC or a Samba Member Server.

  • Stop all Samba services.
  • Create a working backup!
  • Read all release notes of the versions since the one you are updating from! They contain important and useful information, e.g. parameters that have changed or whose defaults have changed.
  • Install the latest version over your existing one.
      • If you compile Samba from source, download the latest version from http://www.samba.org. If you use the same "configure" options as for your previous version, Samba is installed over the old binaries and finds its databases in the same place. But always check whether some configure options have changed and need to be adapted!
      • If you use packages, such as those from SerNet, check the packager's information on how to install.
  • Start Samba. You only have to start the same processes as you did before.
      • DC: samba
      • NT4-style PDC: smbd, nmbd
      • Member Server: smbd, nmbd (winbind, if you use it)
  • Check your Samba logs for errors and problems.
  • Test your newly installed version.



Update an early Samba 4 version on Samba Active Directory DCs

Early versions of Samba 4 (Beta, RC, early 4.0.x) had some issues, e.g. incorrect SysVol and directory ACLs. The following commands fix these problems after you have updated. Run each one without its fix option first to see what would be changed.

  • Reset well known ACLs in AD (without "--fix", it will only check the ACLs)
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
  • Reset wrong SysVol ACLs (if you use the "sysvolcheck" option, it will check the ACLs instead)
# samba-tool ntacl sysvolreset
  • Fix errors in the AD database (without "--fix", it will only check for errors)
# samba-tool dbcheck --cross-ncs --fix



Other changes you should pay attention to, when updating

File execution permissions when upgrading from 3.x to 4.x

See Execution of files.


On Samba Active Directory DCs

Default for LDAP Connections Requires Strong Authentication (updating from <=4.4.0, <=4.3.6 or <=4.2.9)

The following information is relevant for you if you are updating to a version later than those mentioned above and have external applications connected over LDAP to your Active Directory:

The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory LDAP server to enforce strong authentication. Its default, "ldap server require strong auth = yes", accepts simple (plaintext password) binds only over TLS encrypted connections (ldaps:// or STARTTLS); on unencrypted connections only SASL binds that negotiate signing or sealing are accepted. In consequence, external applications that bind to Active Directory with a plain username and password over unencrypted LDAP can no longer connect until they are switched to TLS or to SASL (GSSAPI) with signing or sealing. The option is global and applies as soon as the updated DC starts, also when smb.conf does not mention it, so check your LDAP clients before the restart. Setting it back to "no" restores the previous behaviour, at the cost of accepting unprotected binds again.

For further information, see the 4.4.1, 4.3.7, or the 4.2.10 release notes.


AD database cleanup of deleted LDAP DNS entries (updating from <= 4.1.11)

Previous versions of Samba DCs contained a bug that may lead to many deleted LDAP objects for removed DNS entries (partial fix for bug #10749).

When the first DC with a version newer than 4.1.11 is started, these deleted objects are removed. Depending on the amount, this may result in slow performance until all the deleted objects from the previous version are removed.


Wrong TLS .pem file permissions (updating from <= 4.0.11 or 4.1.1)

  • Remove the TLS .pem files, because they were exposed by insecure permissions. Samba re-creates them with correct permissions, as a new self-signed certificate and key, the next time it starts. If you deployed your own certificate and key in this directory instead of the generated ones, do not delete them; correct their permissions instead so that the private key is readable only by its owner.
# rm /usr/local/samba/private/tls/*.pem
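A check to go with the step above, as an added example (not from this wiki page or from the Samba project): it lists the .pem files in the TLS directory whose group or other permission bits are set, which is the exposure the fix addressed, so you can confirm the problem before deleting the files and confirm the regenerated files after the restart. The default path is this page's source-install layout; package installs use a different one. The temporary directory used for the self-test is constructed.

```shell
#!/bin/sh
# Added example (not from the Samba wiki or the Samba project): report TLS
# .pem files readable by group or other. Works from `ls -l` output so it
# needs neither GNU stat nor GNU find. Default directory is assumed to be
# the source-install layout used on this page.

# exposed_pem_files [DIR]
# Print each *.pem file in DIR whose group or other bits are set.
# Exit 0 = all owner-only, 1 = exposed files listed, 2 = DIR missing.
exposed_pem_files() {
    dir=${1:-/usr/local/samba/private/tls}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    found=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # Mode string positions 5-10 are the group/other bits; an ACL or
        # xattr marker after position 10 is swallowed by the trailing *.
        case $(ls -ld "$f") in
            ????------*) ;;               # e.g. -rw------- : owner only
            *) echo "$f"; found=1 ;;
        esac
    done
    return $found
}

# Self-test on a constructed directory; no Samba install is touched.
demo_dir=$(mktemp -d)
: > "$demo_dir/key.pem";  chmod 0644 "$demo_dir/key.pem"    # the pre-fix exposure
: > "$demo_dir/cert.pem"; chmod 0600 "$demo_dir/cert.pem"
if exposed_pem_files "$demo_dir"; then
    echo "all .pem files in $demo_dir are owner-only"
else
    echo "files above are exposed: remove them and restart Samba to regenerate them"
fi
rm -rf "$demo_dir"
```

Run it again after the restart: a clean run (exit 0, nothing listed) confirms the regenerated key.pem is no longer readable by group or other.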


Fixing dynamic DNS update problems (updating from < 4.0.7)

See Fix DNS dynamic updates in Samba versions prior to 4.0.7 for details.