This is general documentation on how to update a Samba installation.
Common misconceptions about Samba 4
One common misconception is that Samba 4 automatically means "Active Directory only". That's wrong!
Acting as an Active Directory Domain Controller is one of the enhancements included in Samba 4. But version 4 is also just the next release after the 3.6 series and contains all features of the previous ones, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to 4.x, just as you updated it in the past (e.g. from 3.4.x to 3.5.x). Updating does not automatically move your NT4-style domain to Active Directory!
And of course it remains possible to set up a new NT4-style PDC with Samba 4.x, as was done in the past (e.g. with an OpenLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures, and for that reason there isn't a plan to decommission the classic PDC support. It remains tested by the continuous integration system.
The code that supports the classic Domain Controller is also the same code that supports the internal 'Domain' of standalone servers and Domain Member Servers. This means that we still use this code, even when not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.
Migrating a Samba NT4-style domain to Samba Active Directory
Note: Samba 4 is just the next release after 3.6. Samba 4 doesn't mean "Active Directory only". You can simply update your NT4-style domain to the latest 4.x version, just as you installed updates in the past.
If the type of installation (Active Directory Domain Controller, NT4-style PDC, Member Server) does not change, you can simply follow the steps below to update.
Best Practices Updating Multiple Samba Domain Controllers
When you plan to update multiple Samba Active Directory Domain Controllers on your network, the recommended way is:
- Update one of the Samba AD DCs that is not holding any FSMO role.
- Start Samba on the updated DC and check that replication between all DCs works successfully ("samba-tool drs showrepl").
- Verify the installation to ensure that the new version works as expected.
- Upgrade the other Samba DCs one at a time. Always make sure that replication is working properly.
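One way to turn the replication check above into a go/no-go gate between DCs, as an added example that is not part of the Samba documentation. It assumes the usual "samba-tool drs showrepl" text layout with one "N consecutive failure(s)." line per link; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the Samba documentation): decide whether it is safe
# to move on to the next DC, based on `samba-tool drs showrepl` text on stdin.
# Returns 0 = all links healthy, 1 = failing link(s) printed, 2 = no links parsed.
repl_failures() {
    awk '
        /^==== .* ====$/   { section = $0; next }            # INBOUND or OUTBOUND
        /^(DC|CN)=/        { nc = $0; next }                 # naming context DN
        / via RPC$/        { sub(/^[ \t]+/, ""); peer = $0; next }
        /consecutive failure\(s\)/ {
            links++
            if ($1 + 0 > 0) {
                bad++
                printf "%s | %s | %s | %d consecutive failure(s)\n", section, nc, peer, $1
            }
        }
        END {
            if (links == 0) { print "no replication links found in input"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample output (host names, domain and dates are made up).
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\DC1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        Last attempt @ Tue Jun  3 10:15:02 2014 CEST was successful
        0 consecutive failure(s).
        Last success @ Tue Jun  3 10:15:02 2014 CEST

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        Last attempt @ Tue Jun  3 10:15:04 2014 CEST failed, result 58 (WERR_BAD_NET_RESP)
        3 consecutive failure(s).
        Last success @ Mon Jun  2 22:40:11 2014 CEST
EOF
}

# On a DC: samba-tool drs showrepl | repl_failures
sample_showrepl | repl_failures || echo "replication unhealthy: do not update the next DC"
```

Exit status 2 matters as much as 1: if nothing could be parsed (Samba not running, changed output format), the gate fails closed instead of reporting success.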
The following steps are the same, regardless of whether you update a Samba AD DC, a Samba NT4-style PDC or a Samba Member Server.
- Stop all Samba services.
- Create a working backup!
- Read all release notes of versions since the one you are updating from! They will contain important and useful information, like parameters that have changed.
- Install the latest version over your existing one.
- If you compile Samba from source, download the latest version from http://www.samba.org. If you use the same "configure" options as for your previous version, Samba will be installed over the old binaries, will try to find its databases in the same place, etc. But always check whether some configure options have changed and need to be adapted!
- If you use packages, like those from SerNet, check the packager's information on how to install.
- Start Samba. You only have to start the same processes as you did before.
- DC: samba
- NT4-style PDC: smbd, nmbd
- Member Server: smbd, nmbd (winbind, if you use it)
- Check your Samba logs for errors and problems.
- Test your newly installed version.
Updates of early Samba 4 versions on Samba Active Directory DCs
Early versions of Samba 4 (Beta, RC, early 4.0.x) had some issues, e.g. incorrect SysVol and directory ACLs. Below are commands to fix these problems after you have updated.
- Reset well known ACLs in AD (without "--fix", it only checks)
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
- Reset wrong SysVol ACLs (if you use the option "sysvolcheck" instead, the ACLs are only checked)
# samba-tool ntacl sysvolreset
- Fix errors in the AD database (without "--fix", it only checks)
# samba-tool dbcheck --cross-ncs --fix
Other changes you should pay attention to when updating
File execution permissions when upgrading from 3.x to 4.x
See Execution of files.
On Samba Active Directory DCs
Wrong TLS .pem file permissions (updating from <= 4.0.11 or 4.1.1)
- Remove the TLS .pem files, because they were exposed by insecure permissions. They are re-created with correct permissions during the next Samba startup.
# rm /usr/local/samba/private/tls/*.pem
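A check for the condition described above, as an added example that is not part of the Samba documentation: it lists .pem files that contain private key material and are accessible to group or others, and ignores certificates, which are public. The function names are hypothetical and the fixture files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Samba documentation): find PEM files that hold
# private key material and are accessible to group or others.

# Print matching files, sorted. POSIX find has no "any of these bits" test,
# so each group/other permission bit is checked explicitly.
exposed_keys() {
    find "$1" -type f -name '*.pem' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec grep -l -e 'PRIVATE KEY-----' {} + | sort
}

# Returns 0 = no exposed key, 1 = exposed key(s) printed, 2 = not a directory.
check_tls_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    found=$(exposed_keys "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed fixture: a world-readable key next to a public certificate.
# The file contents are placeholders, not real key material.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$d/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    chmod 644 "$d/key.pem" "$d/cert.pem"
    echo "$d"
}

# On a DC (path from this page): check_tls_dir /usr/local/samba/private/tls
fixture=$(make_fixture)
check_tls_dir "$fixture" || echo "exposed key found: remove the .pem files and restart Samba"
chmod 600 "$fixture/key.pem"      # owner-only access, as expected for a private key
check_tls_dir "$fixture" && echo "no exposed key material"
rm -rf "$fixture"
```

Running it again after the restart confirms that the re-created key file is no longer readable by other accounts.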
AD database cleanup of deleted LDAP DNS entries (updating from <= 4.1.11)
Previous versions of Samba DCs contained a bug that may lead to many deleted LDAP objects for removed DNS entries (partial fix for bug #10749).
When the first DC with a version newer than 4.1.11 is started, these deleted objects are removed. Depending on the amount, this may result in slow performance until all the deleted objects from the previous version are removed.