- 1 Introduction
- 2 Common misconceptions about Samba 4
- 3 Migrating a Samba NT4-style domain to Samba Active Directory
- 4 General notes
- 5 Best Practices Updating Multiple Samba Domain Controllers
- 6 Update process
- 7 Update an early Samba 4 version on Samba Active Directory DCs
- 8 Other changes you should pay attention to, when updating
- 8.1 File execution permissions when upgrading from 3x to 4x
- 8.2 On Samba Active Directory DC's
- 8.2.1 Fixing the replPropertyMetaData attributes (updating from < 4.5.0)
- 8.2.2 Default for LDAP Connections Requires Strong Authentication (updating from <=4.4.0, <=4.3.6 or <=4.2.9)
- 8.2.3 AD database cleanup of deleted LDAP DNS entries (updating from <= 4.1.11)
- 8.2.4 Wrong TLS .pem file permissions (updating from <= 4.0.11 or 4.1.1)
- 8.2.5 Fixing dynamic DNS update problems (updating from < 4.0.7)
This is a general documentation on how to update a Samba installation.
Common misconceptions about Samba 4
One of the common misconceptions is, that Samba 4 automatically means „Active Directory only“: That's wrong!
Acting as a Active Directory Domain Controller is one of the enhancements, included in Samba 4. But version 4 is also just the next release after the 3.6 series and contain all features of the previous ones - including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to 4.x, like you've updated it in the past (e. g. from 3.4.x to 3.5.x). You won't move your NT4-style domain to an Active Directory automatically!
And of course the possibility remains unchanged, to setup a new NT4-style PDC with Samba 4.x, like done in the past (e. g. with openLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures and for that reason there isn't a plan to decommission the classic PDC support. It remains tested by the continuous integration system.
The code that supports the classic Domain Controller is also the same code that supports the internal 'Domain' of standalone servers and Domain Member Servers. This means that we still use this code, even when not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.
Migrating a Samba NT4-style domain to Samba Active Directory
Note: Samba 4 is just the next release after 3.6. Samba 4 doesn't mean „Active Directory only“. You can simply update your NT4-style domain to the latest 4x version, like you had installed updates in the past.
If the type of installation (Active Directory Domain Controller, NT4-style PDC, Member Server) does not change, you can simply follow the steps below to update.
Best Practices Updating Multiple Samba Domain Controllers
When you plan to update multple Samba Active Directory Domain Controllers on your network, the recommended way is:
- Update one of the Samba AD DCs, that is is not holding any FSMO role.
- Start Samba on the updated DC and check that the replication between all DCs work successful („samba-tool drs showrepl“).
- Verify the installation, to ensure that the new version work like expected.
- Upgrade the other Samba DCs one at a time. Always make sure, that the replication is working properly.
The following steps are the same, regardless if you update a Samba AD DC, Samba NT4-style PDC or Samba Member Server.
- Stop all Samba services.
- Create a working backup!
- Read all release notes of versions since the one you are updating from! They will contain important and useful information i.e. parameters that have changed.
- Install the latest version over your existing one.
- If you compile Samba from source, download the latest version from http://www.samba.org. If you use the same "configure" options as for your previous version, Samba will be installed over the old binaries and will find its databases in the same place. But always check if some configure options have changed and need to be adapted!
- If you use packages, such as from SerNet, check out the packagers information on how to install.
- Start Samba. You only have to start the same processes as you did before.
- DC: samba
- NT4-style PDC: smbd, nmbd
- Member Server: smbd, nmbd (winbind, if you use it)
- Check your Samba logs for errors and problems.
- Test your new installed version.
Update an early Samba 4 version on Samba Active Directory DCs
Early versions of Samba 4 (Beta, RC, early 4.0.x) had some issues e. g. incorrect SysVol and directory ACLs. The following commands will fix these problems after you have updated.
- Reset well known ACLs in AD (without "--fix", it will only check the ACLs)
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
- Reset wrong SysVol ACLs (if you use the "sysvolcheck" option, it will check the ACLs instead)
# samba-tool ntacl sysvolreset
- Fix errors in the AD database (without "--fix", it will only check for errors)
# samba-tool dbcheck --cross-ncs --fix
Other changes you should pay attention to, when updating
File execution permissions when upgrading from 3x to 4x
See Execution of files.
On Samba Active Directory DC's
Fixing the replPropertyMetaData attributes (updating from < 4.5.0)
Samba versions prior 4.5.0 stored the replPropertyMetaData attribute incorrectly. As a consequence, administrators could experience renaming conflicts or bad failure modes. The problem has been fixed in 4.5.0 and later versions and Samba now stores the attribute correctly. Additionally, samba-tool has been enhanced to detect incorrectly stored replPropertyMetaData attributes:
# samba-tool dbcheck --cross-ncs
To fix the attributes, run:
# samba-tool dbcheck --cross-ncs --fix ... CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000003 CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com: 0x00000000 ERROR: unsorted attributeID values in replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com Fix replPropertyMetaData on CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com by sorting the attribute list? [YES] Fixed attribute 'replPropertyMetaData' of 'CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
Because the replPropertyMetaData attribute is not replicated, you have to run the command on every AD DC in your forest. After a repair of all objects, run the command without the "--fix" option to verify a successful operation.
Please note that the repair operation requires some time to complete. For example: 3500 objects in 5 minutes (VM test environment: 1 vCPU, 1 GB RAM, HDD image located on SSSD).
Default for LDAP Connections Requires Strong Authentication (updating from <=4.4.0, <=4.3.6 or <=4.2.9)
The following information might be relevant for you, if you're updating to a later version than mentioned above and have external applications connected over LDAP to your Active Directory:
The security updates 4.4.1, 4.3.7 and 4.2.10 introduced a new smb.conf option for the Active Directory LDAP server to enforce strong authentication. The default of this option ("ldap server require strong auth = yes") allows only simple binds over TLS encrypted connections. In consequence external applications that connect to Active Directory with LDAP can't establish a connection if they don't use or support TLS encrypted connections.
AD database cleanup of deleted LDAP DNS entries (updating from <= 4.1.11)
Previous versions of Samba DC's contained a bug, that may lead to many deleted LDAP objects for removed DNS entries (partial fix for bug #10749).
When the first DC with a version newer than 4.1.11 is started, these deleted objects are removed. Depending on the amount, this may result in slow performance until all the deleted objects from the previous version are removed.
Wrong TLS .pem file permissions (updating from <= 4.0.11 or 4.1.1)
- Remove TLS .pem files, because they were exposed by insecure permissions. They are re-created with correct permissions during the next Samba startup
# rm /usr/local/samba/private/tls/*.pem
Fixing dynamic DNS update problems (updating from < 4.0.7)
See Fix DNS dynamic updates in Samba versions prior 4.0.7 for details.