This is a general documentation on how to update a Samba installation.
Common misconceptions about Samba 4
One of the common misconceptions is, that Samba 4 automatically means „Active Directory only“: That's wrong!
Acting as a Active Directory Domain Controller is one of the enhancements, included in Samba 4. But version 4 is also just the next release after the 3.6 series and contain all features of the previous ones - including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to 4.x, like you've updated it in the past (e. g. from 3.4.x to 3.5.x). You won't move your NT4-style domain to an Active Directory automatically!
And of course the possibility remains unchanged, to setup a new NT4-style PDC with Samba 4.x, like done in the past (e. g. with openLDAP backend). Active Directory support in Samba 4 is additional and does not replace any of these features. We do understand the difficulty presented by existing LDAP structures and for that reason there isn't a plan to decommission the classic PDC support. It remains tested by the continuous integration system.
The code that supports the classic Domain Controller is also the same code that supports the internal 'Domain' of standalone servers and Domain Member Servers. This means that we still use this code, even when not acting as an AD Domain Controller. It is also the basis for some of the features of FreeIPA and so it gets development attention from that direction as well.
Migrating a Samba NT4-style domain to Samba Active Directory
Note: Samba 4 is just the next release after 3.6. Samba 4 doesn't mean „Active Directory only“. You can simply update your NT4-style domain to the latest 4x version, like you had installed updates in the past.
If the type of installation (Active Directory Domain Controller, NT4-style PDC, Member Server) does not change, you can simply follow the steps below to update.
The following steps are the same, regardless if you update a Samba AD DC, Samba NT4-style PDC or Samba Member Server.
- Stop all Samba services.
- Create a working backup!
- Read all release notes of versions since the one you are updating from! They will contain imporant and useful information, like parameters that have changed.
- Install the latest version over your existing one.
- If you compile Samba from source, download the latest version from http://www.samba.org. If you use the same „configure“ options, than for your previous version, Samba will be installed over the old binaries, tries to find its databases on the same place, etc. But always check if some configure options had changed and need to be adapted!
- If you use packages, like from SerNet, check out the packagers information on how to install.
- Start Samba. You only have to start the same processes, like you did before.
- DC: samba
- NT4-style PDC: smbd, nmbd
- Member Server: smbd, nmbd (winbind, if you use it)
- Check your Samba logs for errors and problems.
- Test your new installed version.
Updates of early Samba 4 version on Samba Active Directory DCs
Early version of Samba 4 (Beta, RC, early 4.0.x) had some issues like e. g. incorrect SysVol and directory ACLs. In the following you'll find commands to fix these problems, after you had updated.
- Reset well known ACLs in AD (without the „--fix“, it only checks)
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
- Reset wrong SysVol ACLs (if you use the option „sysvolcheck“ instead, the ACLs are only checked)
# samba-tool ntacl sysvolreset
- Fix errors in the AD database (without the „--fix“, it only checks)
# samba-tool dbcheck --cross-ncs --fix
Other changes, you should pay attention to, when updating
File execution permissions when upgrading from 3x to 4x
See Execution of files.
On Samba Active Directory DCs
Updating best practices
- When you have multiple samba AD DC on your network you should following steps:
- Upgrade one of your Samba AD DC, Preferred Not holding any FSMO or RODC
- Start your new version of Samba AD DC and wait for it to run and complete the replication process
- Verify there isn't any issue on this new version of Samba AD DC (Shutdown old AD DC or etc)
- Upgrade the other server one at a time and wait for the replication complete.
Updating from <= 4.0.11 or 4.1.1:
- Remove TLS .pem files, because they were exposed by insecure permissions. They are re-created with correct permissions during the next Samba startup
# rm /usr/local/samba/private/tls/*.pem
Updating from <= 4.0.11 or 4.1.11:
- Upgrade to new AD DC and wait for it to run (Partial fix for bug #10749) and replicate completely before upgrading other AD DC.