Whilst it is possible to upgrade Samba by using the usual apt tools, the Samba Team recommends first demoting the DC, then upgrading to the desired version, and then rejoining the domain.
This is especially important if you are upgrading to a new major version, for example, from 4.18 to 4.19. Because most of the configuration remains the same, only the Samba databases and configuration files will need to be removed.
Once you are familiar with this procedure, it can be completed within a short time frame and requires only a few simple steps. Let us assume that we would like to upgrade DC2.
See Demoting a DC. There is no need to review the DNS entries; they will be re-created with the same name.
When demoting, make sure the DC about to be demoted does not own any FSMO roles. Follow the link in the demote page.
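One way to script the FSMO check before demoting, as an added example that is not part of the original page: the function reads the output of `samba-tool fsmo show` and lists the roles whose owner is the given DC. The sample output, the host names DC1/DC2/DC3 and the helper names are constructed, and the one-line-per-role `<Role> owner: CN=NTDS Settings,CN=<server>,...` format is an assumption.

```shell
#!/bin/sh
# Added example: refuse to demote a DC that still owns FSMO roles.

# fsmo_roles_owned_by HOST: reads `samba-tool fsmo show` output on stdin and
# prints the name of every role whose owner is HOST (case-insensitive).
fsmo_roles_owned_by() {
    awk -v host="$1" '
        / owner: CN=NTDS Settings,/ {
            split($0, rdn, ",")        # rdn[2] is "CN=<server name>"
            server = rdn[2]
            sub(/^CN=/, "", server)
            # Exact match, so "DC1" never matches "DC10".
            if (toupper(server) == toupper(host)) print $1
        }'
}

# safe_to_demote HOST: returns 0 if HOST owns no roles, 1 (with a list) otherwise.
safe_to_demote() {
    owned=$(fsmo_roles_owned_by "$1")
    if [ -n "$owned" ]; then
        printf 'Do not demote %s yet, it still owns:\n%s\n' "$1" "$owned" >&2
        return 1
    fi
    printf '%s owns no FSMO roles\n' "$1"
}

# Constructed sample of `samba-tool fsmo show` output (assumed format,
# not captured from a real domain controller).
sample_fsmo_output() {
cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es
EOF
}

# On a real DC: samba-tool fsmo show | safe_to_demote "$(hostname -s)"
# Offline demonstration on the constructed sample:
sample_fsmo_output | safe_to_demote dc2 || true
```

Keeping the list printed for the DC is also a record of which roles to transfer back after the rejoin.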
systemctl stop samba-ad-dc.service
rm /run/samba/*.tdb \
   /run/samba/*.ldb \
   /var/lib/samba/*.tdb \
   /var/lib/samba/*.ldb \
   /var/cache/samba/*.tdb \
   /var/cache/samba/*.ldb \
   /var/lib/samba/private/*.tdb \
   /var/lib/samba/private/*.ldb
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
This is a good time to switch to other sources or repositories if you want to; see using Debian backports or using the Michael Tokarev repo. Then:
If you want to know what will be installed, try:
apt-get update && apt-cache policy samba
And look for the “Candidate” line.
4.20 has a new package samba-ad-dc (split from other binaries in previous versions) that provides DC functionality.
Before 4.20, there is a meta-package with the same name that provides compatibility before the upgrade. It is recommended to install this meta-package samba-ad-dc before upgrading to 4.20, so that the upgrade has all its binaries in place and everything works as expected.
If your version of Samba is very old and there is no samba-ad-dc meta-package, please be aware that you will need to install the additional package samba-ad-dc right after your upgrade.
apt-get install samba-ad-dc
Remember to add '-t bookworm-backports' if using backports.
A simple:
apt-get update && apt-get upgrade
will get the job done. Continue to Join Domain.
You need to force the use of backports (first time only):
apt-get update && apt-get install --no-install-recommends -t bookworm-backports samba
Continue to Join Domain.
samba-tool domain join mad.caponato.es DC -U"MAD\Administrator" --option="dns forwarder=1.1.1.1 8.8.8.8"
See this article to sync Sysvol folders.
See this article to sync idmap.ldb between DCs (and why this needs to be done on a regular basis).
This procedure checks SysVol permissions and resets them if needed.
reboot
samba-tool ntacl sysvolreset
If this server owned any or all FSMO roles before upgrading, you may want to transfer the roles back.