Caponato's Notebook

Whilst it is possible to upgrade Samba by using the usual `apt` tools, the Samba Team recommends that a DC should first be demoted, followed by an upgrade to the desired version, and then rejoining the domain.

This is especially important if you are upgrading to a major version, for example, 4.22 to 4.23. Since most of the configuration remains the same, only the Samba databases and configuration files will need to be removed.

Once you are familiar with this procedure, it can be completed within a short time frame and requires only a few simple steps. Let us assume that we would like to upgrade DC2.

See demoting a DC. There is no need to review the DNS entries — they will be re-created with the same name.

When demoting, make sure the DC about to be demoted does not own any FSMO roles. Follow the link in the demote page.

systemctl stop samba-ad-dc.service
systemctl disable samba-ad-dc.service

Your Samba DC is off, and no longer will be able to find a DC to connect to for rejoin.

Update your /etc/resolv.conf with a online DC, for example

#DC2 is this machine, let's comment it out.
#nameserver 192.168.0.3
#DC1 is my online DC.
nameserver 192.168.0.2

Samba will overwrite this file and all your tuning will be gone. Save it with a .bak extension and we will replace it once joined.

cp /etc/samba/smb.conf cp /etc/samba/smb.conf.bak

rm /run/samba/*.tdb \
/run/samba/*.ldb \
/var/lib/samba/*.tdb \
/var/lib/samba/*.ldb \
/var/cache/samba/*.tdb \
/var/cache/samba/*.ldb \
/var/lib/samba/private/*.tdb \
/var/lib/samba/private/*.ldb
 
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

This is now a good time if you want to use other sources or repositories. See using Debian backports or maybe using Michael Tokarev repo. Then:

If you want to know what will be installed, try:

apt-get update && apt-cache policy samba

Look for the `Candidate` line.

4.20 introduces a new package `samba-ad-dc` (split from other binaries in previous versions) that provides DC functionality.

Before 4.20, there is a meta-package with the same name that provides compatibility before the upgrade. It is recommended to install this meta-package `samba-ad-dc` before upgrading to 4.20, so the upgrade has all its binaries in place and everything works as expected.

If your version of Samba is very old and there is no `samba-ad-dc` meta-package, please be aware you will need to install the additional package `samba-ad-dc` right after your upgrade.

apt-get install samba-ad-dc

Remember to add `-t bookworm-backports` if using backports.

A simple:

apt-get update && apt-get upgrade

will get the job done. Continue to re-join the domain.

You need to force the use of backports (first time only):

apt-get update && apt-get install --no-install-recommends -t bookworm-backports samba

Continue to re-join the domain.

samba-tool domain join mad.caponato.es DC -U"MAD\Administrator" --option="dns forwarder=1.1.1.1 8.8.8.8"

See this article to sync SysVol folders.

See this article to sync idmap.ldb between DCs (and why this needs to be done on a regular basis).

This procedure will check and reset SysVol permissions if needed.

systemctl enable samba-ad-dc.service

cp /etc/samba/smb.conf.bak cp /etc/samba/smb.conf

Your Samba DC is back on line, so use this first as your primary DNS resolver.

#DC2 is this machine, and goes in first.
nameserver 192.168.0.3
#DC1.
nameserver 192.168.0.2

reboot

samba-tool ntacl sysvolreset

If this server owned any or all FSMO roles before upgrading, you may want to transfer the roles back.

See checking AD replication.

Caponato's Samba notebook. Start here or return to Main menu.