Hi Louis,

On Mon, Jul 31, 2017 at 02:02:52PM +0200, L.P.H. van Belle wrote:
> Hai Roberto,
>
> Thank you for your insight also.
> Can you post your complete (anonymized where needed) smb.conf.
> And the running version you have and the version you're upgrading to.
> This way we have most of the needed info.
>

Here is the smb.conf:

# Global parameters
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        netbios name = SAMBA-ADDC1
        server role = active directory domain controller
        server services = -dns
        idmap_ldb:use rfc2307 = yes
        printing = CUPS
        printcap name = /dev/null
        kerberos method = secrets and keytab
        #ldap server require strong auth = allow_sasl_over_tls
        ldap server require strong auth = no
        map to guest = bad user
        tls enabled = yes
        tls keyfile = /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.key
        tls certfile = /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.pem
        tls cafile = /etc/ssl/cacert.pem
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config EXAMPLE:backend = ad
        idmap config EXAMPLE:schema_mode = rfc2307
        idmap config EXAMPLE:range = 10000-20000
        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        log level = 2
        syslog = 3

[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

The server was initially installed with wheezy, using the Samba 4
backport packages (this was around the end of 2014), then upgraded to
jessie when it became the stable release.

The currently installed version of Samba is: 2:4.2.14+dfsg-0+deb8u7+b1

The version I am trying to install (as part of the dist-upgrade to
stretch) is: 2:4.5.8+dfsg-2+deb9u1+b1

I have read through all of the upstream release notes and changelogs, as
well as the NEWS file in the Debian package to make sure that I don't
have anything in the configuration that will cause problems. After
reviewing, there is nothing in my configuration that makes me think I
need to change it prior to upgrading.

> In general.
> For samba ( standalone/members ) systemd uses one or more : smbd nmbd winbind
> For samba ( AD DC ) systemd uses samba-ad-dc
>

Yes, and that is how it appears to be with the systems on my network.

> The change to samba AD DC with systemd is:
>
> systemctl disable smbd nmbd winbind
> systemctl mask smbd nmbd winbind
> systemctl stop smbd nmbd winbind
>
> systemctl enable samba-ad-dc
> systemctl unmask samba-ad-dc
> systemctl start samba-ad-dc
>

Interestingly, I never had to do anything with systemctl when upgrading
from wheezy to jessie. On the jessie system (prior to upgrade) here is
what the systemd setup looks like:

    systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
    nmbd.service         loaded active exited  LSB: start Samba NetBIOS nameserver (nmbd)
    samba-ad-dc.service  loaded active running LSB: start Samba daemons for the AD DC
    smbd.service         loaded active exited  LSB: start Samba SMB/CIFS daemon (smbd)
    winbind.service      loaded active exited  LSB: start Winbind daemon

After the first upgrade attempt failed I reset the VM snapshot and issued
the 'systemctl mask' command you list above (I figured out on my own that
it might be needed) and then the upgrade worked. Now the systemd setup
looks like this (after manually masking smbd, nmbd, and winbind and after
the upgrade):

    systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
    samba-ad-dc.service  loaded active running LSB: start Samba daemons for the AD DC

That seems to work. I tried unmasking the masked units again to restore
the configuration to the same way it was previously, but then that caused
problems with things not starting correctly. I believe that if I leave
the units unmasked the next upgrade (e.g., even a minor security upgrade)
will execute the postinst in such a way as to cause the problem to recur.

>
> But, this won't help on the upgrade.
> /var/lib/dpkg/info/winbind.postinst should detect the "AD DC" server.
> The same way /var/lib/dpkg/info/samba.postinst is doing.
>

I am not sure if it is related, but I think that there is a bug near line
79 of the samba.postinst:

    samba-addc1:~# samba-tool testparm --parameter-name="server role"
    active directory domain controller
    samba-addc1:~# echo $SERVER_ROLE
    active directory domain controller
    samba-addc1:~# samba-tool testparm --parameter-name="server services"
    s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    samba-addc1:~# echo $SERVER_SERVICES
    s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    samba-addc1:~# samba-tool testparm --parameter-name="dcerpc endpoint servers"
    epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
    samba-addc1:~# echo $DCERPC_ENDPOINT_SERVERS
    epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
    samba-addc1:~# if [ "$SERVER_ROLE" != "active directory domain controller" ] \
    > && ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
    > && ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
    > && ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)'
    > ) \
    > ; then
    > echo "Ohai, I am an AD domain controller"
    > fi

I believe that looking for "smb" in "server services" is perhaps too
restrictive, though I am not sure. I would expect the configuration of
my server to pass the check and print the text of the echo I substituted.

In any event, I don't think I fully understand what the postinst is
trying to do, since on my system samba-ad-dc.service appears in several
places, but never in /etc/systemd/system and I cannot tell if the fact
that the if condition evaluates to false on my system is related to the
upgrade failure or if it is solely the result of a misconfiguration. That
is, perhaps it is my fault for not masking the smbd, nmbd, and winbind
units when I configured for AD DC.

If it helps, here are the locations of samba-ad-dc.service on the system
in question.

Prior to upgrade:

    find / -name samba-ad-dc.service -exec ls -Fd {} \;
    /run/systemd/generator.late/samba-ad-dc.service
    /run/systemd/generator.late/runlevel5.target.wants/samba-ad-dc.service@
    /run/systemd/generator.late/runlevel4.target.wants/samba-ad-dc.service@
    /run/systemd/generator.late/runlevel3.target.wants/samba-ad-dc.service@
    /run/systemd/generator.late/runlevel2.target.wants/samba-ad-dc.service@
    /sys/fs/cgroup/systemd/system.slice/samba-ad-dc.service/

After upgrade:

    find / -name samba-ad-dc.service -exec ls -Fd {} \;
    /etc/systemd/system/multi-user.target.wants/samba-ad-dc.service@
    /lib/systemd/system/samba-ad-dc.service
    /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/samba-ad-dc.service
    /sys/fs/cgroup/devices/system.slice/samba-ad-dc.service/
    /sys/fs/cgroup/pids/system.slice/samba-ad-dc.service/
    /sys/fs/cgroup/systemd/system.slice/samba-ad-dc.service/

Let me know if I can provide any additional information or if I can help
with anything else.

--
Roberto C. Sánchez
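
Added example, not part of the original message and not the Debian package's postinst: the sketch below evaluates each clause of the condition quoted in the message on its own, using the testparm values shown there. The helper names (lacks_item, truth, not_dc, eval_condition) and the two contrast inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-clause evaluation of the condition from the message.

# Values copied from the testparm output in the message.
ROLE='active directory domain controller'
SERVICES='s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate'
ENDPOINTS='epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver'

# lacks_item LIST NAME: same grep -qv test as in the message. With one-line
# input, grep -qv succeeds exactly when NAME is not an entry of LIST.
lacks_item() {
    echo "$1" | grep -qv '\(^\|, \)'"$2"'\(,\|$\)'
}

# not_dc ROLE: the first clause of the condition (note the "!=").
not_dc() {
    [ "$1" != "active directory domain controller" ]
}

# truth CMD...: print "true" or "false" for the command's exit status.
truth() {
    if "$@"; then echo true; else echo false; fi
}

# eval_condition ROLE SERVICES ENDPOINTS: print each clause's result and
# whether the "then" branch would run (all four clauses true).
eval_condition() {
    c1=$(truth not_dc "$1")
    c2=$(truth lacks_item "$2" smb)
    c3=$(truth lacks_item "$3" remote)
    c4=$(truth lacks_item "$3" mapiproxy)
    case "$c1$c2$c3$c4" in
        truetruetruetrue) branch=runs ;;
        *) branch=skipped ;;
    esac
    echo "role_not_dc=$c1 no_smb=$c2 no_remote=$c3 no_mapiproxy=$c4 branch=$branch"
}

# Values from the message:
# -> role_not_dc=false no_smb=true no_remote=true no_mapiproxy=true branch=skipped
echo "message values : $(eval_condition "$ROLE" "$SERVICES" "$ENDPOINTS")"
# Constructed inputs for contrast (not taken from the message):
echo "member, smb    : $(eval_condition 'member server' 'smb, rpc, nbt' "$ENDPOINTS")"
echo "non-DC, no smb : $(eval_condition 'standalone server' 's3fs, rpc' "$ENDPOINTS")"
```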