Upgrading a Samba domain controller and bind from Debian 10 to Debian 11

  • Use case: Debian 10 (Buster) domain controller with Samba 4.14.10 and bind9.

  • Following the latest CVE, Samba administrators are advised to upgrade to 4.15.5 to correct the defect. The procedure is described below.

Attention

If updating the repository fails with the errors gpg: no valid OpenPGP data found or wget: unable to resolve host address "mydomain.lan", check your /etc/resolv.conf file, then add the following lines at the end of /root/.bashrc:

    export http_proxy="http://proxy:3128";
    export https_proxy="http://proxy:3128";

  • Back up your Samba domain (create the backup folder)

    mkdir /root/backup_samba
    mkdir /root/backup_samba/named
    
  • Stop the services

    systemctl stop samba-ad-dc
    systemctl stop bind9
    
  • Rsync your data

    rsync -aPv /var/lib/samba /root/backup_samba/
    rsync -aPv /etc/samba/smb.conf /root/backup_samba/
    rsync -aPv /var/lib/samba/bind-dns/ /root/backup_samba/named/
    rsync -aPv /etc/default/bind9 /root/backup_samba/named/
    rsync -aPv /etc/bind/named.conf.local /root/backup_samba/named/
    rsync -aPv /etc/bind/named.conf.options /root/backup_samba/named/
    
  • Update the TIS Samba repositories:

    wget -qO-  https://samba.tranquil.it/tissamba-pubkey.asc | tee /etc/apt/trusted.gpg.d/tissamba.asc
    sha256sum /etc/apt/trusted.gpg.d/tissamba.asc
       b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11  /etc/apt/trusted.gpg.d/tissamba.asc
    echo "deb https://samba.tranquil.it/debian/samba-4.15/ bullseye main" > /etc/apt/sources.list.d/tissamba.list
    
  • Change your Debian source file /etc/apt/sources.list:

    deb http://deb.debian.org/debian bullseye main
    deb-src http://deb.debian.org/debian bullseye main
    
    deb http://deb.debian.org/debian-security/ bullseye-security main
    deb-src http://deb.debian.org/debian-security/ bullseye-security main
    
    deb http://deb.debian.org/debian bullseye-updates main
    deb-src http://deb.debian.org/debian bullseye-updates main
    
  • In /etc/apt/sources.list.d/, open tissamba.list and change the Samba version if necessary:

    deb https://samba.tranquil.it/debian/samba-4.19/ bullseye main
    
  • Update the host:

    export DEBIAN_FRONTEND=noninteractive
    apt-get update -y
    apt-get dist-upgrade -y
    unset DEBIAN_FRONTEND
    
  • Restart the host:

    reboot
    
  • After the reboot, get your bind9 version

    [root@srvads1.mydomain.lan bind]# named -V
    BIND 9.16.22-Debian (Extended Support Version)
    
  • Modify the /etc/bind/named.conf.local file to match your bind9 version

    dlz "mydomain.lan" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
    };
    
  • After modification, you can restart the service

    systemctl restart bind9
    
  • Tests and validation:

    samba-tool --version
    samba-tool drs showrepl --summary
    samba-tool dbcheck --cross-ncs --fix --yes
    dig @localhost google.fr
    dig @localhost $(hostname -d)
    kinit
    klist
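
The repository key step above writes the download straight into /etc/apt/trusted.gpg.d/ and checks the hash afterwards. As an added example (not part of the original procedure), the script below downloads to a temporary file and installs the key only if its SHA-256 matches the value given above; the function names and the --install switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example: verify the TIS repository key BEFORE it reaches APT's trust store.
# URL, destination and SHA-256 are the ones from the procedure above;
# function names and the --install switch are assumptions of this example.
TIS_KEY_URL="https://samba.tranquil.it/tissamba-pubkey.asc"
TIS_KEY_SHA256="b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11"
TIS_KEY_DEST="/etc/apt/trusted.gpg.d/tissamba.asc"

# install_verified_key FILE EXPECTED_SHA256 DEST
# Installs FILE as DEST only when its SHA-256 equals EXPECTED_SHA256.
# Returns 0 on success, 1 on mismatch, 2 on an empty or missing file.
install_verified_key() {
    file=$1 expected=$2 dest=$3
    # A failed download (DNS or proxy problem) typically leaves an empty file.
    [ -s "$file" ] || { echo "empty or missing download: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    install -m 0644 "$file" "$dest"
}

# Download to a temporary file, verify it, then install it. Needs root and network.
fetch_and_install_tis_key() {
    tmp=$(mktemp) || return 2
    if wget -qO "$tmp" "$TIS_KEY_URL"; then
        install_verified_key "$tmp" "$TIS_KEY_SHA256" "$TIS_KEY_DEST"
        rc=$?
    else
        echo "download failed: $TIS_KEY_URL" >&2
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# The real download runs only when the script is called with --install.
if [ "${1:-}" = "--install" ]; then
    fetch_and_install_tis_key
fi
```

A non-zero return means nothing was written to /etc/apt/trusted.gpg.d/, so apt-get update will refuse the TIS repository instead of trusting an unverified key.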