Updating Samba-AD on RHEL and derivative

RPM repositories are signed, and it is recommended that you validate package signing by setting the GPG key on YUM repositories.

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8  http://samba.tranquil.it/RPM-GPG-KEY-TISSAMBA-8 sha256sum /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8
  b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11  /var/www/samba/RPM-GPG-KEY-TISSAMBA-8

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8

Before each update it is necessary to make a backup of the machine. It will also be interesting to isolate it if there are other servers in replication in case something goes wrong and you want to go back to a snapshot (attention, going back to a snapshot in an AD environment is not something trivial !).

systemctl stop samba
rsync -aP /var/lib/samba/ /root/backup_samba_20210520/
systemctl start samba

After each update it is necessary to check the database. Indeed the Samba code takes more and more special cases into account, and it may be necessary to make a pass on the database to conform certain attributes or structure types.

samba -V
systemctl restart samba
samba-tool dbcheck --cross-ncs
samba-tool dbcheck --cross-ncs --fix --yes

Note

If you have only one internal DNS AD in your domain, you will need to temporarily add a second DNS server in /etc/resolv.conf to allow DNS queries to be made while the Samba server is off.

Note

If the server doesn’t take new packages into account during the upgrade, it may be useful to run yum clean metadata to make sure it takes into account the updated configuration of the tis-samba repository.

Minor Samba update in the same major branch (4.17, 4.18, 4.19, etc.)

If you have followed the documentation for the repository configuration a simple upgrade is enough. As mentioned above a backup before and a samba-tool dbcheck --fix --yes after upgrade is recommended.

With some upgrades (e.g. version 4.11.5) it may be necessary to carry out further manipulations. For this it is advisable to read the Samba Changelog.

yum upgrade

Upgrading Samba 4.11 or later to 4.19

echo "[tis-samba]
name=tis-samba
baseurl=http://samba.tranquil.it/redhat8/samba-4.19/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

  • Launch the update:

    yum makecache
systemctl stop samba
yum install -y samba samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind ntp bind-utils samba-client
systemctl enable samba
systemctl restart samba

  • After the update, run a dbcheck as mentioned above:

    samba -V
systemctl restart samba
samba-tool dbcheck --cross-ncs
samba-tool dbcheck --cross-ncs --fix --yes

Upgrading Samba 4.10 to Samba 4.11 on CentOS7

When upgrading Samba packages, package names may evolve to comply with naming rules. There may also be changes with the gradual switch to Python 3 and at the same time a gradual abandonment of Python 2.

As for the upgrade 4.9 to 4.10 it is necessary to uninstall the Samba packages so that they can update themselves correctly. Indeed with the arrival of Python 3 support in CentOS7 the new naming standard for Python 3 packages is python-3 and no longer python-36. The data is not affected by this manipulation.

echo "[tis-samba]
name=tis-samba
baseurl=http://samba.tranquil.it/redhat7/samba-4.11/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TISSAMBA-8" > /etc/yum.repos.d/tissamba.repo

  • Launch the update:

    yum makecache
systemctl stop samba
yum remove python36-samba
yum install -y samba samba-winbind samba-winbind-clients krb5-workstation ldb-tools bind ntp bind-utils samba-client
systemctl enable samba
systemctl restart samba

  • After the update, run a dbcheck as mentioned above:

    samba -V
systemctl restart samba
samba-tool dbcheck --cross-ncs
samba-tool dbcheck --cross-ncs --fix --yes