.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Upgrading a Samba domain controller from Debian10 Buster to Debian11 Bullseye
   :keywords: upgrade, Debian, Bullseye, Buster, documentation

.. _server_upgrade_debian10_to_debian11:

######################################################################
Upgrading a Samba domain controller and bind from Debian10 to Debian11
######################################################################

* Use case: Debian10 (Buster) domain controller with Samba 4.14.10 and bind9.

* Since the last CVE, Samba administrators are advised to upgrade to 4.15.5
  to correct the defect. Here's the process.

.. attention::

   If you encounter a problem when updating the repository
   and you get the errors ``gpg: no valid OpenPGP data found``
   or ``wget: unable to resolve host address "mydomain.lan"``,
   check your :file:`/etc/resolv.conf` file
   and then add the following lines at the end of :file:`/root/.bashrc`:

   .. code-block:: bash

      export http_proxy="http://proxy:3128";
      export https_proxy="http://proxy:3128";

* Back up your Samba domain (create the backup folders):

.. code-block:: bash

   mkdir /root/backup_samba
   mkdir /root/backup_samba/named

* Stop the services:

.. code-block:: bash

   systemctl stop samba-ad-dc
   systemctl stop bind9

* Rsync your data:

.. code-block:: bash

   rsync -aPv /var/lib/samba /root/backup_samba/
   rsync -aPv /etc/samba/smb.conf /root/backup_samba/
   rsync -aPv /var/lib/samba/bind-dns/ /root/backup_samba/named/
   rsync -aPv /etc/default/bind9 /root/backup_samba/named/
   rsync -aPv /etc/bind/named.conf.local /root/backup_samba/named/
   rsync -aPv /etc/bind/named.conf.options /root/backup_samba/named/

* Update the TIS Samba repositories. The ``sha256sum`` command must print
  the hash shown on the line that follows it:

.. code-block:: bash

   wget -qO- https://samba.tranquil.it/tissamba-pubkey.asc | tee /etc/apt/trusted.gpg.d/tissamba.asc
   sha256sum /etc/apt/trusted.gpg.d/tissamba.asc
   b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11  /etc/apt/trusted.gpg.d/tissamba.asc
   echo "deb https://samba.tranquil.it/debian/samba-4.15/ bullseye main" > /etc/apt/sources.list.d/tissamba.list

* Change your Debian source file :file:`/etc/apt/sources.list`:

.. code-block:: bash

   deb http://deb.debian.org/debian bullseye main
   deb-src http://deb.debian.org/debian bullseye main

   deb http://deb.debian.org/debian-security/ bullseye-security main
   deb-src http://deb.debian.org/debian-security/ bullseye-security main

   deb http://deb.debian.org/debian bullseye-updates main
   deb-src http://deb.debian.org/debian bullseye-updates main

* Check :file:`/etc/apt/sources.list.d/`, then select *tissamba.list*
  and change the version of Samba if necessary:

.. code-block:: bash

   deb https://samba.tranquil.it/debian/samba-4.18/ bullseye main

* Update the host:

.. code-block:: bash

   export DEBIAN_FRONTEND=noninteractive
   apt-get update -y
   apt-get dist-upgrade -y
   unset DEBIAN_FRONTEND

* Restart the host:

.. code-block:: bash

   reboot

* After the reboot, get your bind9 version:

.. code-block:: bash

   [root@srvads1.mydomain.lan bind]# named -V
   BIND 9.16.22-Debian (Extended Support Version)

* Modify the :file:`/etc/bind/named.conf.local` file to match your bind9 version:

.. code-block:: bash

   dlz "mydomain.lan" {
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
   };

* After the modification, you can restart the service:

.. code-block:: bash

   systemctl restart bind9

* Tests and validation:

.. code-block:: bash

   samba-tool --version
   samba-tool drs showrepl --summary
   samba-tool dbcheck --cross-ncs --fix --yes
   dig @localhost google.fr
   dig @localhost $(hostname -d)
   kinit
   klist
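
The repository key step above writes the download into :file:`/etc/apt/trusted.gpg.d/` before its hash is compared. The following is an added example, not part of the original procedure or of the TIS tooling, that checks the SHA-256 first and installs the key only on a match. The function name ``install_verified_key`` and the demo file are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pin the repository key's
# SHA-256 and install the key only when the download matches it.

# Hash shown on this page for tissamba-pubkey.asc.
TISSAMBA_KEY_SHA256="b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11"

# install_verified_key SRC EXPECTED_SHA256 DEST   (hypothetical helper name)
# Returns 0 if SRC matched and was copied to DEST, 1 on hash mismatch,
# 2 on bad arguments or a failed copy. DEST is not written on 1.
install_verified_key() {
    local src="$1" expected="$2" dest="$3" actual
    [ -n "$dest" ] && [ -r "$src" ] || return 2
    # Refuse anything that is not exactly 64 hex digits (e.g. an unset variable).
    case "$expected" in
        ""|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    # Hash via stdin so odd file names cannot alter sha256sum's output format.
    actual="$(sha256sum < "$src" | cut -d' ' -f1)" || return 2
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $src: got $actual" >&2
        return 1
    fi
    install -m 0644 -- "$src" "$dest" || return 2
}

# Offline demonstration on a constructed file (not the real key).
demo() {
    local dir good
    dir="$(mktemp -d)" || return 2
    printf 'constructed sample key material\n' > "$dir/key.asc"
    good="$(sha256sum < "$dir/key.asc" | cut -d' ' -f1)"
    install_verified_key "$dir/key.asc" "$good" "$dir/ok.asc" \
        && echo "hash matches: installed"
    install_verified_key "$dir/key.asc" "$TISSAMBA_KEY_SHA256" "$dir/bad.asc" \
        || echo "hash differs: nothing installed"
    rm -rf "$dir"
}
demo

# On the domain controller (needs network and root, so shown as comments):
#   tmp="$(mktemp)"
#   wget -qO "$tmp" https://samba.tranquil.it/tissamba-pubkey.asc
#   install_verified_key "$tmp" "$TISSAMBA_KEY_SHA256" /etc/apt/trusted.gpg.d/tissamba.asc
#   rm -f "$tmp"
```

The pinned hash is only as trustworthy as the channel it was obtained over, so take it from a copy of this documentation you already trust rather than from the same download session as the key.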