action #43313
Create an upgrade path from samba 4.6 to 4.7 with MIT kerberos
100%
Description
We have to do upgrade tests with our heimdal based samba 4.6 setups to samba 4.7 with MIT kerberos
History
#1
Updated by flacco about 4 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 20
It seems much more difficult than expected. My first try ended up with a running samba AD DC, but without a KDC. ;-(
At first everything looked good, I checked the "old" AD for errors with "samba-tool dbcheck --cross-ncs --fix". There were a few errors around our DHCPD-Schema, but no show stopper.
After starting samba-ad-dc.service I could ask for users and groups with wbinfo -u and wbinfo -g. Looks good, but SSSD couldn't connect to the AD. I found out that there's no KDC process listening on UDP/TCP port 88. The samba log says:
"Jan 19 12:11:13 invis samba[1922]: task_server_terminate: [KDC: Initialize kadm5]
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.188018, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 19 12:11:13 invis samba[1922]: /usr/lib/mit/sbin/krb5kdc: Failed to exec child - Permission denied
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.189664, 0] ../source4/kdc/kdc-service-mit.c:348(mitkdc_server_done)
Jan 19 12:11:13 invis samba[1922]: The MIT KDC daemon died with exit status 255
Jan 19 12:11:13 invis samba[1922]: [2019/01/19 12:11:13.189759, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Jan 19 12:11:13 invis samba[1922]: task_server_terminate: [mitkdc child process exited]"
or with a higher log-level:
"Jan 19 12:25:40 invis samba[3066]: task_server_terminate: [KDC: Initialize kadm5]
Jan 19 12:25:40 invis krb5kdc[3075]: Cannot open DB2 database '/var/lib/kerberos/krb5kdc/principal': No such file or directory - while initial>
Jan 19 12:25:40 invis samba[3059]: STATUS=daemon 'samba' finished starting up and ready to serve connections
Jan 19 12:25:40 invis samba[3066]: [2019/01/19 12:25:40.644065, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
Jan 19 12:25:40 invis samba[3066]: /usr/lib/mit/sbin/krb5kdc: krb5kdc: cannot initialize realm KASSANDRA-NET.LOC - see log file for details
Jan 19 12:25:40 invis samba[3066]: [2019/01/19 12:25:40.650277, 0] ../source4/kdc/kdc-service-mit.c:348(mitkdc_server_done)
Jan 19 12:25:40 invis samba[3066]: The MIT KDC daemon died with exit status 1
Jan 19 12:25:40 invis samba[3066]: [2019/01/19 12:25:40.650375, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
Jan 19 12:25:40 invis samba[3066]: task_server_terminate: [mitkdc child process exited]"
With "/usr/lib/mit/sbin/kdb5_util create -r KASSANDRA-NET.LOC -s" it is possible to create the missing principal database. After that the kdc starts, but the sssd connection fails anyway.
I should mention that on a natively installed invis-Server 14.0 there is no principal database in /var/lib/kerberos/krb5kdc, but everything works.
There is the possibility that my upgrade process fails because of an active AppArmor Framework. The new samba daemon needs updated AppArmor profiles...
#2
Updated by flacco about 4 years ago
New information about switching from heimdal to MIT found: https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC#Migrating_a_DC_That_Previously_Used_the_Heimdal_KDC
Next try with this info is in progress.
#3
Updated by flacco about 4 years ago
- % Done changed from 20 to 40
OK, looks better. While migrating from Heimdal to MIT we have to create a kdc.conf manually in /var/lib/samba/private.
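An added triage helper, not code from this thread or the invis-Server project: it classifies the samba journal lines quoted in comment #1 and checks for the kdc.conf that comment #3 says must be created in /var/lib/samba/private. The "db_library = samba" line it looks for is an assumption about what a Samba-generated kdc.conf contains.

```shell
#!/bin/sh
# Added example (not from the tracker thread or the invis-Server project).
# Triage helper for the MIT KDC start-up failures quoted in comment #1 and the
# kdc.conf requirement from comment #3. Log patterns are those quoted above;
# the db_library check is an assumption about Samba's generated kdc.conf.

# classify_kdc_failure: read samba/krb5kdc journal lines on stdin and print one
# tag per recognised failure. Returns 0 if at least one failure was recognised.
classify_kdc_failure() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"krb5kdc: Failed to exec child - Permission denied"*)
                echo "EXEC_DENIED: samba could not exec krb5kdc; check file mode and AppArmor (journalctl -k | grep DENIED)"
                found=0 ;;
            *"Cannot open DB2 database"*)
                echo "NO_PRINCIPAL_DB: krb5kdc opened the default DB2 principal file; without the kdc.conf from comment #3 it does not use the samba backend"
                found=0 ;;
            *"cannot initialize realm"*)
                echo "REALM_INIT_FAILED: realm could not be initialised; see the krb5kdc log the message points to"
                found=0 ;;
        esac
    done
    return "$found"
}

# check_kdc_conf DIR: succeed if DIR/kdc.conf exists and selects the samba KDB
# module (db_library = samba, assumed to be what Samba's provision writes).
check_kdc_conf() {
    conf="$1/kdc.conf"
    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf (create it before starting samba-ad-dc, see comment #3)"
        return 1
    fi
    if ! grep -q 'db_library *= *samba' "$conf"; then
        echo "WARN: $conf does not select the samba KDB module"
        return 2
    fi
    echo "OK: $conf"
}

# Stand-alone run: triage a constructed log line and the live private dir.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' \
      'Jan 19 12:11:13 invis samba[1922]: /usr/lib/mit/sbin/krb5kdc: Failed to exec child - Permission denied' \
      | classify_kdc_failure
    check_kdc_conf /var/lib/samba/private
fi
```

On a live DC, pipe `journalctl -u samba-ad-dc` into classify_kdc_failure instead of the constructed line.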
#4
Updated by flacco about 4 years ago
- % Done changed from 40 to 80
Bingo!
It works. The whole invis-Server upgrade path from V. 13.5 to 14.0 can be found here:
https://wiki.invis-server.org/doku.php/invis_server_wiki:upgrade:13.5_to_14.0
#5
Updated by flacco about 4 years ago
- Status changed from In Progress to Closed
- % Done changed from 80 to 100
#6
Updated by ingogoeppert over 3 years ago
- Subject changed from Create an upgrade path from samba 4.6 ti 4.7 with MIT kerberos to Create an upgrade path from samba 4.6 to 4.7 with MIT kerberos
#7
Updated by ingogoeppert over 3 years ago
- Target version changed from Future to 13.5