Re-Provisioning Samba4 on a DC Master

This article describes how to re-provision Samba 4 on a DC Master. Please see this article if a UCS@school environment is used.

Problem:

Samba 4 data is lost or corrupt

The LDB data of Samba 4 (e.g. /var/lib/samba/private/sam.ldb) is corrupted, broken or lost, and Samba 4 has to be re-provisioned.

Solution:

Samba 4 can be re-provisioned from the existing OpenLDAP data

The following steps describe the needed procedure.
Note:
Make sure that all of your groups and users have a sambaSID attribute in OpenLDAP. Some older applications added groups in non-UCS ways, so a SID was assigned to the group in Samba but never written to OpenLDAP. Re-provisioning uses OpenLDAP data only, so such SIDs are lost and ACL problems (e.g. with share access) may occur that take considerable effort to restore. Check this before you start, while the old sam.ldb is still available.
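To verify the precondition in the note before starting, here is an added example (not part of the original article) that scans an LDIF export of groups and users and prints every entry without a sambaSID. The embedded LDIF is constructed sample data; on a real DC Master the export would come from univention-ldapsearch with a filter such as the one in the comment (the choice of object classes is an assumption, adjust it to your domain).

```shell
#!/bin/sh
# Added example: find OpenLDAP groups/users that lack a sambaSID.
# On the DC Master, produce the input with (object classes are an assumption):
#   univention-ldapsearch -LLL \
#     '(|(objectClass=univentionGroup)(objectClass=posixAccount))' \
#     dn sambaSID > /root/sids.ldif
#   missing_sids < /root/sids.ldif
# Constructed sample LDIF so the check runs offline: two entries have no SID.
SAMPLE_LDIF='dn: cn=Domain Users,cn=groups,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=legacyapp,cn=groups,dc=example,dc=com

dn: uid=alice,cn=users,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: cn=oldgroup,cn=groups,dc=example,dc=com
cn: oldgroup
'

# missing_sids: read LDIF on stdin, print the DN of every entry that carries
# no sambaSID attribute. Entries are separated by blank lines; a base64 DN
# ("dn:: ...") is printed still encoded.
missing_sids() {
    awk '
        /^dn:/        { dn = $0; sub(/^dn:+ */, "", dn); has = 0 }
        /^sambaSID:/  { has = 1 }
        /^$/          { if (dn != "" && !has) print dn; dn = "" }
        END           { if (dn != "" && !has) print dn }
    '
}

# count_missing: number of entries without a sambaSID in the sample data.
count_missing() {
    printf '%s' "$SAMPLE_LDIF" | missing_sids | wc -l | tr -d ' '
}

# Running stand-alone lists the offending DNs; anything printed here must be
# fixed in OpenLDAP (or noted for manual repair) before re-provisioning.
printf '%s' "$SAMPLE_LDIF" | missing_sids
```

Any DN this prints will come out of the re-provision without a SID, so either assign the sambaSID in OpenLDAP beforehand or record the old SID from sam.ldb so the share ACLs can be repaired afterwards.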

1. Stop Samba 4 on all connected systems in the environment

If there are other Samba 4 systems in the environment, Samba 4 has to be stopped on them as well. The naming of the init scripts changed with UCS 4, so both variants are shown:

# UCS 4:
invoke-rc.d samba stop

# UCS 3:
invoke-rc.d samba4 stop

2. Sync time on DC Master:

rdate ptbtime1.ptb.de

3. Save RID Pools on DC Master:

ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)" > /root/ridpool.ldif

4. Stop Samba 4 and S4-Connector on DC Master

# UCS 4:
invoke-rc.d samba stop
invoke-rc.d univention-s4-connector stop

# UCS 3:
invoke-rc.d samba4 stop
invoke-rc.d univention-s4-connector stop

5. Move/Delete Samba 4 and S4-Connector data on DC Master

find /etc/univention/connector/ \( -name "s4*.sqlite" -o -name "lockingdb.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;

rm -rf /var/lib/univention-connector/s4/*
mv /var/lib/samba/private "/var/lib/samba/private.bak_$(date +%s)"

6. Remove Samba 4 and S4-Connector packages on DC Master

univention-remove univention-samba4 univention-s4-connector

7. Set needed UCR-Variables for re-provision on DC Master

ucr set connector/s4/mapping/group/grouptype='false' \
connector/s4/mapping/sid_to_s4='true' \
samba4/provision/primary='true'

8. Install Samba 4 and S4-Connector packages on DC Master

univention-install univention-s4-connector univention-samba4

9. Remove UCR variables which were set for re-provision on DC Master

ucr unset samba4/provision/primary \
connector/s4/mapping/sid_to_s4

10. Correct newly created RID-Pool with the help of the saved data on DC Master

A new RID pool was created by the re-provision. It has to be corrected with the help of the saved data from step 3:

ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

The following attributes have to be corrected:

rIDAllocationPool
rIDPreviousAllocationPool
rIDNextRID

Please also see the SDB article "Samba 4 - RID Pool renewal".
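As an added example (not part of the original article), the step-10 correction can be done non-interactively: the script below reads the RID Set saved in step 3 and emits an LDIF modify record that replaces the three pool attributes, which ldbmodify then applies to the freshly provisioned sam.ldb. The embedded RID Set is constructed sample data in the shape ldbsearch prints; the file name /root/ridpool-fix.ldif and the DN CN=MASTER are assumptions.

```shell
#!/bin/sh
# Added example: build an ldbmodify record from the RID Set saved in step 3.
# On the DC Master (step 10):
#   rid_modify_ldif < /root/ridpool.ldif > /root/ridpool-fix.ldif
#   ldbmodify -H /var/lib/samba/private/sam.ldb /root/ridpool-fix.ldif
# Constructed sample of what step 3 writes to /root/ridpool.ldif. The pool
# value 6438155977704 is (1499 << 32) | 1000, i.e. RIDs 1000-1499, and
# rIDNextRID 1420 lies inside that range.
SAVED_RIDPOOL='# record 1
dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=example,DC=com
objectClass: top
objectClass: rIDSet
cn: RID Set
rIDAllocationPool: 6438155977704
rIDPreviousAllocationPool: 6438155977704
rIDNextRID: 1420
rIDUsedPool: 0

# returned 1 records
# 1 entries
# 0 referrals
'

# rid_modify_ldif: read the saved ldbsearch output on stdin and print an LDIF
# "changetype: modify" record for the same DN. It refuses to emit a partial
# record if any of the three attributes is missing from the saved file.
rid_modify_ldif() {
    awk '
        /^dn: /                        { dn = substr($0, 5) }
        /^rIDAllocationPool: /         { alloc = $2 }
        /^rIDPreviousAllocationPool: / { prev = $2 }
        /^rIDNextRID: /                { next_rid = $2 }
        END {
            if (dn == "" || alloc == "" || prev == "" || next_rid == "") {
                print "saved RID Set is incomplete, not emitting a record" > "/dev/stderr"
                exit 1
            }
            print "dn: " dn
            print "changetype: modify"
            print "replace: rIDAllocationPool"
            print "rIDAllocationPool: " alloc
            print "-"
            print "replace: rIDPreviousAllocationPool"
            print "rIDPreviousAllocationPool: " prev
            print "-"
            print "replace: rIDNextRID"
            print "rIDNextRID: " next_rid
            print "-"
        }
    '
}

# restored_next_rid: the rIDNextRID value the generated record would write.
restored_next_rid() {
    printf '%s' "$SAVED_RIDPOOL" | rid_modify_ldif | awk '/^rIDNextRID: / { print $2 }'
}

# Stand-alone run: show the record that would be fed to ldbmodify.
printf '%s' "$SAVED_RIDPOOL" | rid_modify_ldif
```

The DN in the record must match the new sam.ldb, which it does as long as the hostname and ldap/base did not change between the save in step 3 and the re-provision; verify with the ldbsearch from step 3 before and after applying the record.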

After steps 1-10 the (test) system should be rebooted and tested.

If there were other systems using Samba 4 in this environment, all of them have to be re-joined!
