.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Upgrading a Samba domain controller from Debian10 Buster to Debian11 Bullseye
  :keywords: upgrade, Debian, Bullseye, Buster, documentation

.. _server_upgrade_debian10_to_debian11:

######################################################################
Upgrading a Samba domain controller and bind from Debian10 to Debian11
######################################################################

* Use case: Debian10 (Buster) domain controller with Samba 4.14.10 and bind9.
* Since the latest CVE, Samba administrators are advised to upgrade to 4.15.5 to correct the defect. The process is described below.


.. attention::

  If you encounter a problem when updating the repository and if you get the errors ``gpg: no valid OpenPGP data found`` or ``wget: unable to resolve host address "mydomain.lan"``, you will need to check your :file:`/etc/resolv.conf` file and then add the following lines at the end of :file:`/root/.bashrc`:

  .. code-block:: bash

    export http_proxy="http://proxy:3128";
    export https_proxy="http://proxy:3128";


* Back up your Samba domain (create the backup folder):

  .. code-block:: bash

    mkdir /root/backup_samba
    mkdir /root/backup_samba/named
    
* Stop the services:
  
  .. code-block:: bash

    systemctl stop samba-ad-dc
    systemctl stop bind9

* Rsync your data:


  .. code-block:: bash

    rsync -aPv /var/lib/samba /root/backup_samba/
    rsync -aPv /etc/samba/smb.conf /root/backup_samba/
    rsync -aPv /var/lib/samba/bind-dns/ /root/backup_samba/named/
    rsync -aPv /etc/default/bind9 /root/backup_samba/named/
    rsync -aPv /etc/bind/named.conf.local /root/backup_samba/named/
    rsync -aPv /etc/bind/named.conf.options /root/backup_samba/named/


* Update the TIS Samba repositories:

  .. code-block:: bash

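     # Download the repository signing key into apt's trusted keyring directory
     wget -qO-  https://samba.tranquil.it/tissamba-pubkey.asc | tee /etc/apt/trusted.gpg.d/tissamba.asc
     # Check the key's checksum; the expected output is:
     # b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11  /etc/apt/trusted.gpg.d/tissamba.asc
     sha256sum /etc/apt/trusted.gpg.d/tissamba.asc
     # Declare the TIS Samba repository for Bullseye
     echo "deb https://samba.tranquil.it/debian/samba-4.15/ bullseye main" > /etc/apt/sources.list.d/tissamba.list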

* Change your Debian source file :file:`/etc/apt/sources.list`:

  .. code-block:: bash

    deb http://deb.debian.org/debian bullseye main
    deb-src http://deb.debian.org/debian bullseye main

    deb http://deb.debian.org/debian-security/ bullseye-security main
    deb-src http://deb.debian.org/debian-security/ bullseye-security main

    deb http://deb.debian.org/debian bullseye-updates main
    deb-src http://deb.debian.org/debian bullseye-updates main


* Check :file:`/etc/apt/sources.list.d/` then select *tissamba.list* and change the version of Samba if necessary:

  .. code-block:: bash

    deb https://samba.tranquil.it/debian/samba-4.19/ bullseye main

* Update the host:

  .. code-block:: bash

    export DEBIAN_FRONTEND=noninteractive
    apt-get update -y
    apt-get dist-upgrade -y
    unset DEBIAN_FRONTEND

* Restart the host:

  .. code-block:: bash

    reboot

* After the reboot, get your bind9 version:

  .. code-block:: bash

    [root@srvads1.mydomain.lan bind]# named -V
    BIND 9.16.22-Debian (Extended Support Version)

* Modify the :file:`/etc/bind/named.conf.local` file so that the DLZ module matches your bind9 version (here BIND 9.16 uses :file:`dlz_bind9_16.so`):

  .. code-block:: bash

    dlz "mydomain.lan" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
    };

* After the modification, restart the service:

  .. code-block:: bash

    systemctl restart bind9
    

* Tests and validation:

  .. code-block:: bash

    samba-tool --version
    samba-tool drs showrepl --summary
    samba-tool dbcheck --cross-ncs --fix --yes
    dig @localhost google.fr
    dig @localhost $(hostname -d)
    kinit
    klist
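
The repository step above writes the downloaded key into :file:`/etc/apt/trusted.gpg.d/` before its checksum is read. The following added example (not part of the original procedure or of the TIS tooling) downloads the key to a temporary file and installs it only if it matches the SHA-256 given on this page; the function names and the ``--install`` switch are assumptions of the example.

```shell
#!/bin/sh
# Added example: verify the TIS Samba key against a pinned SHA-256
# BEFORE it is placed where apt will trust it.

# URL, digest and destination are the ones given in the repository step above.
KEY_URL="https://samba.tranquil.it/tissamba-pubkey.asc"
KEY_SHA256="b3cd8395e3d211a8760e95b9bc239513e9384d6c954d17515ae29c18d32a4a11"
KEY_DEST="/etc/apt/trusted.gpg.d/tissamba.asc"

# sha256_matches FILE EXPECTED_HEX
# Returns 0 when FILE's digest equals EXPECTED_HEX, 1 on mismatch, 2 if FILE is missing.
sha256_matches() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || return 2
    actual="$(sha256sum "$file" | awk '{print $1}')"
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# install_verified_key SRC DEST EXPECTED_HEX
# Copies SRC to DEST only when the digest matches; DEST is left untouched otherwise.
install_verified_key() {
    local src="$1" dest="$2" expected="$3"
    if ! sha256_matches "$src" "$expected"; then
        echo "REFUSED: $src does not match the pinned SHA-256" >&2
        return 1
    fi
    install -m 0644 "$src" "$dest"
}

# fetch_and_install_key: download to a temp file, verify, then install.
fetch_and_install_key() {
    local tmp rc
    tmp="$(mktemp)" || return 1
    if wget -qO "$tmp" "$KEY_URL"; then
        install_verified_key "$tmp" "$KEY_DEST" "$KEY_SHA256"
        rc=$?
    else
        echo "download failed: $KEY_URL" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Hypothetical switch: nothing is downloaded unless the script is run with --install.
if [ "${1:-}" = "--install" ]; then
    fetch_and_install_key
fi
```

A refusal leaves :file:`/etc/apt/trusted.gpg.d/` unchanged, so a failed check cannot leave an unverified key trusted by apt.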

