[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
Andrew Bartlett
abartlet at samba.org
Fri Feb 15 18:55:57 MST 2013
On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
> > (but do nothing after make install)? If it will make things worse in any
> > way, I can stay at 4.0.0. Thanks, Thomas.
>
> It's fine to upgrade. That protects you against the security issue we
> fixed in 4.0.1, and makes a significant number of other fixes.
My current testing shows that:
samba_upgradeprovision --full
dbcheck --cross-ncs [--fix [--yes]]
Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
LDAP object. The --full is important, without that the result is
actually worse (as far as I can tell).
I would like to make some progress on this before I recommend it as the
final solution.
It is however pretty close, and better than what is in the database
right now.
These are the ldapcmp results:
Comparing:
'CN=ARES,OU=Domain
Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'CN=ARES,OU=Domain
Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
ACEs found only in
tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
(OA;;SW;Validated-DNS-Host-Name;;DA)
(OA;;SW;Validated-DNS-Host-Name;;PS)
ACEs found only in
tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
(OA;;SW;DNS-Host-Name-Attributes;;DA)
(OA;;SW;DNS-Host-Name-Attributes;;PS)
FAILED
* Result for [DOMAIN]: FAILURE
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 39
Comparing:
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
Difference in ACE count:
=> 27
=> 28
ACEs found only in
tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)
ACEs found only in
tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA)
FAILED
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba
mailing list