S4: upgrade provision problems

Matthieu Patou mat at samba.org
Sat Oct 9 11:24:35 MDT 2010

On 09/10/2010 20:46, Trever L. Adams wrote:
>   On 10/09/2010 10:31 AM, Matthieu Patou wrote:
>> Hi Trever,
>> Well there is no real reason to do upgradeprovision right now ...
> The only reason I did was that it was an old installation and I saw the
> message on the list about an acl permissions problem from the
> time/version I installed it. This message was sent to the list.
> It also said something about 1 missing or new object.
Yeah, the new dns user that changes the dns stuff
>>>    Hello everyone,
>>> 1st problem: After an upgradeprovision dns.keytab is empty. How does one
>>> go about regenerating it?
>> Did you use --full?
> Yes, I did. On both installations (one I didn't need) dnc.keytab
> disappeared.
Well, I didn't try to run upgradeprovision lately and see the impact of
the new user stuff on the keytab generation.
I guess it's safer for you to restore and just run upgradeprovision 
--debugall --resetfileacl but not with --full up to the moment when I 
check if it's ok with the dns stuff (which seems not to be the case 
right now).

>>> 2nd problem: I am getting errors about upgradeprovision not being able
>>> to set acls (I cannot reproduce this as it appears my provision cannot
>>> be upgraded with the script again).
>> Did you run it as root? If not, it's the reason why you were not able
>> to set the acl correctly (unless you have extended attribute stored in
>> tdb, ie. with the posix:eadb = somefile.tdb)
>> You can ask upgradeprovision to retry to set your file acl with:
>> --resetfileacl
> I ran it as root. I have extended attributes (Linux) enabled for all
> file systems. I did see the posix:eadb in the error message. I forgot to
> mention it.
Can you rerun with --debugall and --resetfileacl? If you run as root you
don't need the posix:eadb (it's a configuration option), especially if
you also provisioned as root.
What does getfattr -d -m "" /usr/local/samba/locks/sysvol (or the path where
the sysvol and netlogon are stored) show?
> I will try the resetfileacl later. I am having trouble with ktpass.sh
> and getting service principals out at the moment (after restoring my
> provision).
> Any ideas?
> /bin/ktpass.sh --out imap.keytab --princ imap/fqdn --pass THEPASSWORD
> --enc rc4-hmac
> Unable to find kvno for principal imap/fqdn
>   check that you are authentified with kerberos
> I have done kinit as administrator.
Can you try:
* echo $hostname
* ldbsearch -H ldap://$hostname -k 1
* ldbsearch -H ldap://$hostname "(serviceprincipalname=*)"  -k 1
^ see if you see imap/fqdn


Matthieu Patou
Samba Team        http://samba.org
