upgradeprovision --full fails to find CN=NTDS Settings

Michael Wood esiotrot at gmail.com
Sun Dec 18 05:42:28 MST 2011


On 17 December 2011 12:39, Michael Wood <esiotrot at gmail.com> wrote:
> Hi
>
> I'm trying to upgrade an old installation of Samba 4 from
> 4.0.0alpha12-GIT-77b9b97 to 4.0.0alpha18-GIT-35605fa.
>
> The build works fine.
>
> samba-tool dbcheck --fix finds and fixes a bunch of things.

The vast majority of the fixes are like this:

ERROR: missing GUID component for objectCategory in object
CN=System,DC=example,DC=com -
CN=Container,CN=Schema,CN=Configuration,DC=example,DC=com
Change DN to <GUID=47288117-6896-4151-b2af-4921180a3ccf>;CN=Container,CN=Schema,CN=Configuration,DC=example,DC=com?
[YES]
Fixed missing GUID on attribute objectCategory

and it ends like this:

ERROR: dsServiceName not in GUID form in @ROOTDSE
Change dsServiceName to GUID form? [y/N] y
Changed dsServiceName to GUID form
Checked 870 objects (226 errors)

If I run it again immediately I get this:

# samba-tool dbcheck --fix
Checking 870 objects
Fix isDeleted originating_change_time on 'CN=Deleted
Objects,DC=example,DC=com' [y/N/all/none] y
Checked 870 objects (1 errors)
# samba-tool dbcheck --fix
Checking 870 objects
Fix isDeleted originating_change_time on 'CN=Deleted
Objects,DC=example,DC=com' [y/N/all/none] y
Checked 870 objects (1 errors)

So although it asks if I want to fix that error, it can't seem to do it.

And with -d10:

# samba-tool dbcheck --fix --yes -d10
INFO: Current debug levels:
[...]
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
[...]
 Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]
Checking 870 objects
Fix isDeleted originating_change_time on 'CN=Deleted
Objects,DC=example,DC=com' [YES]
ldb:acl_modify: isDeleted
Sorting rpmd with attid exception 3 rDN=CN DN=CN=Deleted
Objects,DC=example,DC=com
Checked 870 objects (1 errors)

> upgradeprovision completes without complaint.

This is what it actually says:

# upgradeprovision
Creating a reference provision
No IPv6 address will be assigned
Copy privilege
Update base samdb by searching difference with reference one
You still have the old DNS object for managing dynamic DNS, but you
didn't supply --full so a correct update can't be done

so no errors, but I'm not sure if it did anything.

> But upgradeprovision --full fails as follows (with some debug print
> statements added just before the failure):
>
> Creating a reference provision
> No IPv6 address will be assigned
> Copy privilege
> Update base samdb by searching difference with reference one
> Starting update of samdb
> There are 76 missing objects
> Reloading a merged schema, which might trigger reindexing so please be patient
> Schema reloaded!
> dn= CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> basedn= DC=example,DC=com
> attrs= msDS-hasMasterNCs
> res.count == 0
> Exception during upgrade of samdb:
> Traceback (most recent call last):
>  File "/usr/local/samba/sbin/upgradeprovision", line 1205, in update_partition
>    provisionUSNs)
>  File "/usr/local/samba/sbin/upgradeprovision", line 1080, in update_present
>    basedn, usns, samdb)
>  File "/usr/local/samba/sbin/upgradeprovision", line 904, in
> checkKeepAttributeWithMetadata
>    curval, refval, delta)
>  File "/usr/local/samba/sbin/upgradeprovision", line 788, in handle_links
>    for e in res[0][att]:
> IndexError: list index out of range
> Update failed
> Rolling back all changes. Check the cause of the problem
> Your system is as it was before the upgrade
>
> So it seems that this search for CN=NTDS Settings returns nothing:
>
>    res = samdb.search(expression="dn=%s" % dn, base=basedn,
>                        controls=["search_options:1:2", "reveal:1"],
>                        attrs=[att])
>
> The strange thing is that if I do the same search from the command
> line it works fine:
>
> # ldbsearch -H private/sam.ldb --controls="search_options:1:2
> reveal:1" "dn=CN=NTDS
> Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
> msDS-hasMasterNCs
> # record 1
> dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> msDS-hasMasterNCs: CN=Configuration,DC=example,DC=com
> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=example,DC=com
> msDS-hasMasterNCs: DC=example,DC=com

With the following workaround upgradeprovision --full completes, but
obviously hasn't fixed everything it should have:

--- a/sbin/upgradeprovision
+++ b/sbin/upgradeprovision
@@ -886,7 +886,7 @@ def checkKeepAttributeWithMetadata(delta, att, message, refe
     dn = current[0].dn

     for att in list(delta):
-        if att in ["dn", "objectSid"]:
+        if att in ["dn", "objectSid", "msDS-hasMasterNCs"]:
             delta.remove(att)
             continue
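Review bot: adding "msDS-hasMasterNCs" to the skip list next to "dn" and "objectSid" drops that attribute from delta for every object the loop visits, so any real difference in it against the reference provision is silently never applied. The traceback earlier in this message puts the actual failure in handle_links, at `for e in res[0][att]:`, where the search result is indexed without checking that it returned anything. I would rather see that lookup test for an empty result and report the DN it could not find, and keep this list unchanged. If the skip stays as a stopgap, it needs a comment saying it is a workaround and why.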

# upgradeprovision --full
Creating a reference provision
No IPv6 address will be assigned
Copy privilege
Update base samdb by searching difference with reference one
Starting update of samdb
There are 76 missing objects
Reloading a merged schema, which might trigger reindexing so please be patient
Schema reloaded!
There are 7 changed objects
Update of samdb finished
Update of secrets.ldb
IMPORTANT!!! If you were using Dynamic DNS before you need to update
your configuration, so that the tkey-gssapi-credential has the
following value: DNS/samba.example.com
Update machine account
Some defaultSecurityDescriptors and/orsecurityDescriptor have changed,
recalculating SD
Unable to set ACLs on policies related objects: an integer is required
Upgrade finished!
Reopenning samdb to trigger reindexing if needed after modification
Reindexing finished

Also, the message about not being able to set ACLs on policies related
to objects looks like it might be a problem.

Running dbcheck again after the upgradeprovision finds a bunch more GUID errors:

# samba-tool dbcheck --fix --yes
Checking 944 objects
ERROR: incorrect GUID component for objectCategory in object
DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
- <GUID=aae56a27-1de9-4188-afff-3a05b57aef73>;CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
Change DN to <GUID=cad206ef-f29f-4d88-8822-4b30cf4aef1b>;CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com?
[YES]
Fixed incorrect GUID on attribute objectCategory
[...]
Checked 944 objects (83 errors)

And re-running dbcheck immediately finds another 2 errors (in addition
to the one from before) that it doesn't fix:

# samba-tool dbcheck --fix --yes
Checking 944 objects
ERROR: missing GUID component for wellKnownObjects in object
DC=DomainDnsZones,DC=example,DC=com -
B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
Objects,DC=DomainDnsZones,DC=example,DC=com
unable to find object for DN CN=Deleted
Objects,DC=DomainDnsZones,DC=example,DC=com - (No such Base DN:
CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com)
Not removing dangling forward link
ERROR: missing GUID component for wellKnownObjects in object
DC=ForestDnsZones,DC=example,DC=com -
B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
Objects,DC=ForestDnsZones,DC=example,DC=com
unable to find object for DN CN=Deleted
Objects,DC=ForestDnsZones,DC=example,DC=com - (No such Base DN:
CN=Deleted Objects,DC=ForestDnsZones,DC=example,DC=com)
Not removing dangling forward link
Fix isDeleted originating_change_time on 'CN=Deleted
Objects,DC=example,DC=com' [YES]
Checked 944 objects (3 errors)

-- 
Michael Wood <esiotrot at gmail.com>
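
Added example, not part of the original message or of Samba: a small Python helper that compares two consecutive `samba-tool dbcheck --fix` runs and lists the findings that were reported in the first run and came back in the second, which is the non-converging behaviour described above. The sample output is constructed from lines quoted in the message, with the e-mail line wrapping undone; the line formats it matches are assumed from that output only.

```python
import re

# Formats assumed from the dbcheck output quoted in the message above.
SUMMARY = re.compile(r"^Checked (\d+) objects \((\d+) errors\)$")
PROMPT = re.compile(r"\s*\[[^\]]*\]\s*\S*$")  # trailing "[YES]" or "[y/N/all/none] y"

def parse_run(text):
    """Return (findings, (objects, errors)) for one dbcheck run."""
    findings, summary = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("ERROR: ") or line.startswith("Fix "):
            # Drop the interactive prompt so the same finding compares equal
            # whether it was answered with --yes or by hand.
            findings.append(PROMPT.sub("", line))
    return findings, summary

def unresolved(first_run, second_run):
    """Findings from the first run that are reported again in the second."""
    seen = set(parse_run(first_run)[0])
    repeated = []
    for finding in parse_run(second_run)[0]:
        if finding in seen and finding not in repeated:
            repeated.append(finding)
    return repeated

# Constructed sample: two runs back to back, unwrapped to one finding per line.
RUN_1 = """Checking 870 objects
ERROR: dsServiceName not in GUID form in @ROOTDSE
Change dsServiceName to GUID form? [y/N] y
Changed dsServiceName to GUID form
Fix isDeleted originating_change_time on 'CN=Deleted Objects,DC=example,DC=com' [y/N/all/none] y
Checked 870 objects (2 errors)
"""
RUN_2 = """Checking 870 objects
Fix isDeleted originating_change_time on 'CN=Deleted Objects,DC=example,DC=com' [YES]
Checked 870 objects (1 errors)
"""

if __name__ == "__main__":
    for finding in unresolved(RUN_1, RUN_2):
        print("still reported after --fix:", finding)
    print("second run summary (objects, errors):", parse_run(RUN_2)[1])
```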

