upgradeprovision --full fails to find CN=NTDS Settings

Matthieu Patou mat at samba.org
Sun Dec 18 09:12:51 MST 2011


Hi Michael,

On 18/12/2011 13:42, Michael Wood wrote:
> On 17 December 2011 12:39, Michael Wood<esiotrot at gmail.com>  wrote:
>> Hi
>>
>> I'm trying to upgrade an old installation of Samba 4 from
>> 4.0.0alpha12-GIT-77b9b97 to 4.0.0alpha18-GIT-35605fa.
>>
>> The build works fine.
>>
>> samba-tool dbcheck --fix finds and fixes a bunch of things.
> The vast majority of the fixes are like this:
>
> ERROR: missing GUID component for objectCategory in object
> CN=System,DC=example,DC=com -
> CN=Container,CN=Schema,CN=Configuration,DC=example,DC=com
> Change DN to<GUID=47288117-6896-4151-b2af-4921180a3ccf>;CN=Container,CN=Schema,CN=Configuration,DC=example,DC=com?
> [YES]
> Fixed missing GUID on attribute objectCategory
>
> and it ends like this:
>
> ERROR: dsServiceName not in GUID form in @ROOTDSE
> Change dsServiceName to GUID form? [y/N] y
> Changed dsServiceName to GUID form
> Checked 870 objects (226 errors)
>
> If I run it again immediately I get this:
>
> # samba-tool dbcheck --fix
> Checking 870 objects
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=example,DC=com' [y/N/all/none] y
> Checked 870 objects (1 errors)
> # samba-tool dbcheck --fix
> Checking 870 objects
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=example,DC=com' [y/N/all/none] y
> Checked 870 objects (1 errors)
>
> So although it asks if I want to fix that error, it can't seem to do it.
>
> And with -d10:
>
> # samba-tool dbcheck --fix --yes -d10
> INFO: Current debug levels:
> [...]
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> Processing section "[globals]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> Security token SIDs (1):
>    SID[  0]: S-1-5-18
>   Privileges (0xFFFFFFFFFFFFFFFF):
> [...]
>   Rights (0x               0):
> lpcfg_servicenumber: couldn't find ldb
> schema_fsmo_init: we are master[yes] updates allowed[no]
> Checking 870 objects
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=example,DC=com' [YES]
> ldb:acl_modify: isDeleted
> Sorting rpmd with attid exception 3 rDN=CN DN=CN=Deleted
> Objects,DC=example,DC=com
> Checked 870 objects (1 errors)
>
>> upgradeprovision completes without complaint.
> This is what it actually says:
>
> # upgradeprovision
> Creating a reference provision
> No IPv6 address will be assigned
> Copy privilege
> Update base samdb by searching difference with reference one
> You still have the old DNS object for managing dynamic DNS, but you
> didn't supply --full so a correct update can't be done
>
> so no errors, but I'm not sure if it did anything.
>
>> But upgradeprovision --full fails as follows (with some debug print
>> statements added just before the failure):
>>
>> Creating a reference provision
>> No IPv6 address will be assigned
>> Copy privilege
>> Update base samdb by searching difference with reference one
>> Starting update of samdb
>> There are 76 missing objects
>> Reloading a merged schema, which might trigger reindexing so please be patient
>> Schema reloaded!
>> dn= CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>> basedn= DC=example,DC=com
>> attrs= msDS-hasMasterNCs
>> res.count == 0
>> Exception during upgrade of samdb:
>> Traceback (most recent call last):
>>   File "/usr/local/samba/sbin/upgradeprovision", line 1205, in update_partition
>>     provisionUSNs)
>>   File "/usr/local/samba/sbin/upgradeprovision", line 1080, in update_present
>>     basedn, usns, samdb)
>>   File "/usr/local/samba/sbin/upgradeprovision", line 904, in
>> checkKeepAttributeWithMetadata
>>     curval, refval, delta)
>>   File "/usr/local/samba/sbin/upgradeprovision", line 788, in handle_links
>>     for e in res[0][att]:
>> IndexError: list index out of range
>> Update failed
>> Rolling back all changes. Check the cause of the problem
>> Your system is as it was before the upgrade
>>
>> So it seems that this search for CN=NTDS Settings returns nothing:
>>
>>     res = samdb.search(expression="dn=%s" % dn, base=basedn,
>>                         controls=["search_options:1:2", "reveal:1"],
>>                         attrs=[att])
>>
>> The strange thing is that if I do the same search from the command
>> line it works fine:
>>
>> # ldbsearch -H private/sam.ldb --controls="search_options:1:2
>> reveal:1" "dn=CN=NTDS
>> Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
>> msDS-hasMasterNCs
>> # record 1
>> dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>> msDS-hasMasterNCs: CN=Configuration,DC=example,DC=com
>> msDS-hasMasterNCs: CN=Schema,CN=Configuration,DC=example,DC=com
>> msDS-hasMasterNCs: DC=example,DC=com
> With the following workaround upgradeprovision --full completes, but
> obviously hasn't fixed everything it should have:
>
> --- a/sbin/upgradeprovision
> +++ b/sbin/upgradeprovision
> @@ -886,7 +886,7 @@ def checkKeepAttributeWithMetadata(delta, att, message, refe
>       dn = current[0].dn
>
>       for att in list(delta):
> -        if att in ["dn", "objectSid"]:
> +        if att in ["dn", "objectSid", "msDS-hasMasterNCs"]:
>               delta.remove(att)
>               continue
>
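Review bot: adding "msDS-hasMasterNCs" to the skip list next to "dn" and "objectSid" removes the attribute from delta, so any difference in it between the reference provision and the current one is silently left unreconciled; this hides the crash instead of addressing it. The traceback above points at handle_links, where `for e in res[0][att]:` indexes the search result without checking that anything was returned (the debug output shows res.count == 0). I would rather see an explicit check for an empty result there, with an error that names the DN and base that were searched, and a look at why the search with base=basedn finds nothing when the same expression run through ldbsearch returns the record. If the skip has to stay as a stopgap, it needs a comment explaining why this attribute is excluded.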
> # upgradeprovision --full
> Creating a reference provision
> No IPv6 address will be assigned
> Copy privilege
> Update base samdb by searching difference with reference one
> Starting update of samdb
> There are 76 missing objects
> Reloading a merged schema, which might trigger reindexing so please be patient
> Schema reloaded!
> There are 7 changed objects
> Update of samdb finished
> Update of secrets.ldb
> IMPORTANT!!! If you were using Dynamic DNS before you need to update
> your configuration, so that the tkey-gssapi-credential has the
> following value: DNS/samba.example.com
> Update machine account
> Some defaultSecurityDescriptors and/orsecurityDescriptor have changed,
> recalculating SD
> Unable to set ACLs on policies related objects: an integer is required
> Upgrade finished!
> Reopenning samdb to trigger reindexing if needed after modification
> Reindexing finished
>
> Also, the message about not being able to set ACLs on policies related
> to objects looks like it might be a problem.
>
> Running dbcheck again after the upgradeprovision finds a bunch more GUID errors:
>
> # samba-tool dbcheck --fix --yes
> Checking 944 objects
> ERROR: incorrect GUID component for objectCategory in object
> DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
> -<GUID=aae56a27-1de9-4188-afff-3a05b57aef73>;CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
> Change DN to<GUID=cad206ef-f29f-4d88-8822-4b30cf4aef1b>;CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com?
> [YES]
> Fixed incorrect GUID on attribute objectCategory
> [...]
> Checked 944 objects (83 errors)
>
> And re-running dbcheck immediately finds another 2 errors (in addition
> to the one from before) that it doesn't fix:
>
> # samba-tool dbcheck --fix --yes
> Checking 944 objects
> ERROR: missing GUID component for wellKnownObjects in object
> DC=DomainDnsZones,DC=example,DC=com -
> B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
> Objects,DC=DomainDnsZones,DC=example,DC=com
> unable to find object for DN CN=Deleted
> Objects,DC=DomainDnsZones,DC=example,DC=com - (No such Base DN:
> CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com)
> Not removing dangling forward link
> ERROR: missing GUID component for wellKnownObjects in object
> DC=ForestDnsZones,DC=example,DC=com -
> B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
> Objects,DC=ForestDnsZones,DC=example,DC=com
> unable to find object for DN CN=Deleted
> Objects,DC=ForestDnsZones,DC=example,DC=com - (No such Base DN:
> CN=Deleted Objects,DC=ForestDnsZones,DC=example,DC=com)
> Not removing dangling forward link
> Fix isDeleted originating_change_time on 'CN=Deleted
> Objects,DC=example,DC=com' [YES]
> Checked 944 objects (3 errors)
>
Please file a bug for me and try to ping me within a week on this subject; I
have to take a deep look at it ...

-- 
Matthieu Patou
Samba Team
http://samba.org


