upgradeprovision --full fails to find CN=NTDS Settings

Michael Wood esiotrot at gmail.com
Thu Jan 5 04:04:47 MST 2012


Hi

On 5 January 2012 09:26, Matthieu Patou <mat at samba.org> wrote:
> On 03/01/2012 14:40, Michael Wood wrote:
>>
>> There are now only a couple of issues left as far as I can see.  If I
>> run "upgradeprovision --full" again, it says "There are 2 missing
>> objects".  I assume that should not be the case?
>>
>> Creating a reference provision
>> No IPv6 address will be assigned
>> Copy privilege
>> Update base samdb by searching difference with reference one
>> Starting update of samdb
>> There are 2 missing objects
>
> What does --debugall say about these objects?

The full debug output is quite long, so I've attached it to the bug report.

Here are the objects it's complaining about:

There are 2 missing objects
Object CN=e83daa04-ca41-468f-9c69-4d08cae983e3,CN=Partitions,CN=Configuration,DC=example,DC=com will be added
Object CN=ecce2cac-d76f-408a-8bf8-067d32debecd,CN=Partitions,CN=Configuration,DC=example,DC=com will be added
Not applying delta to @ATTRIBUTES because there is not only add

Later it says:

Some defaultSecurityDescriptors and/orsecurityDescriptor have changed,
recalculating SD
72 DNs have been marked as needed to be recalculated, recalculating 72
due to inheritance
Checking recalculated SDs
On object CN=e83daa04-ca41-468f-9c69-4d08cae983e3,CN=Partitions,CN=Configuration,DC=example,DC=com
ACL is different
	Owner mismatch: EA (in ref) SY(in current)
	Group mismatch: DU (in ref) SY(in current)

On object CN=ecce2cac-d76f-408a-8bf8-067d32debecd,CN=Partitions,CN=Configuration,DC=example,DC=com
ACL is different
	Owner mismatch: EA (in ref) SY(in current)
	Group mismatch: DU (in ref) SY(in current)

On object DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
ACL is different
	Owner mismatch: LA (in ref) DA(in current)
	Part dacl is different between reference and current here is the detail:
		(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA) ACE is not present in the current
		(A;CIID;RPWPCRCCDCLCRCWOWDSDDTSW;;;S-1-5-21-1669749161-1492036150-3562756080-1102) ACE is not present in the current
		(A;CIID;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED) ACE is not present in the current
[...]

I see no other mention of those objects in the debug output.

>> Also, samba-tool dbcheck complains about the following two things it can't
>> fix:
>>
>> ERROR: missing GUID component for wellKnownObjects in object
>> DC=DomainDnsZones,DC=example,DC=com -
>> B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
>> Objects,DC=DomainDnsZones,DC=example,DC=com
>> unable to find object for DN CN=Deleted
>> Objects,DC=DomainDnsZones,DC=example,DC=com - (No such Base DN:
>> CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com)
>> Not removing dangling forward link
>> ERROR: missing GUID component for wellKnownObjects in object
>> DC=ForestDnsZones,DC=example,DC=com -
>> B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted
>> Objects,DC=ForestDnsZones,DC=example,DC=com
>> unable to find object for DN CN=Deleted
>> Objects,DC=ForestDnsZones,DC=example,DC=com - (No such Base DN:
>> CN=Deleted Objects,DC=ForestDnsZones,DC=example,DC=com)
>> Not removing dangling forward link
>>
>> Should upgradeprovision have created those Base DNs?  Are these
>> perhaps the two "missing objects" that upgradeprovision mentions when
>> it runs?
>
> It's because the code for upgradeprovision is not yet complete enough to
> cope correctly with missing partitions.

OK thanks.

-- 
Michael Wood <esiotrot at gmail.com>

