Recommended Upgrade technique for 4.0.3 (was Re: [Samba] Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

[Andrew Bartlett]

On Thu, 2013-02-14 at 18:51 -0500, Thomas Simmons wrote:
> Hello,
> 
> Is it necessary or recommended to run 'samba-tool dbcheck --cross-ncs
> --fix' and 'samba-tool ntacl sysvolreset' when upgrading from 4.0.0 to
> 4.0.3?

We are still trying to work out the safest upgrade path.  In the short
term, you don't need to do either, but to get the ACLs fixed, then
eventually a dbcheck run will be required.

We have hesitated to recommend this, as it may make it a little harder
for us to have our 'samba_upgradeprovision' tool automatically correct
some of the nTSecurityDescriptor values.  (We had the wrong values in
the provision template).  

The issue is that, frankly, the samba_upgradeprovision tool is an
incredibly big hammer, is internally complex and finally it isn't
working correctly in my tests.  When run in --full mode, it does some
complex manipulations to tell the difference between what a new
provision would do, and what you have in the old one, and merge the
difference.  This is particularly hard to do for security descriptors. 

The alternative I'm leaning to is the simpler approach of a reset tool,
that will reset some key security descriptors, and require the
administrator to reinstate any specific changes they actually want. 

In summary, I don't have a recommended technique yet, but we hope to get
one soon.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org