Recommended Upgrade technique for 4.0.3 (was Re: [Samba] Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

[Thomas Simmons]

Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
(but do nothing after make install)? If it will make things worse in any
way, I can stay at 4.0.0. Thanks, Thomas.


On Thu, Feb 14, 2013 at 8:43 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2013-02-14 at 18:51 -0500, Thomas Simmons wrote:
> > Hello,
> >
> > Is it necessary or recommended to run 'samba-tool dbcheck --cross-ncs
> > --fix' and 'samba-tool ntacl sysvolreset' when upgrading from 4.0.0 to
> > 4.0.3?
>
> We are still trying to work out the safest upgrade path.  In the short
> term, you don't need to do either, but to get the ACLs fixed, then
> eventually a dbcheck run will be required.
>
> We have hesitated to recommend this, as it may make it a little harder
> for us to have our 'samba_upgradeprovision' tool automatically correct
> some of the nTSecurityDescriptor values.  (We had the wrong values in
> the provision template).
>
> The issue is that, frankly, the samba_upgradeprovision tool is an
> incredibly big hammer, is internally complex and finally it isn't
> working correctly in my tests.  When run in --full mode, it does some
> complex manipulations to tell the difference between what a new
> provision would do, and what you have in the old one, and merge the
> difference.  This is particularly hard to do for security descriptors.
>
> The alternative I'm leaning to is the simpler approach of a reset tool,
> that will reset some key security descriptors, and require the
> administrator to reinstate any specific changes they actually want.
>
> In summary, I don't have a recommended technique yet, but we hope to get
> one soon.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>