Trying to understand upgradeprovision

Matthieu Patou mat at samba.org
Fri Feb 15 00:27:23 MST 2013 

On 02/13/2013 09:31 PM, Andrew Bartlett wrote:
> Matthieu,
>
> I've been adding tests to help me understand upgradeprovision, what it
> can do and what it can't do.
>
> The branch this mail is based on is here:
> https://git.samba.org/abartlet/samba.git/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/samba-tool-and-acls
>
> The issue I have is that I can't find any clear description of what
> --full does, and how we can safely use upgradeprovision to correct the
> ACLs that were incorrect in our 4.0.0 release.
Full will not only correct file location it will also generate a 
reference provision and add all the objects that are in the reference 
provision but not in the live one, it will also look at missing and 
changed attributes and add them (well not all because some shouldn't be 
copied but you get the idea).
> Is it the case that without --full, we only do things so clear that we
> should probably do them in dbcheck instead (and have upgradeprovision
> run dbcheck at the end?)
Well dbcheck should check the ... not a kitchen-sink
> I had been under the impression that the SD recalculation was done
> regardless, but when I run these commands:
>
> bin/samba-tool ldapcmp st/provision/alpha13_upgrade/private/sam.ldb
> st/provision/alpha13_upgrade_reference/private/sam.ldb --two domain
> schema --sd > /tmp/ldapcmp-upgrade_sd.txt
>
> bin/samba-tool ldapcmp st/provision/alpha13_upgrade_full/private/sam.ldb
> st/provision/alpha13_upgrade_reference/private/sam.ldb --two domain
> schema --sd > /tmp/ldapcmp-upgrade_full_sd.txt
>
> I see that the SDs are only fixed if we run with --full.  My concern is
> that this mode changes many, many other things about the database, and I
> would prefer to find a 'lighter touch' way to handle this.
Well the lighter way might be --fixdsacl
> Anyway, I include the output from those commands, in the hope that you
> can shed some light.  To reproduce, on my branch first run 'make test
> TESTS=alpha13' and the directories will be produced.
Well the results for the --full looks pretty good, just one object is 
not ok (maybe a bug ?)

Comparing:
'CN=ARES,OU=Domain Controllers,DC=alpha13,DC=samba,DC=corp' 
[st/provision/alpha13_upgrade_full/private/sam.ldb]
'CN=ARES,OU=Domain Controllers,DC=alpha13,DC=samba,DC=corp' 
[st/provision/alpha13_upgrade_reference/private/sam.ldb]
     ACEs found only in st/provision/alpha13_upgrade_full/private/sam.ldb:
         (OA;;SW;DNS-Host-Name-Attributes;;DA)
         (OA;;SW;DNS-Host-Name-Attributes;;PS)
     ACEs found only in 
st/provision/alpha13_upgrade_reference/private/sam.ldb:
         (OA;;SW;Validated-DNS-Host-Name;;DA)
         (OA;;SW;Validated-DNS-Host-Name;;PS)
     FAILED

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org

More information about the samba-technical mailing list