Moving from beta/test environment to production

Dieter Modig dieter.m at inputinterior.se
Wed Jan 2 02:46:29 MST 2013


Hi! 

I hope you all got a well deserved rest during the holidays! :) 

We decided this would be a good time to upgrade to the official Samba4 release. Everything but GPOs seem to be working after the upgrade. We don't see any difference in the behaviour :( Can't create new GPO but can edit the existing ones. Attempt to create a GPO with samba-tool gave the following error "ERROR(runtime): uncaught exception - (-1073741565, 'NT_STATUS_NOT_A_DIRECTORY')". 

We gathered from previous responses to this thread that attempting to get another DC as master was not likely to succeed. Is there any way to revert to default with policies and get a fresh start? We can export the GPO:s we have today and then scrap them all and reset all permissions on files and database. Would that be a viable solution? 

Regards, 
/Dieter 

----- Ursprungligt meddelande -----

> Från: "Andrew Bartlett" <abartlet at samba.org>
> Till: "Dieter Modig" <dieter.m at inputinterior.se>
> Kopia: samba-technical at lists.samba.org
> Skickat: tisdag, 18 dec 2012 9:31:25
> Ämne: Re: Moving from beta/test environment to production

> On Tue, 2012-12-18 at 09:18 +0100, Dieter Modig wrote:
> > Hi!
> >
> > Now that samba4 is officially here we're tried a clean install and
> > the installation is very nice! Smooth and helpful all the way.
> > Good job!
> >
> > The next step for us (considering our broken GPOs) would be to
> > somehow move over to a new nice production environment with a
> > moderate amount of work and we wanted your opinion on how to get
> > there. There seems to be two ways to reach the finish line on
> > this;
> > 1. Set up a newly installed fresh machine as member server and move
> > master functionality to that one and then kill off the
> > beta/test-machine or
> > 2. Export/backup the database (users and computers only) and then
> > treat everything like disaster recovery on to a new installation
> > with the same domain name and then rebuild the GPOs (they can be
> > fairly easily exported/imported)
> >
> > What would you guys recommend at this stage and is it at all
> > possible without messing everyting up more? Secret option number 3
> > would be to do a complete overhaul and rebuild the entire domain
> > from scratch but that just doesn't sound like much fun :)
> >
> > We actually have _not_ tried to upgrade our rc4 to the official
> > version but since none of the upgrades have fixed the GPO problem
> > so far we're not holding our breath on that one.

> GPOs should be fixed in the final release, we got that working in rc5
> (from memory). Some of the issues/failures were actually pretty
> simple
> but devastating in how they broke GPOs.

> Upgrading (keep a backup) your rc4 to the official version, and
> setting
> 'acl:search=false' is probably the most practical option at this
> point.

> (This option is required because an domain prior to the 4.0.0 release
> has some incorrect ACLs, and if we honour those for reads, some
> things
> break. A tool to fix those will be available soon, but in the
> meantime
> we just allow all users to read all non-confidential attributes).

> I don't suggest trying to set up a second server, and transfer roles,
> because that process has shown itself to be less reliable than just
> upgrading in place. It certainly should work, but I think in-place
> will
> just be better for you.

> You should probably have a good backup, and perhaps a second server
> anyway. See the source4/scripting/bin/samba_backup script.

> Andrew Bartlett

> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org


More information about the samba-technical mailing list