Possible regression in samba-tool provision

John Mulligan phlogistonjohn at asynchrono.us
Fri Mar 24 14:10:36 UTC 2023

Hi samba team,

One of our projects consumes container images based on nightly rpm builds of 
samba master. Over the last day or two one of our test jobs has been failing 
and I think it is due to recent changes.  This might only affect mit krb5 based 

When provisioning a domain we see a traceback like so:

INFO 2023-03-23 21:22:50,399 pid:6 /usr/lib64/python3.10/site-packages/samba/
provision/__init__.py #2021: Fixing provision GUIDs
ERROR(<class 'AttributeError'>): uncaught exception - 'DomainUpdate' object 
has no attribute 'upper'
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py", line 
230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/domain.py", line 555, 
in run
    result = provision(self.logger,
  File "/usr/lib64/python3.10/site-packages/samba/provision/__init__.py", line 
2408, in provision
    create_kdc_conf(paths.kdcconf, realm, domain, os.path.dirname(lp.get("log 
  File "/usr/lib64/python3.10/site-packages/samba/provision/kerberos.py", line 
43, in create_kdc_conf
    domain = domain.upper()
Temporarily overriding 'dsdb:schema update allowed' setting

This is followed by some other logging output but the overall command fails.

I tracked this down to change 4bba26579d124af6c0767bb98bee67357001e1e7 which 
adds some code to `python/samba/provision/__init__.py`. Part of the diff:

> +                try:
> +                    from samba.domain_update import DomainUpdate
> +
> +                    domain = DomainUpdate(samdb, fix=True)
> +                    domain.check_updates_functional_level(adprep_level,
> +                                                         
> DS_DOMAIN_FUNCTION_2008, +                                                 
>         update_revision=True) +
> +                    samdb.transaction_commit()
> +                except Exception as e:
> +                    samdb.transaction_cancel()
> +                    raise e

This block uses the variable domain that gets assigned a DomainUpdate object, 
but the lines below:

>          if not is_heimdal_built():
>              create_kdc_conf(paths.kdcconf, realm, domain,
>              os.path.dirname(lp.get("log file"))) logger.info("The Kerberos            
KDC configuration for Samba AD is "

pass domain to create_kdc_conf which expect the value in domain to be a 
string.  Skimming the code I think this block is the last to use domain 
variable, and the only one to use it after it gets reassigned to a 
DomainUpdate object, so it's probably only the mit krb5 build that will hit 
this error.
A fix might be to just rename `domain` variable in the new block or even remove 
it and chain the 
`DomainUpdate(...).domain.check_updates_functional_level(...)` together.

In the mean time, we think we may be able to work around this issue by using 
the `--adprep-level` option, but we are still investigating.

If you have any other questions, comments, or would prefer I report this to 
bugzilla please just ask.  Thanks!

--John M.

PS: As a python coder, the samdb transaction handling could be written in a 
neater way using a context manager. ;-) ;-)

More information about the samba-technical mailing list