[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

Andrew Bartlett abartlet at samba.org
Fri Feb 15 18:55:57 MST 2013


On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
> > (but do nothing after make install)? If it will make things worse in any
> > way, I can stay at 4.0.0. Thanks, Thomas.
> 
> It's fine to upgrade.  That protects you against the security issue we
> fixed in 4.0.1, and makes a significant number of other fixes.

My current testing shows that:

samba_upgradeprovision --full
dbcheck --cross-ncs [--fix [--yes]]

Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
LDAP object.  The --full is important, without that the result is
actually worse (as far as I can tell).

I would like to make some progress on this before I recommend it as the
final solution.

It is however pretty close, and better than what is in the database
right now.  

These are the ldapcmp results:
Comparing:
'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
        (OA;;SW;Validated-DNS-Host-Name;;DA)
        (OA;;SW;Validated-DNS-Host-Name;;PS)
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
        (OA;;SW;DNS-Host-Name-Attributes;;DA)
        (OA;;SW;DNS-Host-Name-Attributes;;PS)
    FAILED

* Result for [DOMAIN]: FAILURE


* Comparing [DNSDOMAIN] context...

* Objects to be compared: 39

Comparing:
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
    Difference in ACE count:
        => 27
        => 28
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
        (A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)
        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA)
    FAILED


Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
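
The ACE strings in the ldapcmp output above can be compared field by field to see exactly which rights and inheritance flags differ. This is an added example, not part of the original message or of Samba's code; the function names are hypothetical, and it assumes rights and flags appear only as two-letter SDDL mnemonics, as they do in this output.

```python
from collections import namedtuple

Ace = namedtuple("Ace", "type flags rights object inherit_object trustee")

def _pairs(run):
    """Split concatenated two-letter SDDL mnemonics: 'RPWP' -> {'RP', 'WP'}."""
    if len(run) % 2:
        raise ValueError(f"not a run of two-letter mnemonics: {run!r}")
    return frozenset(run[i:i + 2] for i in range(0, len(run), 2))

def parse_ace(text):
    """Parse '(type;flags;rights;object;inherit_object;trustee)'."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"not an ACE: {text!r}")
    fields = text[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {text!r}")
    ace_type, flags, rights, obj, inherit_obj, trustee = fields
    return Ace(ace_type, _pairs(flags), _pairs(rights), obj, inherit_obj, trustee)

def explain_diff(only_ref, only_new):
    """Pair ACEs on (type, object, trustee); report what changed in each pair."""
    ref = {(a.type, a.object, a.trustee): a for a in map(parse_ace, only_ref)}
    new = {(a.type, a.object, a.trustee): a for a in map(parse_ace, only_new)}
    report = {}
    for key in sorted(ref.keys() | new.keys()):
        r, n = ref.get(key), new.get(key)
        if r is None or n is None:
            report[key] = "added" if r is None else "removed"
            continue
        report[key] = {
            "rights_added": sorted(n.rights - r.rights),
            "rights_removed": sorted(r.rights - n.rights),
            "flags_added": sorted(n.flags - r.flags),
            "flags_removed": sorted(r.flags - n.flags),
        }
    return report

# ACE strings copied from the ldapcmp output in the message above.
DC_REF = ["(OA;;SW;Validated-DNS-Host-Name;;DA)", "(OA;;SW;Validated-DNS-Host-Name;;PS)"]
DC_FULL = ["(OA;;SW;DNS-Host-Name-Attributes;;DA)", "(OA;;SW;DNS-Host-Name-Attributes;;PS)"]
ZONE_REF = ["(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"]
ZONE_FULL = ["(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)", "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA)"]

if __name__ == "__main__":
    for name, ref, new in (("DC object", DC_REF, DC_FULL), ("DNS zone", ZONE_REF, ZONE_FULL)):
        for key, change in explain_diff(ref, new).items():
            print(name, key, change)
```

On the DNS zone, the ED entry gains LO (list object) and loses the CI (container inherit) flag, and the LA entry exists only in the upgraded database. On the DC object, the same SW right is attached to a different object name in each database.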



