[Samba] samba_upgradeprovision and msDS-SupportedEncryptionTypes / msDS-NcType

Andrew Bartlett abartlet at samba.org
Fri Feb 22 14:48:50 MST 2013

On Fri, 2013-02-22 at 13:12 +0000, Dominic Evans wrote:
> On 22 February 2013 11:48, Andrew Bartlett <abartlet at samba.org> wrote:
> > Indeed, if the domain originally came from windows, then
> > upgradeprovision should NOT be run.  Indeed, I would have hoped that the
> > tool would detect this and would not attempt an upgrade, but clearly
> > this fails.
> Ah. It might be worth adding something in the release notes to make
> this clear. I imagine a lot of new Samba4 users have migrated from
> Windows Server DCs and similarly may not have realised that
> upgradeprovision isn't a generic version-to-version migration step.

We said:

- samba_upgradeprovision should not be run when upgrading to this
  from a recent release.  No important database format changes have
  been made since alpha16.

> > A backup was made before the upgradeprovision process, and I hope you
> > tool your own backup.  Please revert to one of these backups, file a bug
> > along these lines and do not use this tool until I can add more safety
> > checks.
> I did take my own backup beforehand. However, my domain does appear to
> be running perfectly fine at the moment. I've not had any issues from
> users. We did initially lose some manually added DNS entries, but
> these were easy to add back in. The rest of the DNS was re-populated
> by the computers themselves anyway. We don't really use the domain for
> anything much beyond allowing users to logon to any machine in the
> network with their individual username+password, and allowing
> Administrators full remote access to the machines as well. So I'm
> happy to just continue with it in the current state and see how it
> goes.

My current investigations indicate that this tool is NOT safe to use

I can't make any warranty about the continued operation of the domain in
these conditions.  It will be significantly easier to support you with
future issues if this is not part of your domain's history.

samba_upgradeprovision is an amazingly powerful tool, and it has been a
critical part of the support required to keep our earliest sites online
as Samba 4.0 matured though the early alpha releases.  We just need to
tame it to be a much more tested and targeted tool that makes much less
sweeping assumptions about what changes it should make, now that we know
the small number of changes that need to be made from Samba 4.0.0 (and
that domains imported from Windows are in fact already fully correct).  


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list