[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue Feb 26 04:36:32 MST 2013


On Sat, 2013-02-16 Andrew Bartlett wrote:
> On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
>> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
>> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
>> > > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
>> > > (but do nothing after make install)? If it will make things worse in any
>> > > way, I can stay at 4.0.0. Thanks, Thomas.
>> > 
>> > It's fine to upgrade.  That protects you against the security issue we
>> > fixed in 4.0.1, and makes a significant number of other fixes.
>> 
>> My current testing shows that:
>> 
>> samba_upgradeprovision --full
>> dbcheck --cross-ncs [--fix [--yes]]
>> 
>> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
>> LDAP object.  The --full is important, without that the result is
>> actually worse (as far as I can tell).
>> 
>> I would like to make some progress on this before I recommend it as the
>> final solution.
>> 
>> It is however pretty close, and better than what is in the database
>> right now.  
> 
> I retract any advice to run this tool.  I hope to have patches soon, but
> for the moment it treats any beta or release version as being *before*
> alpha9.  Essentially we have been caught out by a regex that never
> expected Samba to move beyond endless alphas :-)
> 
> Please do not run samba_upgradeprovision under any circumstances, until
> I have tested patches to fix this. 

Since the discussion on samba-technical gave somehow mixed
recommendations about whether it should be run or not, I had attempted
to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. I
figured out that as I'm having some problems with my group policies
anyway, and am not generally using them, it shouldn't hurt too much.
(Back then, I had missed this thread, as I had mistakenly only followed
the samba-technical list.)

Here are my experiences:

First, the command failed with Python errors because I don't run DNS in
my AD, and as such didn't have the DnsAdmins group. I then went on to
create the said group.

Second, it asked me to run the following command, and then re-run it:
"ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif"

I ran it. Don't know exactly what it did, but I didn't get any errors.

Third, it finally didn't run at all, as it stated that multiple DC
setups aren't supported. This wasn't stated anywhere in advance. The
command doesn't have a manpage, and the "--help" switch doesn't give any
clue what the command is actually supposed to do.

So in the end I didn't run it at all, as it can only be run in single DC
setups. But I did run the ldbadd command, and don't know how serious a
mistake that was.

Afterwards, I tried to run "samba-tool dbcheck --cross-ncs --fix", and
unlike in 4.0.0, it didn't manage to fix everything:

Checking 3378 objects
ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site? [y/N/all/none] all
Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65,
"objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on
entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site'
wasn't specified!")
ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site? [YES]
Failed to correct missing instanceType on CN=RID
Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting
instanceType=4 : (65, "objectclass_attrs: at least one mandatory
attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site' wasn't specified!")
Checked 3378 objects (0 errors)

Don't know if I should be worried about these errors, though, or whether
they have anything to do with my mistaken ldbadd command.


Pekka L.J. Jalkanen

