[Samba] [SOLVED] Re: Problem switching to BIND9_DLZ

Rowland Penny rowlandpenny241155 at gmail.com
Fri Nov 13 09:38:28 UTC 2015


On 13/11/15 07:00, Achim Gottinger wrote:
>
>
> On 13.11.2015 at 07:11, Achim Gottinger wrote:
>> Hi,
>>
>> I try to switch from internal DNS to bind9 on a samba-ad-dc (sernet 
>> 4.1.23 on debian wheezy).
>> I try to run
>>
>> samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and get a Python error pointing to 
>> /usr/lib/python2.7/dist-packages/samba/provision/__init__.py line 271
>>
>> Reading domain information
>> Traceback (most recent call last):
>>   File "/usr/sbin/samba_upgradedns", line 261, in <module>
>>     paths, lp.configfile, lp)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 271, in find_provision_key_parameters
>>     names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
>> IndexError: list index out of range
>>
>>
>> That is the names.policyid line in the snippet below
>>
>> -----------------------------------
>>     res7 = samdb.search(expression="(displayName=Default Domain Policy)",
>>                         base="CN=Policies,CN=System," + basedn,
>>                         scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
>>     names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")

The problem is the way the search is being carried out. It is taken from 
'find_provision_key_parameters' and it expects that the policy is named 
'Default Domain Policy'; this is something that can be changed. If the 
policy name is changed, the search will fail (silently) and then when it 
tries to set 'names.policyid' it then complains.

The search would probably be better something like this:

    res7 = samdb.search(expression="(name={31B2F340-016D-11D2-945F-00C04FB984F9})",
                        base="CN=Policies,CN=System," + basedn,
                        scope=ldb.SCOPE_ONELEVEL, attrs=["cn","displayName"])
    names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")

which is the same as:

ldbsearch -H /usr/local/samba/private/sam.ldb \
    -b "cn=Policies,cn=System,dc=samdom,dc=example,dc=com" -s one \
    '(name={31B2F340-016D-11D2-945F-00C04FB984F9})' cn displayName

which returns:

# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
displayName: Default Domain Policy

Rowland

>>     # dc policy guid
>>     res8 = samdb.search(expression="(displayName=Default Domain Controllers Policy)",
>>                             base="CN=Policies,CN=System," + basedn,
>>                             scope=ldb.SCOPE_ONELEVEL,
>>                             attrs=["cn","displayName"])
>>     if len(res8) == 1:
>>         names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
>>     else:
>>         names.policyid_dc = None
>> -----------------------------------
>>
>> When I compare the branch in question System.Policies.[basedn] with 
>> another server which migrated fine using the above command, I find
>> these entries on the working server with the correct displayName:
>>
>> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=Default Domain Policy
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=Default Domain Controllers Policy
>>
>> On the server with the migration failing I find entries with the same 
>> IDs but different displayName values.
>>
>> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=[my domain name]
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=domain
>>
>> Looking into GPO management it seems I renamed these two policies a 
>> while ago. There are no GPO related issues here with them renamed.
>> I wonder if it is safe to use None for names.policyid as well like it 
>> is used for names.policyid_dc if not found.
>>
>>     if len(res7) == 1:
>>         names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
>>     else:
>>         names.policyid = None
>>
>> Server is in production so I ask here before testing (of course after 
>> a snapshot of that vm).
>>
>> Thanks in advance
>> achim~
> I circumvented the issue by renaming the GPO to "Default Domain 
> Policy", running the script and renaming the GPO back.
>
>
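
An added example, not part of the original posts or of Samba's code: the GUID-based lookup suggested in the reply combined with the length check from the question, run against a constructed directory in which both GPOs have been renamed. `FakeSamDB`, `policy_id`, `SCOPE_ONELEVEL` and the sample records are hypothetical stand-ins so the block runs without Samba installed.

```python
import re

# Well-known GPO GUIDs quoted in the thread; they survive a rename.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
SCOPE_ONELEVEL = 1  # stand-in for ldb.SCOPE_ONELEVEL


class FakeSamDB:
    """Hypothetical in-memory stand-in for samdb; equality filters only."""

    def __init__(self, records):
        self.records = records  # list of (dn, {attr: value})

    def search(self, expression, base, scope, attrs):
        m = re.fullmatch(r"\((\w+)=(.*)\)", expression)
        if m is None:
            raise ValueError("unsupported filter: " + expression)
        attr, value = m.group(1).lower(), m.group(2).lower()
        hits = []
        for dn, rec in self.records:
            parent = dn.split(",", 1)[1].lower()  # one-level: direct children
            lowered = {k.lower(): v for k, v in rec.items()}
            if parent == base.lower() and lowered.get(attr, "").lower() == value:
                hits.append({a: rec[a] for a in attrs if a in rec})
        return hits


def policy_id(samdb, basedn, guid):
    """Return the GUID without braces, or None when the GPO is absent."""
    res = samdb.search(expression="(name=%s)" % guid,
                       base="CN=Policies,CN=System," + basedn,
                       scope=SCOPE_ONELEVEL, attrs=["cn", "displayName"])
    if len(res) != 1:  # never index an empty result
        return None
    return str(res[0]["cn"]).replace("{", "").replace("}", "")


# Constructed sample mirroring the failing server: both GPOs renamed.
BASEDN = "DC=samdom,DC=example,DC=com"
RENAMED = FakeSamDB([
    ("CN=%s,CN=Policies,CN=System,%s" % (g, BASEDN),
     {"cn": g, "name": g, "displayName": label})
    for g, label in [(DEFAULT_DOMAIN_POLICY, "samdom"), (DEFAULT_DC_POLICY, "domain")]
])
```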



