[Samba] samba_upgradedns: No such Base DN
Denis CARDON
dcardon at tranquil.it
Fri Nov 4 11:53:42 UTC 2022
Hi Lorenzo,
On 03/11/2022 at 16:49, Lorenzo Milesi via samba wrote:
> I'm upgrading a 4.14 DC with a second node running 4.16.6.
>
> When trying to set up bind, I get the following error:
>
> # samba_upgradedns --dns-backend=BIND9_DLZ --realm=WDC.DOMAIN.IT
> Reading domain information
> Traceback (most recent call last):
>   File "/usr/sbin/samba_upgradedns", line 292, in <module>
>     names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 336, in find_provision_key_parameters
>     dns_admins_sid = get_dnsadmins_sid(samdb, names.domaindn)
>   File "/usr/lib/python3/dist-packages/samba/provision/sambadns.py", line 75, in get_dnsadmins_sid
>     res = samdb.search(base=base_dn, scope=ldb.SCOPE_BASE, attrs=["objectSid"])
> _ldb.LdbError: (32, 'No such Base DN: CN=DnsAdmins,OU=DOMusers,DC=wdc,DC=domain,DC=it')
>
> I guess this is because I ran "redirusr" to set the default OU? I see no option for samba_upgradedns to set a custom base DN...
> How can I sort this out?
Yes, this is a bug. I already had this once. The DNSAdmins group is kind of
problematic because it doesn't have a well-known SID [1], and it can be
moved around... So it is a mess.
But since moving around this group is a bad idea, I'd say the scripts
should hardcode cn=users.
For the time being, you can just redirusr to the default cn=users, do
the samba_upgradedns command, and then change it back.
Cheers,
Denis
[1] https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins
>
> The main purpose of this change is that I don't want to mix system users with domain ones. What's the best practice in this case? Even if I place the OU inside the default one I'd still have the problem with upgradedns.
> thanks
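
A pre-flight check for the failure discussed above, as an added example that is not part of the original messages or of Samba's code: it reads the users-container entry from the domain head's wellKnownObjects values and compares the DN where DnsAdmins would be looked up with where the group really is. The sample values are constructed, and the function names and the assumption that the group stayed in CN=Users are hypothetical.

```python
# Added example. GUID that tags the default users container in the
# domain head's wellKnownObjects attribute (this is what redirusr edits).
USERS_GUID = "A9D1CA15768811D1ADED00C04FD8D5CD"

def users_container_dn(well_known_objects):
    """Return the DN mapped to the users container, or None.
    Values use the DN-with-binary syntax B:<char count>:<hex GUID>:<DN>."""
    for value in well_known_objects:
        parts = value.split(":", 3)
        if len(parts) != 4 or parts[0] != "B":
            continue  # not a DN-with-binary value
        _, length, guid, dn = parts
        if length == str(len(guid)) and guid.upper() == USERS_GUID:
            return dn
    return None

def dn_key(dn):
    """Simplified DN comparison key: lower case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_dnsadmins(well_known_objects, actual_dn):
    """Compare where DnsAdmins is expected (assumption: directly under the
    users container, as the DN in the error suggests) with where it is."""
    container = users_container_dn(well_known_objects)
    if container is None:
        return {"ok": False, "expected": None, "redirected": None}
    expected = "CN=DnsAdmins," + container
    return {"ok": dn_key(expected) == dn_key(actual_dn),
            "expected": expected,
            "redirected": not dn_key(container).startswith("cn=users,")}

# Constructed sample values modelled on the thread's domain.
BASE = "DC=wdc,DC=domain,DC=it"
DEFAULT = ["B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers," + BASE,
           "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users," + BASE]
REDIRECTED = [DEFAULT[0],
              "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=DOMusers," + BASE]
# Assumption: the group itself was left in CN=Users.
DNSADMINS_DN = "CN=DnsAdmins,CN=Users," + BASE

if __name__ == "__main__":
    for name, wko in (("default", DEFAULT), ("redirected", REDIRECTED)):
        print(name, check_dnsadmins(wko, DNSADMINS_DN))
```

The two inputs are the wellKnownObjects values of the domain head and the DN returned by a search for sAMAccountName=DnsAdmins.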