[Samba] samba_upgradedns: No such Base DN

Rowland Penny rpenny at samba.org
Fri Nov 4 12:10:52 UTC 2022 


On 04/11/2022 11:53, Denis CARDON via samba wrote:
> Hi Lorenzo,
> 
> Le 03/11/2022 à 16:49, Lorenzo Milesi via samba a écrit :
>> I'm upgrading a 4.14 DC with a second node running 4.16.6.
>>
>> When trying to set up bind, I get the following error:
>>
>> # samba_upgradedns --dns-backend=BIND9_DLZ --realm=WDC.DOMAIN.IT
>> Reading domain information
>> Traceback (most recent call last):
>>    File "/usr/sbin/samba_upgradedns", line 292, in <module>
>>      names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, 
>> ldbs.idmap,
>>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
>> line 336, in find_provision_key_parameters
>>      dns_admins_sid = get_dnsadmins_sid(samdb, names.domaindn)
>>    File "/usr/lib/python3/dist-packages/samba/provision/sambadns.py", 
>> line 75, in get_dnsadmins_sid
>>      res = samdb.search(base=base_dn, scope=ldb.SCOPE_BASE, 
>> attrs=["objectSid"])
>> _ldb.LdbError: (32, 'No such Base DN: 
>> CN=DnsAdmins,OU=DOMusers,DC=wdc,DC=domain,DC=it')
>>
>> I guess this is because I ran "redirusr" to set the default OU? I see 
>> no option for samba_upgradedns to set a custom base DN...
>> How can I sort this out?
> 
> yes, this is a bug. I already had this once. DNSAdmins group is kind of 
> problematic because it doesn't have a well-known-sid [1], and it can be 
> moved around... So it is a mess.

Yes. I would tend to agree, it is a bug. It doesn't have a well know sid 
because it isn't a well known group with a defined RID, yet the search 
sort of treats it as if it is.

> 
> But since moving around this group is a bad idea, I'd say the scripts 
> should hardcode cn=users.

Why is it a bad idea to move DnsAdmins, as far as I can see, the group 
is just a group. In my opinion, the search should be changed to look 
everywhere for it and if it isn't found then create it in wherever 
'A9D1CA15768811D1ADED00C04FD8D5CD' points to.

> 
> For the time being, you can just redirusr to the default cn=users, do 
> the samba_upgradedns command, and then change it back.
> 

Rowland

More information about the samba mailing list