On 13/11/15 07:00, Achim Gottinger wrote:
>
>
> On 13.11.2015 at 07:11, Achim Gottinger wrote:
>> Hi,
>>
>> I try to switch from internal DNS to bind9 on a samba-ad-dc (sernet
>> 4.1.23 on debian wheezy).
>> I try to run
>>
>> samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and get a python error pointing to
>> /usr/lib/python2.7/dist-packages/samba/provision/__init__.py line 271
>>
>> Reading domain information
>> Traceback (most recent call last):
>>   File "/usr/sbin/samba_upgradedns", line 261, in <module>
>>     paths, lp.configfile, lp)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 271, in find_provision_key_parameters
>>     names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
>> IndexError: list index out of range
>>
>>
>> That is the names.policyid line in below snippet
>>
>> -----------------------------------
>> res7 = samdb.search(expression="(displayName=Default Domain Policy)",
>>                     base="CN=Policies,CN=System," + basedn,
>>                     scope=ldb.SCOPE_ONELEVEL,
>>                     attrs=["cn","displayName"])
>> names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")

The problem is the way the search is being carried out. It is taken from 'find_provision_key_parameters' and it expects that the policy is named 'Default Domain Policy', this is something that can be changed. If the policy name is changed, the search will fail (silently) and then when it tries to set 'names.policyid' it then complains.
The search would probably be better something like this:

res7 = samdb.search(expression="(name={31B2F340-016D-11D2-945F-00C04FB984F9})",
                    base="CN=Policies,CN=System," + basedn,
                    scope=ldb.SCOPE_ONELEVEL,
                    attrs=["cn","displayName"])
names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")

which is the same as:

ldbsearch -H /usr/local/samba/private/sam.ldb -b "cn=Policies,cn=System,dc=samdom,dc=example,dc=com" -s one '(name={31B2F340-016D-11D2-945F-00C04FB984F9})' cn displayName

which returns:

# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
displayName: Default Domain Policy

Rowland

>> # dc policy guid
>> res8 = samdb.search(expression="(displayName=Default Domain Controllers Policy)",
>>                     base="CN=Policies,CN=System," + basedn,
>>                     scope=ldb.SCOPE_ONELEVEL,
>>                     attrs=["cn","displayName"])
>> if len(res8) == 1:
>>     names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
>> else:
>>     names.policyid_dc = None
>> -----------------------------------
>>
>> When I compare the branch in question System.Policies.[basedn] with
>> another server which migrated fine using above command I find
>> these entries on the working server with the correct displayName:
>>
>> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=Default Domain Policy
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=Default Domain Controllers Policy
>>
>> On the server with the migration failing I find entries with the same
>> id's but different displayName values.
>>
>> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=[my domain name]
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=domain
>>
>> Looking into GPO management it seems I renamed these two policies a
>> while ago. There are no GPO related issues here with them renamed.
>> I wonder if it is safe to use None for names.policyid as well like it
>> is used for names.policyid_dc if not found.
>>
>> if len(res7) == 1:
>>     names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
>> else:
>>     names.policyid = None
>>
>> Server is in production so I ask here before testing (of course after
>> a snapshot of that vm).
>>
>> Thanks in advance
>> achim~
> I circumvented the issue by renaming the GPO to "Default Domain
> Policy" run the script and rename the GPO back.
>
>

mourik jan heupink
2015-Nov-13 10:20 UTC
[Samba] [SOLVED] Re: Problem switching to BIND9_DLZ
Hi Rowland, Achim, list,

> The search would probably be better something like this:
>
> res7 = samdb.search(expression="(name={31B2F340-016D-11D2-945F-00C04FB984F9})",
>                     base="CN=Policies,CN=System," + basedn,
>                     scope=ldb.SCOPE_ONELEVEL,
>                     attrs=["cn","displayName"])
> names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
>
> which is the same as:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b "cn=Policies,cn=System,dc=samdom,dc=example,dc=com" -s one '(name={31B2F340-016D-11D2-945F-00C04FB984F9})' cn displayName
>
> which returns:
>
> # record 1
> dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
> cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
> displayName: Default Domain Policy
>
> Rowland

Yes, that is much better, and also is similar to the way Windows searches for these policies:

https://support.microsoft.com/en-us/kb/556025

MJ

On 13/11/15 10:20, mourik jan heupink wrote:
> Hi Rowland, Achim, list,
>
>> The search would probably be better something like this:
>>
>> res7 = samdb.search(expression="(name={31B2F340-016D-11D2-945F-00C04FB984F9})",
>>                     base="CN=Policies,CN=System," + basedn,
>>                     scope=ldb.SCOPE_ONELEVEL,
>>                     attrs=["cn","displayName"])
>> names.policyid = str(res7[0]["cn"]).replace("{","").replace("}","")
>>
>> which is the same as:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b "cn=Policies,cn=System,dc=samdom,dc=example,dc=com" -s one '(name={31B2F340-016D-11D2-945F-00C04FB984F9})' cn displayName
>>
>> which returns:
>>
>> # record 1
>> dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
>> cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
>> displayName: Default Domain Policy
>>
>> Rowland
>
> Yes, that is much better, and also is similar to the way windows
> searches for these policies:
>
> https://support.microsoft.com/en-us/kb/556025
>
> MJ
>

If Achim opens a bug report on this, I will propose a patch to fix it.

Rowland
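
Added example, not part of the thread and not Samba's code: the failure from the traceback and the lookup by well-known object name proposed above, run against a constructed in-memory stand-in for the Policies container. FakePolicies and both helper functions are hypothetical names, and the stand-in matches on cn, which holds the same GUID as name in the ldbsearch output above. A missing entry is handled explicitly, so the caller chooses between an error and None.

```python
# Well-known object names of the two default GPOs, as quoted in the thread.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"


class FakePolicies:
    """Hypothetical stand-in for a one-level search under CN=Policies,CN=System."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, attr, value):
        # Equality match on one attribute, case-insensitive.
        return [e for e in self.entries if e[attr].lower() == value.lower()]


def policy_id_by_display_name(policies, display_name):
    """The lookup from the traceback: indexes [0] without checking the result."""
    res = policies.search("displayName", display_name)
    return res[0]["cn"].replace("{", "").replace("}", "")


def policy_id_by_guid(policies, guid, required=True):
    """Lookup by well-known object name; unaffected by a renamed GPO."""
    res = policies.search("cn", guid)
    if len(res) == 1:
        return res[0]["cn"].replace("{", "").replace("}", "")
    if required:
        raise LookupError("policy %s: expected 1 entry, found %d" % (guid, len(res)))
    return None


# Constructed sample: both default GPOs renamed, as on the failing server.
RENAMED = FakePolicies([
    {"cn": DEFAULT_DOMAIN_POLICY, "displayName": "EXAMPLE"},
    {"cn": DEFAULT_DC_POLICY, "displayName": "domain"},
])


def demo():
    """Return (result of the displayName lookup, result of the GUID lookup)."""
    try:
        by_name = policy_id_by_display_name(RENAMED, "Default Domain Policy")
    except IndexError:
        by_name = "IndexError"
    return by_name, policy_id_by_guid(RENAMED, DEFAULT_DOMAIN_POLICY)


if __name__ == "__main__":
    print(demo())
```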