Andrew Bartlett
2024-Apr-13 08:37 UTC
[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor
On Fri, 2024-04-12 at 08:03 +0200, Daniel Müller via samba wrote:
> Hello to all,
>
> After updating to samba 4.20 (from samba 4.19) on Debian 11, samba-tool
> dbcheck --cross-ncs
> results in:
> samba-tool dbcheck --cross-ncs
> Checking 4499 objects
> Not resetting nTSecurityDescriptor on CN=Deleted Objects,CN=Configuration,DC=tlk,DC=loc
> Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=DomainDnsZones,DC=tlk,DC=loc
> Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=ForestDnsZones,DC=tlk,DC=loc
> Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc
>
> Checked 4499 objects (4 errors)
> Please use 'samba-tool dbcheck --fix' to fix 4 errors
>
> Do I have to perform samba-tool dbcheck --fix, though this server is the
> second and the master still is running samba 4.19!?

Yes, you can reset this SD. I've checked the code and we only improved dbcheck, we didn't make a matching change to the C code.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Daniel Müller
2024-Apr-15 05:53 UTC
[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor
I did it:

root@dom2:~# samba-tool dbcheck --fix
Checking 705 objects
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc back to provision default?
Owner mismatch: SY (in ref) DA(in current)
Group mismatch: SY (in ref) DA(in current)
Part dacl is different between reference and current here is the detail:
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
[y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=tlk,DC=loc'
Checked 705 objects (1 errors)

root@dom2:~# samba-tool dbcheck --cross-ncs
Checking 4506 objects
Not resetting nTSecurityDescriptor on CN=Deleted Objects,CN=Configuration,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=DomainDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=ForestDnsZones,DC=tlk,DC=loc
Checked 4506 objects (3 errors)
Please use 'samba-tool dbcheck --fix' to fix 3 errors

root@dom2:~# samba-tool dbcheck --fix
Checking 705 objects
Checked 705 objects (0 errors)

But the next "samba-tool dbcheck --cross-ncs" shows the same three errors again!?

Greetings
Daniel

From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Saturday, 13 April 2024 10:38
To: mueller at tropenklinik.de; samba samba <samba at lists.samba.org>
Subject: Re: [Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

On Fri, 2024-04-12 at 08:03 +0200, Daniel Müller via samba wrote:

Hello to all,

After updating to samba 4.20 (from samba 4.19) on Debian 11, samba-tool dbcheck --cross-ncs results in:

samba-tool dbcheck --cross-ncs
Checking 4499 objects
Not resetting nTSecurityDescriptor on CN=Deleted Objects,CN=Configuration,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=DomainDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=ForestDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc
Checked 4499 objects (4 errors)
Please use 'samba-tool dbcheck --fix' to fix 4 errors

Do I have to perform samba-tool dbcheck --fix, though this server is the second and the master still is running samba 4.19!?

Yes, you can reset this SD. I've checked the code and we only improved dbcheck, we didn't make a matching change to the C code.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
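
Added example, not part of the original messages and not Samba's dbcheck code: a small SDDL reader that shows what the owner/group mismatch and the ACE lines in the dbcheck output above mean before answering "y". The two SDDL strings are constructed from the ACE lines in that output (DACL flags omitted as an assumption), and the function names are hypothetical.

```python
import re

# Directory-object access-right codes used in SDDL ACE strings.
RIGHTS = {
    "CC": "create child", "DC": "delete child", "LC": "list children",
    "SW": "self write", "RP": "read property", "WP": "write property",
    "DT": "delete tree", "LO": "list object", "CR": "control access",
    "SD": "delete", "RC": "read control", "WD": "write DACL",
    "WO": "write owner",
}

# Constructed from the dbcheck output in this thread (assumption: no DACL flags).
REFERENCE = "O:SYG:SYD:(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)(A;;LCRP;;;BA)"
CURRENT = ("O:DAG:DAD:(A;;LCRPLORC;;;AU)"
           "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
           "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")

def parse_sd(sddl):
    """Return (owner, group, [ace, ...]); only O:, G: and D: parts are handled."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL string")
    owner, group, _flags, aces = m.groups()
    return owner, group, re.findall(r"\(([^)]*)\)", aces)

def describe_ace(ace):
    """Return (trustee, ace_type, [right names]) for a six-field ACE string."""
    ace_type, _flags, rights, _obj, _inherit_obj, trustee = ace.split(";")
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return trustee, ace_type, [RIGHTS.get(c, c) for c in codes]

def diff_sd(reference, current):
    """Compare two descriptors the way the dbcheck prompt reports them."""
    r_owner, r_group, r_aces = parse_sd(reference)
    c_owner, c_group, c_aces = parse_sd(current)
    return {
        "owner_mismatch": r_owner != c_owner,
        "group_mismatch": r_group != c_group,
        "only_in_current": [a for a in c_aces if a not in r_aces],
        "only_in_reference": [a for a in r_aces if a not in c_aces],
    }

if __name__ == "__main__":
    result = diff_sd(REFERENCE, CURRENT)
    print("owner/group mismatch:", result["owner_mismatch"], result["group_mismatch"])
    for side in ("only_in_current", "only_in_reference"):
        for ace in result[side]:
            print(side, describe_ace(ace))
```

Read this way, the current descriptor lets Authenticated Users (AU) list and read the Deleted Objects container, while the provision default leaves only SYSTEM (SY) and BUILTIN\Administrators (BA) in the DACL.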