Pekka L.J. Jalkanen
2013-Feb-26 11:36 UTC
[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Sat, 2013-02-16 Andrew Bartlett wrote:
> On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
>> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
>> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
>> > > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
>> > > (but do nothing after make install)? If it will make things worse in any
>> > > way, I can stay at 4.0.0. Thanks, Thomas.
>> >
>> > It's fine to upgrade. That protects you against the security issue we
>> > fixed in 4.0.1, and makes a significant number of other fixes.
>>
>> My current testing shows that:
>>
>> samba_upgradeprovision --full
>> dbcheck --cross-ncs [--fix [--yes]]
>>
>> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
>> LDAP object. The --full is important, without that the result is
>> actually worse (as far as I can tell).
>>
>> I would like to make some progress on this before I recommend it as the
>> final solution.
>>
>> It is however pretty close, and better than what is in the database
>> right now.
>
> I retract any advice to run this tool. I hope to have patches soon, but
> for the moment it treats any beta or release version as being *before*
> alpha9. Essentially we have been caught out by a regex that never
> expected Samba to move beyond endless alphas :-)
>
> Please do not run samba_upgradeprovision under any circumstances, until
> I have tested patches to fix this.

Since the discussion on samba-technical gave somehow mixed
recommendations about whether it should be run or not, I had attempted
to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. I
figured out that as I'm having some problems with my group policies
anyway, and am not generally using them, it shouldn't hurt too much.
(Back then, I had missed this thread, as I had mistakenly only followed
the samba-technical list.)
Here are my experiences:

First, the command failed with python errors because I don't run DNS in
my AD, and as such didn't have a DnsAdmins group. I then went on to create
the said group.

Second, it asked me to run the following command, and then re-run it:
"ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif"

I ran it. Don't know exactly what it did, but I didn't get any errors.

Third, it finally didn't run at all, as it stated that multiple DC
setups aren't supported. This wasn't stated anywhere in advance. The
command doesn't have a manpage, and the "--help" switch doesn't give any
clue what the command is actually supposed to do.

So in the end I didn't run it at all, as it can only be run in single DC
setups. But I did run the ldbadd command, and don't know how serious a
mistake that was.

Afterwards, I tried to run "samba-tool dbcheck --cross-ncs --fix", and
unlike in 4.0.0, it didn't manage to fix everything:

Checking 3378 objects
ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site? [y/N/all/none] all
Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!")
ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site? [YES]
Failed to correct missing instanceType on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!")
Checked 3378 objects (0 errors)

Don't know if I should be worried about these errors, though, or whether
they have anything to do with my mistaken ldbadd command.

Pekka L.J. Jalkanen
Andrew Bartlett
2013-Feb-26 21:53 UTC
[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Tue, 2013-02-26 at 13:36 +0200, Pekka L.J. Jalkanen wrote:
> On Sat, 2013-02-16 Andrew Bartlett wrote:
> > On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
> >> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> >> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> >> > > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
> >> > > (but do nothing after make install)? If it will make things worse in any
> >> > > way, I can stay at 4.0.0. Thanks, Thomas.
> >> >
> >> > It's fine to upgrade. That protects you against the security issue we
> >> > fixed in 4.0.1, and makes a significant number of other fixes.
> >>
> >> My current testing shows that:
> >>
> >> samba_upgradeprovision --full
> >> dbcheck --cross-ncs [--fix [--yes]]
> >>
> >> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
> >> LDAP object. The --full is important, without that the result is
> >> actually worse (as far as I can tell).
> >>
> >> I would like to make some progress on this before I recommend it as the
> >> final solution.
> >>
> >> It is however pretty close, and better than what is in the database
> >> right now.
> >
> > I retract any advice to run this tool. I hope to have patches soon, but
> > for the moment it treats any beta or release version as being *before*
> > alpha9. Essentially we have been caught out by a regex that never
> > expected Samba to move beyond endless alphas :-)
> >
> > Please do not run samba_upgradeprovision under any circumstances, until
> > I have tested patches to fix this.
>
> Since the discussion on samba-technical gave somehow mixed
> recommendations about whether it should be run or not, I had attempted
> to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3.

NO!

At this point I've tried to be very clear, and I'm not sure what part of
what I've said above was not clear.

Who suggested you should run this tool?

> I
> figured out that as I'm having some problems with my group policies
> anyway, and am not generally using them, it shouldn't hurt too much.
> (Back then, I had missed this thread, as I had mistakenly only followed
> the samba-technical list.)
>
> Here are my experiences:
>
> First, the command failed with python errors because I don't run DNS in
> my AD, and as such didn't have a DnsAdmins group. I then went on to create
> the said group.
>
> Second, it asked me to run the following command, and then re-run it:
> "ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif"
>
> I ran it. Don't know exactly what it did, but I didn't get any errors.
>
> Third, it finally didn't run at all, as it stated that multiple DC
> setups aren't supported. This wasn't stated anywhere in advance. The
> command doesn't have a manpage, and the "--help" switch doesn't give any
> clue what the command is actually supposed to do.

This is an extra safety check we added. But the lack of clear
documentation on this is one of the many reasons why I'm now of a mind
to remove this tool until it meets these and many other standards.

> So in the end I didn't run it at all, as it can only be run in single DC
> setups. But I did run the ldbadd command, and don't know how serious a
> mistake that was.
>
> Afterwards, I tried to run "samba-tool dbcheck --cross-ncs --fix", and
> unlike in 4.0.0, it didn't manage to fix everything:
>
> Checking 3378 objects
> ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4
> Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site? [y/N/all/none] all
> Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!")
> ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4
> Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site? [YES]
> Failed to correct missing instanceType on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!")
> Checked 3378 objects (0 errors)

This is a concern, and looks like it was initially due to an incorrect
implementation of the instanceType check in the dbcheck shipped with
4.0.0, after your domain was imported from a Windows 2000 level domain.

Can you give me some more detail on the history of this domain?

It is more of a worry that it can't fix it - but this might be due to us
missing some special case logic that needs to be applied around the Rid
Set objects.

> Don't know if I should be worried about these errors, though, or whether
> they have anything to do with my mistaken ldbadd command.

Your ldbadd command probably just made it more difficult to ever run
samba_upgradeprovision in the future. It doesn't change the actual
data, just some metadata notes in a special area outside the directory.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
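As an added example (not code from this thread, from Pekka, or from the Samba project): a small Python script that reads an LDIF dump of the RID Set objects and flags the two conditions visible in the dbcheck output above, an instanceType other than 4 and a missing mandatory rIDNextRID, so you can see before running "samba-tool dbcheck --cross-ncs --fix" which objects it will refuse to modify with result 65 (objectclass_attrs). The ldbsearch invocation in the docstring, the rIDSet object class filter and the attribute values in the embedded sample record are assumptions; the DNs in the sample are the ones from the thread. Run it against a backup copy of the private directory, not the live sam.ldb.

```python
"""Inspect RID Set objects for the two conditions that made
'samba-tool dbcheck --cross-ncs --fix' fail in the thread above:
instanceType != 4 and a missing mandatory rIDNextRID attribute.

Input is LDIF on stdin, e.g. from (assumed invocation; point it at a
backup copy of the private directory, never the live database):

    ldbsearch -H /path/to/backup/private/sam.ldb --cross-ncs \\
        '(objectClass=rIDSet)' instanceType rIDNextRID
"""
import sys

# MS-ADTS instanceType flag for "writable object"; the dbcheck output in the
# thread expects exactly this value on a RID Set (it is not an NC head).
INSTANCE_TYPE_WRITE = 4


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of dicts, attribute -> list of values.
    Keys are kept as written; lookups lower-case them because LDAP attribute
    names are case-insensitive. Base64 values ('::') are left undecoded, which
    is fine here: instanceType and rIDNextRID are plain integers."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line terminates a record
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith("#"):             # ldbsearch's '# record N' comments
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key][-1] += line[1:]   # folded continuation line
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        current.setdefault(key, []).append(value.lstrip(": ").strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def check_rid_sets(entries):
    """Return [(dn, [problem, ...])] for RID Set objects dbcheck could not repair.
    A RID Set is recognised by the DN prefix 'CN=RID Set,' seen in the thread."""
    findings = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items()}
        dn = attrs.get("dn", [""])[0]
        if not dn.lower().startswith("cn=rid set,"):
            continue
        problems = []
        itype = attrs.get("instancetype")
        if itype is None:
            problems.append("instanceType missing")
        elif int(itype[0]) != INSTANCE_TYPE_WRITE:
            problems.append(f"instanceType {itype[0]}, dbcheck expects {INSTANCE_TYPE_WRITE}")
        if "ridnextrid" not in attrs:
            # Any modify of this object, including dbcheck's instanceType fix,
            # is rejected with LDAP result 65 (objectClassViolation) until the
            # mandatory attribute is present, exactly as the thread shows.
            problems.append("mandatory rIDNextRID missing; modify fails with objectclass_attrs (65)")
        if problems:
            findings.append((dn, problems))
    return findings


# Constructed sample mirroring the DNs from the thread; the attribute values
# (instanceType 4 and rIDNextRID 1600 on the healthy object) are made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site
instanceType: 0

# record 2
dn: CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site
instanceType: 4
rIDNextRID: 1600

# returned 2 records
"""


def main():
    # Read LDIF from a pipe; fall back to the constructed sample when run bare.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    findings = check_rid_sets(parse_ldif(text))
    for dn, problems in findings:
        print(dn)
        for problem in problems:
            print("  -", problem)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script only reports; it deliberately does not write to the database, since supplying a missing rIDNextRID by hand means choosing a RID value that must not collide with RIDs already handed out from that DC's pool.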