samba - Feb 2013 - Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

On Sat, 2013-02-16 Andrew Bartlett wrote:
> On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
>> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
>> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
>> > > Thank you, Andrew. Just to be clear, you're saying I can
upgrade to 4.0.3
>> > > (but do nothing after make install)? If it will make things
worse in any
>> > > way, I can stay at 4.0.0. Thanks, Thomas.
>> > 
>> > It's fine to upgrade.  That protects you against the security
issue we
>> > fixed in 4.0.1, and makes a significant number of other fixes.
>> 
>> My current testing shows that:
>> 
>> samba_upgradeprovision --full
>> dbcheck --cross-ncs [--fix [--yes]]
>> 
>> Will break some ACLs on DNS, and not fix one of the ACLs on the
DC's own
>> LDAP object.  The --full is important, without that the result is
>> actually worse (as far as I can tell).
>> 
>> I would like to make some progress on this before I recommend it as the
>> final solution.
>> 
>> It is however pretty close, and better than what is in the database
>> right now.  
> 
> I retract any advise to run this tool.  I hope to have patches soon, but
> for the moment it treats any beta or release version as being *before*
> alpha9.  Essentially we have been caught out by a regex that never
> expected Samba to move beyond endless alphas :-)
> 
> Please do not run samba_upgradeprovision under any circumstances, until
> I have tested patches to fix this. 
Since the discussion on samba-technical gave somehow mixed
recommendations about whether it should be run or not, I had attempted
to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. I
figured out that as I'm having some problems with my group policies
anyway, and am not generally using them, it shouldn't hurt too much.
(Back then, I had missed this thread, as I had mistakenly only followed
the samba-technical list.)

Here are my experiences:

First, the command failed with python errors because I don't run DNS in
my AD, and as such didn't have DnsAdmins group. I then went on to create
the said group.

Second, it asked me to run the following command, and then re-run it:
"ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif"

I ran it. Don't know exactly what it did, but I didn't get any errors.

Third, it finally didn't run at all, as it stated that multiple DC
setups aren't supported. This wasn't stated anywhere in advance. The
command doesn't have a manpage, and "--help" switch doesn't
give any
clue what the command is actually supposed to do.

So in the end I didn't run it at all, as it can only be run in single DC
setups. But I did run the ldbadd command, and don't know how serious
mistake that was.

Afterwards, I tried to run "samba-tool dbcheck --cross-ncs --fix", and
unlike in 4.0.0, it didn't manage to fix everything:

Checking 3378 objects
ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site? [y/N/all/none] all
Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65,
"objectclass_attrs: at least one mandatory attribute ('rIDNextRID')
on
entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site'
wasn't specified!")
ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site? [YES]
Failed to correct missing instanceType on CN=RID
Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting
instanceType=4 : (65, "objectclass_attrs: at least one mandatory
attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site' wasn't specified!")
Checked 3378 objects (0 errors)

Don't know if I should be worried about these errors, though, or whether
they have anything to do with my mistaken ldbadd command.


Pekka L.J. Jalkanen

On Tue, 2013-02-26 at 13:36 +0200, Pekka L.J. Jalkanen
wrote:
> On Sat, 2013-02-16 Andrew Bartlett wrote:
> > On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
> >> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> >> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> >> > > Thank you, Andrew. Just to be clear, you're saying I
can upgrade to 4.0.3
> >> > > (but do nothing after make install)? If it will make
things worse in any
> >> > > way, I can stay at 4.0.0. Thanks, Thomas.
> >> > 
> >> > It's fine to upgrade.  That protects you against the
security issue we
> >> > fixed in 4.0.1, and makes a significant number of other
fixes.
> >> 
> >> My current testing shows that:
> >> 
> >> samba_upgradeprovision --full
> >> dbcheck --cross-ncs [--fix [--yes]]
> >> 
> >> Will break some ACLs on DNS, and not fix one of the ACLs on the
DC's own
> >> LDAP object.  The --full is important, without that the result is
> >> actually worse (as far as I can tell).
> >> 
> >> I would like to make some progress on this before I recommend it
as the
> >> final solution.
> >> 
> >> It is however pretty close, and better than what is in the
database
> >> right now.  
> > 
> > I retract any advise to run this tool.  I hope to have patches soon,
but
> > for the moment it treats any beta or release version as being *before*
> > alpha9.  Essentially we have been caught out by a regex that never
> > expected Samba to move beyond endless alphas :-)
> > 
> > Please do not run samba_upgradeprovision under any circumstances,
until
> > I have tested patches to fix this. 
> 
> Since the discussion on samba-technical gave somehow mixed
> recommendations about whether it should be run or not, I had attempted
> to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. 
NO!  At this point I've tried to be very clear, and I'm not sure what
part of what I've said above was not clear. 

Who suggested you should run this tool?
> I
> figured out that as I'm having some problems with my group policies
> anyway, and am not generally using them, it shouldn't hurt too much.
> (Back then, I had missed this thread, as I had mistakenly only followed
> the samba-technical list.)
> 
> Here are my experiences:
> 
> First, the command failed with python errors because I don't run DNS in
> my AD, and as such didn't have DnsAdmins group. I then went on to
create
> the said group.
> 
> Second, it asked me to run the following command, and then re-run it:
> "ldbadd -H /usr/local/samba/private/sam.ldb
/tmp/usnprovTuWu85dif"
> 
> I ran it. Don't know exactly what it did, but I didn't get any
errors.
> 
> Third, it finally didn't run at all, as it stated that multiple DC
> setups aren't supported. This wasn't stated anywhere in advance.
The
> command doesn't have a manpage, and "--help" switch
doesn't give any
> clue what the command is actually supposed to do.
This is an extra safety check we added.  But the lack of clear
documentation on this is one of the many reasons why I'm now of a mind
to remove this tool until it meets these and many other standards. 
> So in the end I didn't run it at all, as it can only be run in single
DC
> setups. But I did run the ldbadd command, and don't know how serious
> mistake that was.
> 
> Afterwards, I tried to run "samba-tool dbcheck --cross-ncs
--fix", and
> unlike in 4.0.0, it didn't manage to fix everything:
> 
> Checking 3378 objects
> ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain
> Controllers,DC=mydomain,DC=site, should be 4
> Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain
> Controllers,DC=mydomain,DC=site? [y/N/all/none] all
> Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain
> Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65,
> "objectclass_attrs: at least one mandatory attribute
('rIDNextRID') on
> entry 'CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site'
> wasn't specified!")
> ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site, should be 4
> Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site? [YES]
> Failed to correct missing instanceType on CN=RID
> Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting
> instanceType=4 : (65, "objectclass_attrs: at least one mandatory
> attribute ('rIDNextRID') on entry 'CN=RID
Set,CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site' wasn't specified!")
> Checked 3378 objects (0 errors)
This is a concern, and looks like it was initially due to an incorrect
implementation of the instanceType check in the dbcheck shipped with
4.0.0, after your domain was imported from a Windows 2000 level domain. 

Can you give me some more detail on this history of this domain?

It is more of a worry that it can't fix it - but this might be due to us
missing some special case logic that needs to be applied around the Rid
Set objects. 
> Don't know if I should be worried about these errors, though, or
whether
> they have anything to do with my mistaken ldbadd command.
Your ldbadd command probably just made it more difficult to ever run
samba_upgradeprovision in the future.  It doesn't change the actual
data, just some metadata notes in a special area outside the directory. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org