samba - Nov 2015 - Problem switching to BIND9_DLZ

Hi,

I try to switch from internal DNS to bind9 on an samba-ad-dc (sernet 
4.1.23 on debian wheezy).
I try to run

samba_upgradedns --dns-backend=BIND9_DLZ

and get an python error pointing to 
/usr/lib/python2.7/dist-packages/samba/provision/__init__.py line 271

Reading domain information
Traceback (most recent call last):
   File "/usr/sbin/samba_upgradedns", line 261, in <module>
     paths, lp.configfile, lp)
   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
line 271, in find_provision_key_parameters
     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
IndexError: list index out of range


That is the names.policyid line in below snippet

-----------------------------------
     res7 = samdb.search(expression="(displayName=Default Domain
Policy)",
                         base="CN=Policies,CN=System," + basedn,
                         scope=ldb.SCOPE_ONELEVEL, 
attrs=["cn","displayName"])
     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
     # dc policy guid
     res8 = samdb.search(expression="(displayName=Default Domain 
Controllers Policy)",
                             base="CN=Policies,CN=System," + basedn,
                             scope=ldb.SCOPE_ONELEVEL,
                             attrs=["cn","displayName"])
     if len(res8) == 1:
         names.policyid_dc = 
str(res8[0]["cn"]).replace("{","").replace("}","")
     else:
         names.policyid_dc = None
-----------------------------------

When I compare the branch in question System.Policies.[basedn] with 
another server which migrated fine using above comman i find
these entries on the working server with the correct displayName:

CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=Default Domain 
Policy
CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=Default Domain 
Controllers Policy

On the server with the migration failing i find entries with the same 
id's but different displayName values.

CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=[my domain name]
CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=domain

Looking into GPO management it seems i renamed these two policies a 
while ago. There are no GPO related issues here with them renamed.
I wonder if it is safe to use None for names.policyid as well like it is 
used for names.policyid_dc if not found.

if len(res7) == 1:
         names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
     else:
         names.policyid = None

Server is in production so i ask here before testing (of course after an 
snapshot of that vm).

Thanks in advance
achim~

Am 13.11.2015 um 07:11 schrieb Achim Gottinger:
> Hi,
>
> I try to switch from internal DNS to bind9 on an samba-ad-dc (sernet 
> 4.1.23 on debian wheezy).
> I try to run
>
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> and get an python error pointing to 
> /usr/lib/python2.7/dist-packages/samba/provision/__init__.py line 271
>
> Reading domain information
> Traceback (most recent call last):
>   File "/usr/sbin/samba_upgradedns", line 261, in <module>
>     paths, lp.configfile, lp)
>   File
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py",
> line 271, in find_provision_key_parameters
>     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
> IndexError: list index out of range
>
>
> That is the names.policyid line in below snippet
>
> -----------------------------------
>     res7 = samdb.search(expression="(displayName=Default Domain
Policy)",
>                         base="CN=Policies,CN=System," + basedn,
>                         scope=ldb.SCOPE_ONELEVEL, 
> attrs=["cn","displayName"])
>     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
>     # dc policy guid
>     res8 = samdb.search(expression="(displayName=Default Domain 
> Controllers Policy)",
>                             base="CN=Policies,CN=System," +
basedn,
>                             scope=ldb.SCOPE_ONELEVEL,
>                             attrs=["cn","displayName"])
>     if len(res8) == 1:
>         names.policyid_dc = 
>
str(res8[0]["cn"]).replace("{","").replace("}","")
>     else:
>         names.policyid_dc = None
> -----------------------------------
>
> When I compare the branch in question System.Policies.[basedn] with 
> another server which migrated fine using above comman i find
> these entries on the working server with the correct displayName:
>
> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=Default 
> Domain Policy
> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=Default 
> Domain Controllers Policy
>
> On the server with the migration failing i find entries with the same 
> id's but different displayName values.
>
> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=[my domain
name]
> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=domain
>
> Looking into GPO management it seems i renamed these two policies a 
> while ago. There are no GPO related issues here with them renamed.
> I wonder if it is safe to use None for names.policyid as well like it 
> is used for names.policyid_dc if not found.
>
> if len(res7) == 1:
>         names.policyid = 
>
str(res7[0]["cn"]).replace("{","").replace("}","")
>     else:
>         names.policyid = None
>
> Server is in production so i ask here before testing (of course after 
> an snapshot of that vm).
>
> Thanks in advance
> achim~
I circumvented the issue by renaming the GPO to "Default Domain
Policy"
run the script and rename the GPO back.

On 13/11/15 07:00, Achim Gottinger wrote:
>
>
> Am 13.11.2015 um 07:11 schrieb Achim Gottinger:
>> Hi,
>>
>> I try to switch from internal DNS to bind9 on an samba-ad-dc (sernet 
>> 4.1.23 on debian wheezy).
>> I try to run
>>
>> samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and get an python error pointing to 
>> /usr/lib/python2.7/dist-packages/samba/provision/__init__.py line 271
>>
>> Reading domain information
>> Traceback (most recent call last):
>>   File "/usr/sbin/samba_upgradedns", line 261, in
<module>
>>     paths, lp.configfile, lp)
>>   File 
>>
"/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
>> 271, in find_provision_key_parameters
>>     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
>> IndexError: list index out of range
>>
>>
>> That is the names.policyid line in below snippet
>>
>> -----------------------------------
>>     res7 = samdb.search(expression="(displayName=Default Domain 
>> Policy)",
>>                         base="CN=Policies,CN=System," +
basedn,
>>                         scope=ldb.SCOPE_ONELEVEL, 
>> attrs=["cn","displayName"])
>>     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")
The problem is the way the search is being carried out, It is taken from 
'find_provision_key_parameters' and it expects that the policy is named 
'Default Domain Policy', this is something that can be changed. If the 
policy name is changed, the search will fail (silently) and then when it 
tries to set 'names.policyid' it then complains.

The search would probably be better something like this:

res7 = 
samdb.search(expression="(name={31B2F340-016D-11D2-945F-00C04FB984F9})",
                         base="CN=Policies,CN=System," + basedn,
                         scope=ldb.SCOPE_ONELEVEL, 
attrs=["cn","displayName"])
     names.policyid =
str(res7[0]["cn"]).replace("{","").replace("}","")

which is the same as:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 
"cn=Policies,cn=System,dc=samdom,dc=example,dc=com" -s one 
'(name={31B2F340-016D-11D2-945F-00C04FB984F9})' cn displayName

which returns:

# record 1
dn: 
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
displayName: Default Domain Policy

Rowland
>>     # dc policy guid
>>     res8 = samdb.search(expression="(displayName=Default Domain 
>> Controllers Policy)",
>>                             base="CN=Policies,CN=System," +
basedn,
>>                             scope=ldb.SCOPE_ONELEVEL,
>>                            
attrs=["cn","displayName"])
>>     if len(res8) == 1:
>>         names.policyid_dc = 
>>
str(res8[0]["cn"]).replace("{","").replace("}","")
>>     else:
>>         names.policyid_dc = None
>> -----------------------------------
>>
>> When I compare the branch in question System.Policies.[basedn] with 
>> another server which migrated fine using above comman i find
>> these entries on the working server with the correct displayName:
>>
>> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=Default 
>> Domain Policy
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=Default 
>> Domain Controllers Policy
>>
>> On the server with the migration failing i find entries with the same 
>> id's but different displayName values.
>>
>> CN={31B2F340-016D-11D2-945F-00C04FB984F9} -> displayName=[my domain 
>> name]
>> CN={6AC1786C-016F-11D2-945F-00C04FB984F9} -> displayName=domain
>>
>> Looking into GPO management it seems i renamed these two policies a 
>> while ago. There are no GPO related issues here with them renamed.
>> I wonder if it is safe to use None for names.policyid as well like it 
>> is used for names.policyid_dc if not found.
>>
>> if len(res7) == 1:
>>         names.policyid = 
>>
str(res7[0]["cn"]).replace("{","").replace("}","")
>>     else:
>>         names.policyid = None
>>
>> Server is in production so i ask here before testing (of course after 
>> an snapshot of that vm).
>>
>> Thanks in advance
>> achim~
> I circumvented the issue by renaming the GPO to "Default Domain 
> Policy" run the script and rename the GPO back.
>
>