samba - Jun 2017 - Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...

Hai, 

The "scripts" are not the problem, i'll explain more. 

A failty configured smb.conf is the problem, or a smb.conf which contained
"removed" settings.
Which exist in a lots of setups. 
You need to setup you smb.conf to match 4.5.x settings "before" you
upgrade, then you dont have any problems upgradeing.

If we can think of a way to this before the upgrade starts.. 

- match settings for a new samba version 4.5.x 
- check agains smb.conf
- correct these settings
- and start upgrading. 
For example, just before package install, call a "test-smb.conf"
script and run test.
If it fails, skip the packages and point out what is the problem. 

But i dont see a way to do that, because, imo, its hard to "correct"
settings, based on what the installer, does not know.
And that is the way the user did setup, for some reason. 

Now samba 4.6 has samba-tool testparm that check failty idmappings. 
But in Marco's case he would have had the same problem when upgrading due to
the change in security settings.

Maybe, but this is more a question for developers.
Make samba test agains current and new settings and before upgrading a packages,
is should have pointed out what is changed.
Like what a user "should" do before he upgrade to any new version (
4.2.x to 4.3. to 4.4.x etc )
And in this case of "Debian" packages. 

Any version upgrade from wheezy ( 3.6.x or 4.1.17), Jessie 4.2.x , stretch 4.5.x
can be effected by this.
It's all about the smb.conf settings. 
This is why i have : 
http://downloads.van-belle.nl/samba4/Upgrade-info.txt 
But i'm missing the security = setting ( probely because it's removed as
of 4.0 )
I started with 4.1 in the Upgrade-info.txt 


Greetz, 

Louis




 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 23 juni 2017 13:23
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Upgrading samba from jessie (4.2) to 
> stretch (4.5) in AD mode...
> 
> On Fri, 23 Jun 2017 12:40:35 +0200
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> > Mandi! Rowland Penny via samba
> >   In chel di` si favelave...
> > 
> > > > Better to fire up a bug in debian BTS?
> > 
> > > Which version of samba did you upgrade to ?
> > > Where did it come from, a Debian repo or Louis's ?
> > 
> > Louis's repo. 2:4.5.8+dfsg-2~bpo8+1 .
> > 
> > 
> > > Which package is the postinst script in ?
> > 
> > 'winbind'.
> > 
> > > If I can get this info, I will check just what the script 
> is trying 
> > > to do.
> > 
> 
> OK, winbind used to be installed automatically, but you must 
> now install it manually, so does this mean that winbind will 
> be treated as a new installation by Debian ?
> 
> If so, it appears that this is run:
> 
> if deb-systemd-helper --quiet was-enabled winbind.service; then
> 	# Enables the unit on first installation, creates new
> 	# symlinks on upgrades if the unit file has changed.
> 	deb-systemd-helper enable winbind.service >/dev/null || true
> 
> If it isn't being treated as 'new' install, then the
'winbind.service'
> file is installed but not enabled.
> 
> If the 'postinst' script is run with 'configure' (which it
probably
> is) then this is run:
> 
> if [ "$1" = "configure" ] || [ "$1" =
"abort-upgrade" ]; then
>     if [ -x "/etc/init.d/winbind" ]; then
> 	update-rc.d winbind defaults >/dev/null
> 	invoke-rc.d winbind start || exit $?
>     fi
> fi
> 
> So, as 'winbind' tries to be started on a DC, at least one of 
> the above is being run. Shouldn't the script check if 
> smb.conf has been set up as a DC and not do either if it has ?
> 
> Rowland
>  
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 23 Jun 2017 14:15:28 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> The "scripts" are not the problem, i'll explain more. 
> 
I cannot really comment on the systemd settings because I do not use
it, but I can comment on this:

if [ "$1" = "configure" ] || [ "$1" =
"abort-upgrade" ]; then
	if [ -x "/etc/init.d/winbind" ]; then
		update-rc.d winbind defaults >/dev/null
		invoke-rc.d winbind start || exit $?
	fi
fi

Saying that is all down to a badly configured smb.conf is missing the point.
It would seem that debian is treating an upgrade of winbind as a new
install, so the code fragment above gets run and it makes the 'winbind'
init script run at boot and then tries to start winbind. Surely it
should be something like this:


if [ "$1" = "configure" ] || [ "$1" =
"abort-upgrade" ]; then
    SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 
2>/dev/null | tail -1 || true)
    if [ "$SERVER_ROLE" != "active directory domain
controller" ]; then
	    if [ -x "/etc/init.d/winbind" ]; then
		    update-rc.d winbind defaults >/dev/null
		    invoke-rc.d winbind start || exit $?
	    fi
    fi
fi

This way, winbind will only get enabled and started if smb.conf isn't
already set up as a DC, which it wont be, if it is a new install or if
smb.conf is set up as something else and Samba is being upgraded.

Rowland

Hai, 

Maybe but that on wont catch the "security = share" settings also. 
That settings is removed in 4.0. 
Debian 3.6 => 4.1.17 => 4.2.10 => 4.5.8 
So if one payed attention to the 3.6 to 4.1 upgrade the "security =
share" would already have been removed, but in this case not.

Own and this also happens on a member server.. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 23 juni 2017 14:56
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Upgrading samba from jessie (4.2) to 
> stretch (4.5) in AD mode...
> 
> On Fri, 23 Jun 2017 14:15:28 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > Hai,
> > 
> > The "scripts" are not the problem, i'll explain more. 
> > 
> 
> I cannot really comment on the systemd settings because I do 
> not use it, but I can comment on this:
> 
> if [ "$1" = "configure" ] || [ "$1" =
"abort-upgrade" ]; then
> 	if [ -x "/etc/init.d/winbind" ]; then
> 		update-rc.d winbind defaults >/dev/null
> 		invoke-rc.d winbind start || exit $?
> 	fi
> fi
> 
> Saying that is all down to a badly configured smb.conf is 
> missing the point.
> It would seem that debian is treating an upgrade of winbind 
> as a new install, so the code fragment above gets run and it 
> makes the 'winbind'
> init script run at boot and then tries to start winbind. 
> Surely it should be something like this:
> 
> 
> if [ "$1" = "configure" ] || [ "$1" =
"abort-upgrade" ]; then
>     SERVER_ROLE=$(samba-tool testparm 
> --parameter-name="server role"  2>/dev/null | tail -1 || true)
>     if [ "$SERVER_ROLE" != "active directory domain 
> controller" ]; then
> 	    if [ -x "/etc/init.d/winbind" ]; then
> 		    update-rc.d winbind defaults >/dev/null
> 		    invoke-rc.d winbind start || exit $?
> 	    fi
>     fi
> fi
> 
> This way, winbind will only get enabled and started if 
> smb.conf isn't already set up as a DC, which it wont be, if 
> it is a new install or if smb.conf is set up as something 
> else and Samba is being upgraded.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Fri, 23 Jun 2017 15:04:16 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> Maybe but that on wont catch the "security = share" settings
also.
> That settings is removed in 4.0. 
> Debian 3.6 => 4.1.17 => 4.2.10 => 4.5.8 
> So if one payed attention to the 3.6 to 4.1 upgrade the "security >
share" would already have been removed, but in this case not.
> 
> Own and this also happens on a member server.. 
> 
Well yes, but Samba now recommends running winbind by default on
everything but a standalone server (it is just at a DC does it for you)

Rowland