On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
> > (but do nothing after make install)? If it will make things worse in any
> > way, I can stay at 4.0.0. Thanks, Thomas.
>
> It's fine to upgrade. That protects you against the security issue we
> fixed in 4.0.1, and makes a significant number of other fixes.

My current testing shows that:

samba_upgradeprovision --full
dbcheck --cross-ncs [--fix [--yes]]

Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
LDAP object.

The --full is important, without that the result is actually worse (as
far as I can tell).

I would like to make some progress on this before I recommend it as the
final solution. It is however pretty close, and better than what is in
the database right now.

These are the ldapcmp results:

Comparing:
'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
        (OA;;SW;Validated-DNS-Host-Name;;DA)
        (OA;;SW;Validated-DNS-Host-Name;;PS)
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
        (OA;;SW;DNS-Host-Name-Attributes;;DA)
        (OA;;SW;DNS-Host-Name-Attributes;;PS)
    FAILED

* Result for [DOMAIN]: FAILURE

* Comparing [DNSDOMAIN] context...

* Objects to be compared: 39

Comparing:
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb]
'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb]
    Difference in ACE count:
        => 27
        => 28
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb:
        (A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)
    ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb:
        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)
        (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA)
    FAILED

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
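
The ldapcmp output in the message lists the differing ACEs as raw SDDL strings. The following is an added example, not part of the original message and not Samba code: it splits each ACE into its six fields and reports which flags, rights or object names differ per trustee. The function names are hypothetical, and it assumes the flags and rights fields use two-letter SDDL tokens, as they do in the output above.

```python
from collections import namedtuple

Ace = namedtuple("Ace", "type flags rights object inherit_object trustee")

def tokens(field):
    """Split an SDDL flags/rights field into its two-letter tokens."""
    return frozenset(field[i:i + 2] for i in range(0, len(field), 2))

def parse_ace(text):
    """Parse '(type;flags;rights;object;inherit_object;trustee)'."""
    fields = text.strip().strip("()").split(";")
    if len(fields) != 6:
        raise ValueError("not a six-field SDDL ACE: %r" % text)
    ace_type, flags, rights, obj, inherit_obj, trustee = fields
    return Ace(ace_type, tokens(flags), tokens(rights), obj, inherit_obj, trustee)

def explain(only_ref, only_new):
    """Pair ACEs by (type, trustee) and describe how each pair differs."""
    # Assumption: at most one ACE per (type, trustee) in each list, which
    # holds for the ldapcmp output quoted in the message.
    ref = {(a.type, a.trustee): a for a in map(parse_ace, only_ref)}
    new = {(a.type, a.trustee): a for a in map(parse_ace, only_new)}
    report = {}
    for key in sorted(set(ref) | set(new)):
        r, n = ref.get(key), new.get(key)
        if r is None or n is None:
            report[key] = ["only in reference" if n is None else "only in upgraded"]
            continue
        changes = []
        for name in ("flags", "rights"):
            lost = sorted(getattr(r, name) - getattr(n, name))
            gained = sorted(getattr(n, name) - getattr(r, name))
            changes += ["%s lost %s" % (name, t) for t in lost]
            changes += ["%s gained %s" % (name, t) for t in gained]
        if r.object != n.object:
            changes.append("object %s -> %s" % (r.object, n.object))
        report[key] = changes
    return report

# ACE strings copied from the ldapcmp output in the message above.
DC_REF = ["(OA;;SW;Validated-DNS-Host-Name;;DA)", "(OA;;SW;Validated-DNS-Host-Name;;PS)"]
DC_NEW = ["(OA;;SW;DNS-Host-Name-Attributes;;DA)", "(OA;;SW;DNS-Host-Name-Attributes;;PS)"]
DNS_REF = ["(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"]
DNS_NEW = ["(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED)", "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA)"]

if __name__ == "__main__":
    for label, ref, new in (("DC object", DC_REF, DC_NEW), ("DNS zone", DNS_REF, DNS_NEW)):
        print(label)
        for key, changes in explain(ref, new).items():
            print("  ", key, changes)
```

On the DNS zone this shows the ED entry losing the CI (container inherit) flag and gaining the LO (list object) right, plus an LA entry present only after the upgrade; on the DC object the rights are unchanged and only the object name differs.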