Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On 26.2.2013 23:53, Andrew Bartlett wrote: On Tue, 2013-02-26 at 13:36 +0200, Pekka L.J. Jalkanen wrote: On Sat, 2013-02-16 Andrew Bartlett wrote: On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote: On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote: On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote: Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes. My current testing shows that: samba_upgradeprovision --full dbcheck --cross-ncs [--fix [--yes]] Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own LDAP object. The --full is important, without that the result is actually worse (as far as I can tell). I would like to make some progress on this before I recommend it as the final solution. It is however pretty close, and better than what is in the database right now. I retract any advise to run this tool. I hope to have patches soon, but for the moment it treats any beta or release version as being *before* alpha9. Essentially we have been caught out by a regex that never expected Samba to move beyond endless alphas :-) Please do not run samba_upgradeprovision under any circumstances, until I have tested patches to fix this. Since the discussion on samba-technical gave somehow mixed recommendations about whether it should be run or not, I had attempted to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. NO! Please don't panic: like I said, I already tried it, so it's too late for remorse now. And even if I were to lose this specific DC completely, it would still not be a catastrophe. Extra work though, sure. At this point I've tried to be very clear, and I'm not sure what part of what I've said above was not clear. Everything what you wrote above was very, very clear, but perhaps I wasn't that clear when I said that I only found about this thread after the upgrade. In short: I upgraded before I had read what you said. Who suggested you should run this tool? I think that after reading your message on samba-technical (see https://lists.samba.org/archive/samba-technical/2013-February/090442.html) I thought that, OK, there are some problems, but also thought that at worst I may lose some ACLs, and I wasn't too worried about that. I also somehow thought that I either have to run this tool, or stick with 4.0.2. I know better now, but what's done is done. I figured out that as I'm having some problems with my group policies anyway, and am not generally using them, it shouldn't hurt too much. (Back then, I had missed this thread, as I had mistakenly only followed the samba-technical list.) See above: I simply hadn't read your advise here before upgrading. So don't feel bad here: it's my fault, not yours. Here are my experiences: -- cut -- Third, it finally didn't run at all, as it stated that multiple DC setups aren't supported. This wasn't stated anywhere in advance. The command doesn't have a manpage, and --help switch doesn't give any clue what the command is actually supposed to do. This is an extra safety check we added. But the lack of clear documentation on this is one of the many reasons why I'm now of a mind to remove this tool until it meets these and many other standards. That would probably be a good move. At least that would be one count less with virtually undocumented things in Samba 4 (there still would be others left, but I guess that's another topic). So in the end I didn't run it at all, as it can only be run in single DC setups. But I did run the ldbadd command, and don't know how serious mistake that was. Afterwards, I tried to run samba-tool dbcheck --cross-ncs --fix, and unlike in 4.0.0, it didn't manage to fix everything: -- cut -- Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!) -- cut -- This is a concern, and looks like it was initially due to an incorrect implementation of the instanceType check in the dbcheck shipped with 4.0.0, after your domain was imported from a Windows 2000 level domain. Can you give me some more detail on this history of this domain? It's a long story, but I'll try to be brief. It's originally a one-DC Windows 2003 R2 domain, with which I've been trying to use S4 since beta 2 or so. But most of the time I've kept it firewalled so that only our Windows DC and a handful of clients are actually allowed to communicate with it; the rest of the clients are still using the Windows DC exclusively. I've
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Sat, 2013-02-16 Andrew Bartlett wrote: On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote: On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote: On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote: Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes. My current testing shows that: samba_upgradeprovision --full dbcheck --cross-ncs [--fix [--yes]] Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own LDAP object. The --full is important, without that the result is actually worse (as far as I can tell). I would like to make some progress on this before I recommend it as the final solution. It is however pretty close, and better than what is in the database right now. I retract any advise to run this tool. I hope to have patches soon, but for the moment it treats any beta or release version as being *before* alpha9. Essentially we have been caught out by a regex that never expected Samba to move beyond endless alphas :-) Please do not run samba_upgradeprovision under any circumstances, until I have tested patches to fix this. Since the discussion on samba-technical gave somehow mixed recommendations about whether it should be run or not, I had attempted to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. I figured out that as I'm having some problems with my group policies anyway, and am not generally using them, it shouldn't hurt too much. (Back then, I had missed this thread, as I had mistakenly only followed the samba-technical list.) Here are my experiences: First, the command failed with python errors because I don't run DNS in my AD, and as such didn't have DnsAdmins group. I then went on to create the said group. Second, it asked me to run the following command, and then re-run it: ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif I ran it. Don't know exactly what it did, but I didn't get any errors. Third, it finally didn't run at all, as it stated that multiple DC setups aren't supported. This wasn't stated anywhere in advance. The command doesn't have a manpage, and --help switch doesn't give any clue what the command is actually supposed to do. So in the end I didn't run it at all, as it can only be run in single DC setups. But I did run the ldbadd command, and don't know how serious mistake that was. Afterwards, I tried to run samba-tool dbcheck --cross-ncs --fix, and unlike in 4.0.0, it didn't manage to fix everything: Checking 3378 objects ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4 Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site? [y/N/all/none] all Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!) ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4 Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site? [YES] Failed to correct missing instanceType on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!) Checked 3378 objects (0 errors) Don't know if I should be worried about these errors, though, or whether they have anything to do with my mistaken ldbadd command. Pekka L.J. Jalkanen -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Tue, 2013-02-26 at 13:36 +0200, Pekka L.J. Jalkanen wrote: On Sat, 2013-02-16 Andrew Bartlett wrote: On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote: On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote: On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote: Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes. My current testing shows that: samba_upgradeprovision --full dbcheck --cross-ncs [--fix [--yes]] Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own LDAP object. The --full is important, without that the result is actually worse (as far as I can tell). I would like to make some progress on this before I recommend it as the final solution. It is however pretty close, and better than what is in the database right now. I retract any advise to run this tool. I hope to have patches soon, but for the moment it treats any beta or release version as being *before* alpha9. Essentially we have been caught out by a regex that never expected Samba to move beyond endless alphas :-) Please do not run samba_upgradeprovision under any circumstances, until I have tested patches to fix this. Since the discussion on samba-technical gave somehow mixed recommendations about whether it should be run or not, I had attempted to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. NO! At this point I've tried to be very clear, and I'm not sure what part of what I've said above was not clear. Who suggested you should run this tool? I figured out that as I'm having some problems with my group policies anyway, and am not generally using them, it shouldn't hurt too much. (Back then, I had missed this thread, as I had mistakenly only followed the samba-technical list.) Here are my experiences: First, the command failed with python errors because I don't run DNS in my AD, and as such didn't have DnsAdmins group. I then went on to create the said group. Second, it asked me to run the following command, and then re-run it: ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif I ran it. Don't know exactly what it did, but I didn't get any errors. Third, it finally didn't run at all, as it stated that multiple DC setups aren't supported. This wasn't stated anywhere in advance. The command doesn't have a manpage, and --help switch doesn't give any clue what the command is actually supposed to do. This is an extra safety check we added. But the lack of clear documentation on this is one of the many reasons why I'm now of a mind to remove this tool until it meets these and many other standards. So in the end I didn't run it at all, as it can only be run in single DC setups. But I did run the ldbadd command, and don't know how serious mistake that was. Afterwards, I tried to run samba-tool dbcheck --cross-ncs --fix, and unlike in 4.0.0, it didn't manage to fix everything: Checking 3378 objects ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4 Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site? [y/N/all/none] all Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!) ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site, should be 4 Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site? [YES] Failed to correct missing instanceType on CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65, objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site' wasn't specified!) Checked 3378 objects (0 errors) This is a concern, and looks like it was initially due to an incorrect implementation of the instanceType check in the dbcheck shipped with 4.0.0, after your domain was imported from a Windows 2000 level domain. Can you give me some more detail on this history of this domain? It is more of a worry that it can't fix it - but this might be due to us missing some special case logic that needs to be applied around the Rid Set objects. Don't know if I should be worried about these errors, though, or whether they have anything to do with my mistaken ldbadd command. Your ldbadd command probably just
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote: On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote: On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote: Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes. My current testing shows that: samba_upgradeprovision --full dbcheck --cross-ncs [--fix [--yes]] Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own LDAP object. The --full is important, without that the result is actually worse (as far as I can tell). I would like to make some progress on this before I recommend it as the final solution. It is however pretty close, and better than what is in the database right now. I retract any advise to run this tool. I hope to have patches soon, but for the moment it treats any beta or release version as being *before* alpha9. Essentially we have been caught out by a regex that never expected Samba to move beyond endless alphas :-) Please do not run samba_upgradeprovision under any circumstances, until I have tested patches to fix this. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote: On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote: Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes. My current testing shows that: samba_upgradeprovision --full dbcheck --cross-ncs [--fix [--yes]] Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own LDAP object. The --full is important, without that the result is actually worse (as far as I can tell). I would like to make some progress on this before I recommend it as the final solution. It is however pretty close, and better than what is in the database right now. These are the ldapcmp results: Comparing: 'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb] 'CN=ARES,OU=Domain Controllers,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb] ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb: (OA;;SW;Validated-DNS-Host-Name;;DA) (OA;;SW;Validated-DNS-Host-Name;;PS) ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb: (OA;;SW;DNS-Host-Name-Attributes;;DA) (OA;;SW;DNS-Host-Name-Attributes;;PS) FAILED * Result for [DOMAIN]: FAILURE * Comparing [DNSDOMAIN] context... * Objects to be compared: 39 Comparing: 'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb] 'DC=release-4-0-0.samba.corp,CN=MicrosoftDNS,DC=DomainDnsZones,DC=release-4-0-0,DC=samba,DC=corp' [tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb] Difference in ACE count: = 27 = 28 ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_reference/private/sam.ldb: (A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED) ACEs found only in tdb:///data/samba/git/samba/st/provision/release-4-0-0_upgrade_full/private/sam.ldb: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;ED) (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;LA) FAILED Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Thu, 2013-02-14 at 18:51 -0500, Thomas Simmons wrote: Hello, Is it necessary or recommended to run 'samba-tool dbcheck --cross-ncs --fix' and 'samba-tool ntacl sysvolreset' when upgrading from 4.0.0 to 4.0.3? We are still trying to work out the safest upgrade path. In the short term, you don't need to do either, but to get the ACLs fixed, then eventually a dbcheck run will be required. We have hesitated to recommend this, as it may make it a little harder for us to have our 'samba_upgradeprovision' tool automatically correct some of the nTSecurityDescriptor values. (We had the wrong values in the provision template). The issue is that, frankly, the samba_upgradeprovision tool is an incredibly big hammer, is internally complex and finally it isn't working correctly in my tests. When run in --full mode, it does some complex manipulations to tell the difference between what a new provision would do, and what you have in the old one, and merge the difference. This is particularly hard to do for security descriptors. The alternative I'm leaning to is the simpler approach of a reset tool, that will reset some key security descriptors, and require the administrator to reinstate any specific changes they actually want. In summary, I don't have a recommended technique yet, but we hope to get one soon. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. On Thu, Feb 14, 2013 at 8:43 PM, Andrew Bartlett abart...@samba.org wrote: On Thu, 2013-02-14 at 18:51 -0500, Thomas Simmons wrote: Hello, Is it necessary or recommended to run 'samba-tool dbcheck --cross-ncs --fix' and 'samba-tool ntacl sysvolreset' when upgrading from 4.0.0 to 4.0.3? We are still trying to work out the safest upgrade path. In the short term, you don't need to do either, but to get the ACLs fixed, then eventually a dbcheck run will be required. We have hesitated to recommend this, as it may make it a little harder for us to have our 'samba_upgradeprovision' tool automatically correct some of the nTSecurityDescriptor values. (We had the wrong values in the provision template). The issue is that, frankly, the samba_upgradeprovision tool is an incredibly big hammer, is internally complex and finally it isn't working correctly in my tests. When run in --full mode, it does some complex manipulations to tell the difference between what a new provision would do, and what you have in the old one, and merge the difference. This is particularly hard to do for security descriptors. The alternative I'm leaning to is the simpler approach of a reset tool, that will reset some key security descriptors, and require the administrator to reinstate any specific changes they actually want. In summary, I don't have a recommended technique yet, but we hope to get one soon. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)
On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote: Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3 (but do nothing after make install)? If it will make things worse in any way, I can stay at 4.0.0. Thanks, Thomas. It's fine to upgrade. That protects you against the security issue we fixed in 4.0.1, and makes a significant number of other fixes. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba