When trying to run upgradeprovision after building the new version, this script is always running into an error: - upgradeprovision without parameters is telling me to use --full as the dynamic dns settings in the old version omit "quick" upgrade - upgradeprovision --full show the following error output: Creating a reference provision Copy previlege Update base samdb by searching difference with reference one Starting update of samdb There are 1 missing objects Reloading a merged schema, which might trigger reindexing so please be patient Schema reloaded! Exception during upgrade of samdb: Traceback (most recent call last): File "./source4/scripting/bin/upgradeprovision",line 1099, in update_partition provisionUSNs, names.invocation) File "./source4/scripting/bin/upgradeprovision", line 908, in update_present if get_diff_sddls(refsddl, cursddl) == "": File "bin/python/samba/upgradehelpers.py" line 487, in get_diff_sddls if hash_new["owner"] != hash_ref["owner"]: KeyError: 'owner' Update failed Using ubuntu 10.10, old samba version is Version 4.0.0alpha12-GIT-dace013, new samba version is Version 4.0.0alpha15-GIT-6d0be9e
For ekacnet.
any news on how to fix this already?
Thanks for the headup I didn't had a look yet on this, but I tried yesterday for another problem to upgrade from alpha11 to alpha15 and it was ok. Would you mind trying with the new alpha15 release and also use the --debugall flag on command line for more informations ? Matthieu.
Created attachment 6436 [details] upgrade script output Hi Matthieu, unfortunately, it still do not work. I retried with Version 4.0.0alpha15-GIT-d874279. The error message is still the same. Please find attached the script output with --debugall flag as requested. Please also note that I needed to start the script from the samba directory: ./source4/scripting/bin/upgradeprovision If I tried it to start from the source4 dir as stated in the upgradeing-samba4.txt, I get always the error "Import Error: no module named ldb". Regards, Dirk
What about of the --debugall flag ? can you use it and post here the output ? it will gives me some clues !
Matthieu, the file I attached yesterday (upgrade script output) was already generated with the --debugall flag of the script. Let me know if you need any further information
Matthieu, were you able to find out anything on this in the meantime? Dirk
Well the output is strange. Are you sure that you run upgradeprovision --full --debugall ? See my log for --debugchange and you'll see that it's much important than yours already. Matthieu.
Created attachment 6501 [details] Example of log of upgradeprovision
Created attachment 6514 [details] screenshots of upgrade process
Hi Matthieu, I am pretty sure I did. I just retried after compiling the latest available source - unfortunately with the same result as earlier tries. See screenshots of what I did attached. Regards, Dirk
Ok I trust you, can you try to apply this patch: diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py index 16e4ea0..185d997 100755 --- a/source4/scripting/python/samba/upgradehelpers.py +++ b/source4/scripting/python/samba/upgradehelpers.py @@ -372,6 +372,8 @@ def get_diff_sddls(refsddl, cursddl): """ txt = "" + print cursddl + print refsddl hash_new = chunck_sddl(cursddl) hash_ref = chunck_sddl(refsddl) and rerun and post the output
Created attachment 6517 [details] upgradescript output attached the file with the script output after applying the patch. Hope this helps narrowing down the problem
Ok that's clearer, I'm still a bit surprised that's why I'd like to know which object has this DN, can you add this patch as well ? and post the output ? diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision index e58a264..86bf818 100755 --- a/source4/scripting/bin/upgradeprovision +++ b/source4/scripting/bin/upgradeprovision @@ -907,6 +907,7 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid): str(reference[0]["nTSecurityDescriptor"])) refsddl = cursd.as_sddl(names.domainsid) + print current[0]["dn"] if get_diff_sddls(refsddl, cursddl) == "": message(CHANGE, "sd are identical") else:
Also we can try get in touch on IRC it would ease the back and forth dialog.
Created attachment 6518 [details] new output new output after 2nd patch . P.S. I am currently on on #samba-technical
Well you should have something like this: nTSecurityDescriptor: O:DAG:DUD:AI(A;;RPLCLORC;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSD DTSW;;;SY)(A;;RPLCLORC;;;AU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e052 9;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a7 68-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f20201 0-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CII OID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa00304 9e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc- 9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967 aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c0 4fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2- 11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP; 037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU) (OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00 aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de 6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f60 8;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-85 4e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;; 4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11 d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa0030 49e2;RU)(OA;CIIOID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RP WPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW; ;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d 0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf9 67aa5-0de6-11d0-a285-00aa003049e2;WD) That's strange that the reference provision have also a broken Security descriptor. Could you try to create a test provision like this: ./source4/setup/provision --realm paulis-home.local --domain PAULIS-HOME --server-role=dc --targetdir=/tmp/tests and do then ./bin/ldbsearch -H /tmp/tests/private/sam.ldb ntsecuritydescriptor and post the output ? By doing so I want to see if a standalone provision is able to create the correct security descriptor.
Created attachment 6521 [details] ldbsearch output as requested ldbsearch result of test provision
Ok I found a small problem and released a fix to deal with the fact that the SD in to be updated provision might not have owner or group. Can you revert the different change that I asked and try the two following patches.
Created attachment 6522 [details] First patch, fix the origin of refsddl
Created attachment 6523 [details] Second patch, accept more variety of SD
Created attachment 6564 [details] debug output after applying patches after reverting the first two changes and applying the 2 new patches, the script is running far longer, but still failing (with a different error). see attached logfile dbg3.txt
Created attachment 6566 [details] patch for last problem
Hi Dirk, Someone introduced a regression lately, the last patch should fix it. Please rebuild your samba before trying upgraderprovison
Looks like it is working now! Thank you - from my perspective, this Bug can be closed after publishing the patches. Regards, Dirk
According to http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=5db07d2f42e6bbc0023a504f30b9dcc8fd31b230 this should have been fixed.
Dirk, Your issue has forced me to go back to upgradeprovision, I released something like 30 patches for it today, so chances are that your provision is not 100% correct :-). Especially I found problems with the calculation of the group of mostly each security descriptor. Would be safe to upgrade to current git and rerun upgradeprovision.