
[Samba] Proper way to upgrade from rc1?


Szymon Życiński

Dec 11, 2012, 3:30:02 PM
Hello

I want to upgrade rc1 to final. What are correct steps to do it?
Download, build, install in the same dir and then:
/usr/local/samba/bin/samba-tool ntacl sysvolreset
Is that all? Or any other steps are required?

Szymon

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Dec 11, 2012, 6:30:02 PM
On Tue, 2012-12-11 at 21:24 +0100, Szymon Życiński wrote:
> Hello
>
> I want to upgrade rc1 to final. What are correct steps to do it?
> Download, build, install in the same dir and then:
> /usr/local/samba/bin/samba-tool ntacl sysvolreset
> Is that all? Or any other steps are required?

Running the dbcheck command suggested in the release notes might also be
a good idea, but we haven't intentionally made changes that would hit.

A late change turned on read ACL enforcement, but your directory won't
have the correct ACLs set, so you can set 'acl:search=false' to return
to rc5 behaviour here, until we provide an upgrade script. (This seems
to hit joining windows DCs to the domain in particular).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Szymon Życiński

Dec 13, 2012, 5:10:02 PM

> Running the dbcheck command suggested in the release notes might also be
> a good idea, but we haven't intentionally made changes that would hit.

No errors found so it was not necessary.

> A late change turned on read ACL enforcement, but your directory won't
> have the correct ACLs set, so you can set 'acl:search=false' to return
> to rc5 behaviour here, until we provide an upgrade script. (This seems
> to hit joining windows DCs to the domain in particular).

I added it to globals in smb.conf but could you explain why it is
required and what it does?

I upgraded through ssh remotely from home; after talking on the phone with
one user at work it seems to work (login and GPO computer config).
Tomorrow I will know if roaming profiles and logon scripts work OK.

I hope that DNS will work now without problems (dynamic updates) and that I
will not have to restart samba every night because internal DNS gets stuck
after a few days of heavy load.

Szymon

Andrew Bartlett

Dec 14, 2012, 1:10:02 AM
On Thu, 2012-12-13 at 23:03 +0100, Szymon Życiński wrote:
> > Running the dbcheck command suggested in the release notes might also be
> > a good idea, but we haven't intentionally made changes that would hit.
>
> No errors found so it was not necessary.
>
> > A late change turned on read ACL enforcement, but your directory won't
> > have the correct ACLs set, so you can set 'acl:search=false' to return
> > to rc5 behaviour here, until we provide an upgrade script. (This seems
> > to hit joining windows DCs to the domain in particular).
>
> I added it to globals in smb.conf but could you explain why it is
> required and what it does?

With that option ('acl:search=false'), we have the same behaviour that
we had before rc6, that is that all users can read all non-password
attributes. The only other change is that attributes explicitly marked
as 'confidential' are also protected from reading by normal users (this,
also in rc6, is always done now).

The new default is to apply the ntSecurityDescriptor to all reads (as
well as writes, which we have done for some time). This may well have
some unexpected consequences, particularly if the directory is an
upgrade, not a fresh provision.

> I upgraded through ssh remotely from home; after talking on the phone with
> one user at work it seems to work (login and GPO computer config).
> Tomorrow I will know if roaming profiles and logon scripts work OK.
>
> I hope that DNS will work now without problems (dynamic updates) and that I
> will not have to restart samba every night because internal DNS gets stuck
> after a few days of heavy load.

Do let us know if you have any remaining issues.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
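
A check for the workaround discussed above, as an added example that is not part of the original thread or Samba's own code: it reports whether an smb.conf still carries 'acl:search=false' in [global], which leaves read ACL enforcement off. The function name, the simplified reading of smb.conf syntax and the sample config are assumptions made for the example.

```python
import re

# Boolean spellings accepted in smb.conf.
TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

# Constructed sample config (not taken from the thread).
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; acl:search = true
    ACL:Search = False

[constructed-share]
    read only = no
"""

def acl_search_setting(conf_text):
    """Return (enforced, line_no) for 'acl:search' in [global].

    enforced is True when read ACLs are applied (option absent or true,
    the default described in the thread) and False when the workaround
    is active. line_no is the last effective assignment, or None.
    Simplified parser (assumption): comments, continuations, sections.
    """
    section, pending = None, ""
    enforced, where = True, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (p.strip().lower() for p in line.split("=", 1))
        if name.replace(" ", "") != "acl:search":
            continue
        if value in FALSE:
            enforced, where = False, no
        elif value in TRUE:
            enforced, where = True, no
    return enforced, where

if __name__ == "__main__":
    enforced, where = acl_search_setting(SAMPLE)
    print("read ACL enforcement:", "on" if enforced else f"OFF (line {where})")
```

Running it against the domain controller's smb.conf after an upgrade shows whether the temporary setting is still in place once the directory ACLs have been corrected.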

Szymon Życiński

Dec 14, 2012, 3:40:02 AM
> Do let us know if you have any remaining issues.
>
> Andrew Bartlett


It looks like everything works OK. Will see DNS in a few days. GPO, login
scripts work, so users don't even notice the change!

Good work!

Szymon

Kristofer

Dec 15, 2012, 6:00:02 PM
> > > A late change turned on read ACL enforcement, but your directory won't
> > > have the correct ACLs set, so you can set 'acl:search=false' to return
> > > to rc5 behaviour here, until we provide an upgrade script. (This seems
> > > to hit joining windows DCs to the domain in particular).
> >
> > I added it to globals in smb.conf but could you explain why it is
> > required and what it does?
>
> With that option ('acl:search=false'), we have the same behaviour that
> we had before rc6, that is that all users can read all non-password
> attributes. The only other change is that attributes explicitly marked
> as 'confidential' are also protected from reading by normal users (this,
> also in rc6, is always done now).

Bingo! That fixed my issues!

Upgrading to GA failed, and I did a step-by-step upgrade and reached problems at RC6.

I have a bunch of Linux machines joined to the domain using winbind, and as of RC6 they all fail to load user information ("id username" returned no users).

The majority of winbind versions I am running are 3.5.10-125.el6 from the CentOS 6.3 repo.