Bug 43692 - Migrate Samba 4 DNS data from the legacy to the default partition
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
Importance: P5 enhancement
Target Milestone: ---
Assigned To: Samba maintainers
Duplicates: 34693 40494
Depends on: 34693 43291
Reported: 2017-03-01 18:32 CET by Arvid Requate
Modified: 2019-03-29 13:11 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2017111021000201, 2017111021000452
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+

migrate_legacy_dns_zones.sh (8.92 KB, application/x-shellscript)
2017-03-01 18:32 CET, Arvid Requate
migrate_legacy_dns_zones.sh (10.17 KB, application/x-shellscript)
2017-03-27 20:18 CEST, Arvid Requate
migrate_legacy_dns_zones.sh (10.18 KB, application/x-shellscript)
2017-03-27 20:20 CEST, Arvid Requate
migrate_legacy_dns_zones (10.52 KB, application/x-shellscript)
2017-08-29 18:08 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2017-03-01 18:32:23 CET
Created attachment 8480

The DNS data should be migrated from the legacy position to the default DNS partition. We should at least have such a migration script.

Maybe we can release the script as part of an erratum and use it by default later. The problem is that the bind daemons on other joined Samba AD/DCs also need to be restarted (after the DRS replication is through).

The attached script
* stops if connector/s4/mapping/dns/position != legacy
* does nothing if dns/backend != samba4
* stops bind9 & univention-s4-connector
* backs up the zone data found below DC=DomainDnsZones
* backs up the zone data found below DC=ForestDnsZones
* copies the zones below CN=System to DC=DomainDnsZones,
  skipping the ._msdcs records
* copies ._msdcs records below CN=System to DC=ForestDnsZones,
  rewriting e.g. "foo._msdcs" below "dom.qa" to "foo" below "_msdcs.dom.qa"
* removes the corresponding DNS from "DN Mapping UCS" and "DN Mapping CON"
* backs up the legacy zone data found below CN=System
* renames the legacy SOA ("DC=@") records to "DC=#@",
  so bind9 will not consider them any longer after restart
* unsets connector/s4/mapping/dns/position
* starts bind9 & univention-s4-connector again
* runs samba_dnsupdate

Before releasing this we still need to check a couple of points:

* if this works reliably
* if additional S4 Connector cache data needs to be removed.
* if nameservers on other Samba/AD DCs continue to work
  until they are restarted at some point:
  E.g. does this still work?:  host -t soa "$(dnsdomainname)"
  And what happens when a Windows client runs DDNS against it?
  What happens when samba_dnsupdate runs the next time?
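The DN rewriting rules from the step list above (plain records to DC=DomainDnsZones, "foo._msdcs" records to "foo" below "_msdcs.<zone>" in DC=ForestDnsZones, legacy "DC=@" renamed to "DC=#@") as an added Python example. This is not the attached migrate_legacy_dns_zones.sh and touches no database: it only computes the planned copy/rename operations from a constructed list of legacy record DNs, so the mapping can be checked before running anything against sam.ldb. The handling of the zone container object (creating a "_msdcs.<zone>" zone in ForestDnsZones next to the DomainDnsZones copy) is an assumption of this example, as are the sample DNs and the domain DC=dom,DC=qa.

```python
"""Plan the DN rewrites for moving Samba AD DNS objects out of the legacy
CN=System position into the DomainDnsZones / ForestDnsZones partitions.

Constructed example for this bug report; it is not the attached
migrate_legacy_dns_zones.sh and does not modify any database. It models
the rewriting rules listed in the description:
  * plain records move from CN=System to DC=DomainDnsZones,
  * "<name>._msdcs" records become "<name>" in the zone "_msdcs.<zone>"
    below DC=ForestDnsZones,
  * the legacy SOA record "DC=@" is renamed to "DC=#@" in place.
Zone container handling is an assumption (see plan_record).
"""
import re

LEGACY_CONTAINER = "CN=MicrosoftDNS,CN=System"
DOMAIN_CONTAINER = "CN=MicrosoftDNS,DC=DomainDnsZones"
FOREST_CONTAINER = "CN=MicrosoftDNS,DC=ForestDnsZones"

_RDN_RE = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.*)$")


def split_dn(dn):
    """Split a DN into (ATTR, value) pairs.

    Attribute names are upper-cased so the "dc:" and "DC:" spellings
    mentioned in comment 3 compare equal; values are kept verbatim.
    Only unescaped commas separate RDNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN_RE.match(part.strip())
        if not m:
            raise ValueError("malformed RDN in %r: %r" % (dn, part))
        rdns.append((m.group("attr").upper(), m.group("value")))
    return rdns


def join_dn(rdns):
    return ",".join("%s=%s" % (attr, value) for attr, value in rdns)


def _same(a, b):
    """Case-insensitive comparison of two RDN lists (DC/CN values are
    case-insensitive in AD)."""
    return [(x, y.lower()) for x, y in a] == [(x, y.lower()) for x, y in b]


def plan_record(dn, domain_dn):
    """Return the (action, new_dn) operations for one legacy object.

    action is "copy" (create the object at new_dn) or "rename" (rename the
    legacy object in place). Objects outside the legacy container, with
    non-DC RDNs, or nested deeper than record/zone yield an empty list."""
    rdns = split_dn(dn)
    legacy = split_dn(LEGACY_CONTAINER) + split_dn(domain_dn)
    domain = split_dn(DOMAIN_CONTAINER) + split_dn(domain_dn)
    forest = split_dn(FOREST_CONTAINER) + split_dn(domain_dn)
    depth = len(rdns) - len(legacy)

    if depth < 1 or not _same(rdns[depth:], legacy):
        return []
    if any(attr != "DC" for attr, _ in rdns[:depth]):
        return []

    if depth == 1:
        # Zone container (DC=<zone>). Assumption of this example: the zone is
        # recreated in DomainDnsZones and a "_msdcs.<zone>" zone is created
        # in ForestDnsZones to receive the rewritten _msdcs records.
        zone = rdns[0][1]
        return [
            ("copy", join_dn([("DC", zone)] + domain)),
            ("copy", join_dn([("DC", "_msdcs." + zone)] + forest)),
        ]
    if depth != 2:
        return []

    record, zone = rdns[0][1], rdns[1][1]
    if record.lower().endswith("._msdcs"):
        # "foo._msdcs" below "dom.qa" -> "foo" below "_msdcs.dom.qa"
        name = record[: -len("._msdcs")]
        return [("copy", join_dn([("DC", name), ("DC", "_msdcs." + zone)] + forest))]

    ops = [("copy", join_dn([("DC", record), ("DC", zone)] + domain))]
    if record == "@":
        # Deactivate the legacy SOA so bind9 ignores it after the restart.
        ops.append(("rename", join_dn([("DC", "#@"), ("DC", zone)] + legacy)))
    return ops


def plan_migration(dns, domain_dn):
    """Plan all objects as (action, old_dn, new_dn); copies are ordered
    before renames so the legacy data is deactivated last."""
    copies, renames = [], []
    for dn in dns:
        for action, new_dn in plan_record(dn, domain_dn):
            (copies if action == "copy" else renames).append((action, dn, new_dn))
    return copies + renames


# Constructed sample of legacy objects (mixed-case spelling on purpose).
SAMPLE_LEGACY_DNS = [
    "DC=dom.qa,CN=MicrosoftDNS,CN=System,DC=dom,DC=qa",
    "DC=@,DC=dom.qa,CN=MicrosoftDNS,CN=System,DC=dom,DC=qa",
    "DC=master30,DC=dom.qa,CN=MicrosoftDNS,CN=System,DC=dom,DC=qa",
    "dc=_ldap._tcp.dc._msdcs,dc=dom.qa,cn=MicrosoftDNS,cn=System,dc=dom,dc=qa",
    "CN=Users,DC=dom,DC=qa",  # unrelated object, must be ignored
]

if __name__ == "__main__":
    for op in plan_migration(SAMPLE_LEGACY_DNS, "DC=dom,DC=qa"):
        print("%-6s %s -> %s" % op)
```

The ordering in plan_migration mirrors the step list: all copies into the new partitions happen before the legacy SOA is renamed, so a failure half-way leaves the legacy data still served by bind9. Comparing DN values case-insensitively covers the "dc:" versus "DC:" spelling difference handled by the sed expressions in the later attachments.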
Comment 1 Arvid Requate univentionstaff 2017-03-01 18:32:51 CET
*** Bug 34693 has been marked as a duplicate of this bug. ***
Comment 2 Arvid Requate univentionstaff 2017-03-01 20:17:52 CET
Reloading the remote bind9 servers could be done this way:

univention-ssh /etc/machine.secret 'master30$'@backup31 /usr/sbin/rndc reload

if this permission were set:

chgrp "DC Slave Hosts" /etc/bind/rndc.key

But this only helps after the updated DNS data has been replicated via DRS.
Comment 3 Arvid Requate univentionstaff 2017-03-27 20:18:34 CEST
Created attachment 8659

Script adjusted:
* Allow mixed-case "dc: " and "DC: " attribute spelling
* Output more progress info about the steps that are happening

The final deactivation of the legacy data by renaming DC=@ to DC=#@ causes a reject in the S4-Connector. Maybe we can find some cleaner way to do this.
Comment 4 Arvid Requate univentionstaff 2017-03-27 20:20:55 CEST
Created attachment 8660

One additional case insensitive sed expression.
Comment 5 Arvid Requate univentionstaff 2017-04-24 17:35:19 CEST
*** Bug 40494 has been marked as a duplicate of this bug. ***
Comment 6 Arvid Requate univentionstaff 2017-08-29 18:08:36 CEST
Created attachment 9154

Updated version:

* copies nTSecurityDescriptor attributes too
* performs a "samba-tool dbcheck --fix --yes" in the end
* logs to "migrate_legacy_dns_zones-${timestamp}.log"
Comment 7 Arvid Requate univentionstaff 2019-03-29 12:32:52 CET
We should check the most recent version of this script and ship it as part of univention-samba4.