Univention Bugzilla – Bug 53221
With 200k users samba doesn't start after update from UCS 4.4-8 to UCS 5.0-0
Last modified: 2023-08-03 18:45:18 CEST
We need a technical solution for this.

+++ This bug was initially created as a clone of Bug #53212 +++

With 200k users samba doesn't start after update from UCS 4.4-8 to UCS 5.0-0

Something with ldb seems stuck. E.g. this command doesn't return:

ldbdel -H /var/lib/samba/private/sam.ldb foo
We have pre-joined KVM templates, a master with 200.000+ user objects and a backup (4.4-8). This setup can be started with

-> KVM_BUILD_SERVER=soft-test02 DOCKER=true release_update=testing ./utils/start-test.sh ./product-tests/samba/bigenv-new.cfg

or via jenkins Product-Test -> Samba bigenv

to reproduce the problem.

Once this is fixed, please also update ./product-tests/samba/bigenv-new.cfg!
(In reply to Felix Botner from comment #2)
> We have pre-joined KVM templates, a master with 200.000+ user objects and a
> backup (4.4-8). This setup can be started with
>
> -> KVM_BUILD_SERVER=soft-test02 DOCKER=true release_update=testing
> ./utils/start-test.sh ./product-tests/samba/bigenv-new.cfg
>
> or via jenkins Product-Test -> Samba bigenv
>
> to reproduce the problem.
>
> Once this is fixed, please also update ./product-tests/samba/bigenv-new.cfg!

./product-tests/samba/bigenv.cfg
Created attachment 10745
migrate-samldb-from-tdb-to-mdb

The attempts with

* samba-tool domain backup online
* samba-tool drs clone-dc-database

had the nasty side effect of changing all uSNChanged/uSNCreated values, which breaks DRS replication unless we also change the invocationId. Maybe that would have worked, but I didn't continue down that road.

I found a solution that seems to work much nicer (less data conversion, less risk, pretty fast, and the other DCs won't even notice). The attached script just works on the key-value backend database level and treats the keys and values as opaque blobs instead of parsing them as LDB objects. At its core it just uses python-tdb to read the TDB files and python-lmdb to write the MDB files and then flips the switch to activate MDB handling in sam.ldb.

It runs dbcheck by default before and after the migration, which can be disabled via command line option (for QA test runs).
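Added example (not part of the thread and not the attached script): a sketch of the opaque key/value copy described in the comment above, with a digest check that the LMDB file holds exactly the records read from the TDB file. The function names, the `map_size` default and the single-file LMDB layout (`subdir=False`) are assumptions; it does not touch sam.ldb itself or replace dbcheck.

```python
import hashlib
import os


def blob_digest(pairs):
    """Order-independent (count, digest) over opaque key/value byte pairs."""
    count, acc = 0, 0
    for key, value in pairs:
        # Length-prefix the key so (b"ab", b"c") and (b"a", b"bc") differ.
        rec = len(key).to_bytes(8, "big") + bytes(key) + bytes(value)
        acc = (acc + int.from_bytes(hashlib.sha256(rec).digest(), "big")) % (1 << 256)
        count += 1
    return count, acc


def copy_opaque(pairs, put):
    """Write every record unchanged via put(); return the digest of what was read."""
    def tee():
        for key, value in pairs:
            put(key, value)
            yield key, value
    return blob_digest(tee())


def tdb_pairs(path):
    """Yield raw records from a TDB file (needs python-tdb)."""
    import tdb
    db = tdb.open(path, flags=os.O_RDONLY)
    try:
        for key in db:
            yield key, db.get(key)
    finally:
        db.close()


def migrate_file(tdb_path, mdb_path, map_size=8 << 30):
    """Copy one TDB file into a new LMDB file and verify it (needs python-lmdb)."""
    import lmdb
    env = lmdb.open(mdb_path, subdir=False, map_size=map_size)
    try:
        with env.begin(write=True) as txn:
            src = copy_opaque(tdb_pairs(tdb_path), txn.put)
        with env.begin() as txn:
            dst = blob_digest(txn.cursor())
    finally:
        env.close()
    if src != dst:
        raise RuntimeError(f"{mdb_path}: records differ from {tdb_path}")
    return src[0]
```

Because the records are never parsed, the check compares bytes only; a record that was already corrupt in the TDB file is copied as it is, which is why a dbcheck run before and after still matters.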
Created attachment 10746
migrate-samldb-from-tdb-to-mdb

I've adjusted the script to also work with the "encryptedSecrets" feature in more recent Samba versions that causes password hashes on disk to be protected by a layer of encryption.

I've created a new help article:
https://help.univention.com/t/pre-update-checks-for-ucs-5-0-0-aborts-warning-about-a-very-large-samba-tdb-database/18014

If that's ok, then we should update the error message in the preup-check to the new article.
Jenkins: OK
Manual Tests: OK
Reversion in case of error: OK
help-article: OK

TODO: Adjust preup-check message accordingly
3e49b690 Adjust link help.univention.de in preup-check

Package: univention-updater
Version: 15.0.3-66A~5.0.0.202106141124
Branch: ucs_5.0-0
Scope: errata5.0-0

For QA:
* pre-check-script + gpg (only internal): /var/univention/buildsystem2/test_mirror/ftp/download/univention-update-checks/pre-update-checks-5.0-0
* preup.sh + gpg: http://updates-test.knut.univention.de/dists/ucs500/
Message: OK
Released to testing: OK
/var/univention/buildsystem2/test_mirror/ftp/download/univention-update-checks/pre-update-checks-5.0-0 OK
http://updates-test.knut.univention.de/dists/ucs500/ OK

Verified
The new preup-check has been released