I would like to add my observations on this bug after upgrading from stretch to 10.1.

The apparmor fixes seem OK so far. My samba system was originally created by moving a samba-3 system from CentOS 6 to Debian 9 and then using the samba tools to migrate to an ad-dc system. I mention this because that migration path, while surprisingly smooth, was not without a need for some manual intervention. So some of what I observed might be specific to my situation, since it was not installed on Debian from scratch.

At the end of the Buster upgrade, everything seemed to be running OK; however, once I needed to make some changes to and check the bind9 config, the problems became apparent.

1. The bind config was still pointing at /var/lib/samba/private/named.conf, and that file was still loading the 9.10 library rather than 9.11.
2. After fixing that, I ran the suggested test of "samba_dnsupdate --verbose --all-names" and every line reported "failed".
3. I then tried the suggestion from the samba wiki of "samba_upgradedns --dns-backend=BIND9_DLZ". That failed due to the non-existence of the /var/lib/samba/bind-dns directory, which led me to this bug report.

I manually created that directory, gave it what I guessed might be suitable group ownership and permissions, and reran the samba_upgradedns script. The result of that was that there were no errors, and the program reported that I needed to manually adjust the two entries in the bind9 config files to point to the new directory.

So it seems to me that the problem could be safely fixed by changing the samba_upgradedns script to check for and create the bind-dns folder if necessary. (I suppose that is an upstream issue and the full ramifications would need to be considered.) Running this script in postinst would be appropriate, but you would somehow need to determine that the user was already using the bind9_dlz backend.

The result of the upgrade script running is that:

1. The new config file is created, which loads the correct version of the dlz library (but the "include" of that file needs to be manually edited in the main bind9 config (options or local - the wiki says .local, but mine was in .options)).
2. The gssapi-key file is created as a hard link between the private and bind-dns locations, so the old config still works, but the user is advised to manually update the bind9 .options file.

Cameron.
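As an added example (not part of the bug report or of the samba packaging), the two checks the report describes can be scripted so an upgraded AD DC can be verified before bind9 is restarted: whether Samba's generated named.conf still dlopen()s a dlz module built for the old BIND version, and whether the /var/lib/samba/bind-dns directory that samba_upgradedns expects exists. The module file naming (dlz_bind9_10.so, dlz_bind9_11.so) and the library path are assumptions based on the report; the named.conf shown is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Checks a Samba BIND9_DLZ setup after
# an upgrade. The dlz_bind9_*.so naming and module path are assumptions; the
# sample named.conf written by demo() is constructed.

# Print the BIND version suffix of the dlz module loaded by a Samba named.conf,
# e.g. "9_10" for dlz_bind9_10.so. Prints nothing if no such line is found.
dlz_library_version() {
    sed -n 's/.*dlz_bind\([0-9_]*\)\.so.*/\1/p' "$1" | head -n 1
}

# Return 0 when the named.conf loads the module matching the installed BIND
# version (given as e.g. "9_11"), 1 when the reference is stale or missing.
check_dlz_matches() {
    conf="$1"; want="$2"
    have="$(dlz_library_version "$conf")"
    if [ -z "$have" ]; then
        echo "no dlz_bind9 module referenced in $conf"; return 1
    fi
    if [ "$have" != "$want" ]; then
        echo "stale dlz module: $conf loads dlz_bind${have}.so, expected dlz_bind${want}.so"
        return 1
    fi
    echo "dlz module OK (dlz_bind${have}.so)"; return 0
}

# Return 0 when the bind-dns directory that samba_upgradedns expects exists.
# Ownership is deliberately not set here; the correct owner/group depends on
# the site's named and samba configuration.
check_bind_dns_dir() {
    if [ -d "$1" ]; then echo "$1 present"; return 0; fi
    echo "$1 missing: samba_upgradedns --dns-backend=BIND9_DLZ fails until it exists"
    return 1
}

# Constructed demo: a named.conf left over from Stretch still loading the 9.10
# module, checked against BIND 9.11 and a missing bind-dns directory.
demo() {
    tmp="$(mktemp -d)"
    printf 'dlz "AD DNS Zone" {\n    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";\n};\n' > "$tmp/named.conf"
    check_dlz_matches "$tmp/named.conf" 9_11 || :
    check_bind_dns_dir "$tmp/bind-dns" || :
    rm -rf "$tmp"
}
demo
```

On a real system, point check_dlz_matches at /var/lib/samba/private/named.conf (or the new bind-dns copy) with the installed BIND version, and run check_bind_dns_dir against /var/lib/samba/bind-dns.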