[Samba] Crash on "samba-tool domain level raise --domain-level=2016 --forest-level=2016"
Fabio Fantoni
fabio.fantoni at m2r.biz
Mon Sep 18 15:16:02 UTC 2023
Il 28/08/2023 21:33, Andrew Bartlett ha scritto:
> On Mon, 2023-08-28 at 12:43 +0200, Fabio Fantoni via samba wrote:
>> Il 25/08/2023 14:26, Rowland Penny via samba ha scritto:
>>> On Fri, 25 Aug 2023 14:10:13 +0200
>>> Sebastian Neustein via samba <
>>> samba at lists.samba.org
>>>> wrote:
>>>> Have you tried doing it step by step: first raise domain level
>>>> and
>>>> after that raising the forest level?
>>>>
>>> An MR as been opened about this:
>>>
>>> https://gitlab.com/samba-team/samba/-/merge_requests/3237
>>>
>>>
>>> Seems someone is reading the list.
>>>
>>> Rowland
>>>
>>>
>> Thanks to Joseph Sutton for the fix, applied manually and tested,
>> this
>> issue is solved but now gave another error.
>>
>> This time I tried to raise to level 2012_R2 instead (for try to add
>> of
>> windows 2012R2 before):
>>
>>> samba-tool domain schemaupgrade --schema=2019
>>> samba-tool domain functionalprep --function-level=2012_R2
>> these was without errors but the level raise still failed with
>> another
>> error:
>>
>>> samba-tool domain level raise --domain-level=2012_R2
>>> --forest-level=2012_R2
>>> ERROR: Domain function level can't be higher than the lowest
>>> function
>>> level of a DC!
>> also tried with only domain and only forest:
>>
>>> samba-tool domain level raise --domain-level=2012_R2
>>> ERROR: Domain function level can't be higher than the lowest
>>> function
>>> level of a DC!
>>> samba-tool domain level raise --forest-level=2012_R2
>>> ERROR: Forest function level can't be higher than the domain
>>> function
>>> level(s). Please raise it/them first!
>> the latest is normal the error FWIK but the first and second I don't
>> understand the cause, is only one samba DC (this is where I'm
>> running
>> operations from)
> Samba doesn’t "support" a FL higher than 2008R2, even in Samba 4.19,
> but there is a preview of Windows 2012, 2012R2 and 2016 support in this
> release.
>
> As per the WHATSNEW, you need to set "ad dc functional level = 2012_R2"
> in the smb.conf of each DC, and on the next startup (or running this
> command) it will update the record of the DC's own functional level in
> the database, and allow this to proceed.
Thanks for reply, sorry for my stupid mistake of not copying the part of
parameter to add in the smb.conf when I had copied the commands into the
internal documentation that I used for the tests.
Today I did another test, feature level raise worked without errors.
I still had issue adding windows 2012r2 DC to samba-only domain also in
this test (similar to the previous when I added 2008R2 before) where DNS
server on windows is still not working with event id 4014:
> The DNS server was unable to initialize Active Directory security
> interfaces. Check that the Active Directory is functioning properly
> and restart the DNS server. The event data contains the error.
the replication even if windows tell is not completed on samba DC side
with "samba-tool drs showrepl" don't show errors and DNS record of new
DC in the samba dns server are present
from a search like the old of long time ago wrote about
msDS-referenceDomain attribute but I already fixed on this domain and
also tried other things related to manual operations for sysvol on
windows but don't fixes the issue
I don't know if there is something related to samba that cause the issue
or is only a windows issue, now that in samba DC is possible have higher
FL I can also try to add windows 2019 dc instead to see if is different
>
>> no error on db (I executed also before the raise test)
>>
>>> samba-tool dbcheck --cross-ncs
>>> Checking 3993 objects
>>> Checked 3993 objects (0 errors)
>> here some conf files if needed:
> Thanks. This shows the parameter isn't set.
>
>>> less /etc/samba/smb.conf
>>> # Global parameters
>>> [global]
>>> netbios name = D12DC
>>> realm = M2R.LOCAL
>>> server role = active directory domain controller
>>> workgroup = M2R
>>> dns forwarder = 8.8.8.8
>>> # for nextcloud
>>> ldap server require strong auth = no
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/m2r.local/scripts
>>> read only = No
> Thanks so much for giving Samba pre-releases a good test.
>
> It is clear our tools could better report their errors and guide users
> on how to resolve the issues.
>
> Andrew Bartlett
--
Questa email è stata esaminata alla ricerca di virus dal software antivirus Avast.
www.avast.com
More information about the samba
mailing list