[Samba] Crash on "samba-tool domain level raise --domain-level=2016 --forest-level=2016"

Fabio Fantoni fabio.fantoni at m2r.biz
Mon Sep 18 15:16:02 UTC 2023 

Il 28/08/2023 21:33, Andrew Bartlett ha scritto:
> On Mon, 2023-08-28 at 12:43 +0200, Fabio Fantoni via samba wrote:
>> Il 25/08/2023 14:26, Rowland Penny via samba ha scritto:
>>> On Fri, 25 Aug 2023 14:10:13 +0200
>>> Sebastian Neustein via samba <
>>> samba at lists.samba.org
>>>> wrote:
>>>> Have you tried doing it step by step: first raise domain level
>>>> and
>>>> after that raising the forest level?
>>>>
>>> An MR as been opened about this:
>>>
>>> https://gitlab.com/samba-team/samba/-/merge_requests/3237
>>>
>>>
>>> Seems someone is reading the list.
>>>
>>> Rowland
>>>
>>>
>> Thanks to Joseph Sutton for the fix, applied manually and tested,
>> this
>> issue is solved but now gave another error.
>>
>> This time I tried to raise to level 2012_R2 instead (for try to add
>> of
>> windows 2012R2 before):
>>
>>> samba-tool domain schemaupgrade --schema=2019
>>> samba-tool domain functionalprep --function-level=2012_R2
>> these was without errors but the level raise still failed with
>> another
>> error:
>>
>>> samba-tool domain level raise --domain-level=2012_R2
>>> --forest-level=2012_R2
>>> ERROR: Domain function level can't be higher than the lowest
>>> function
>>> level of a DC!
>> also tried with only domain and only forest:
>>
>>> samba-tool domain level raise --domain-level=2012_R2
>>> ERROR: Domain function level can't be higher than the lowest
>>> function
>>> level of a DC!
>>> samba-tool domain level raise --forest-level=2012_R2
>>> ERROR: Forest function level can't be higher than the domain
>>> function
>>> level(s). Please raise it/them first!
>> the latest is normal the error FWIK but the first and second I don't
>> understand the cause, is only one samba DC (this is where I'm
>> running
>> operations from)
> Samba doesn’t "support" a FL higher than 2008R2, even in Samba 4.19,
> but there is a preview of Windows 2012, 2012R2 and 2016 support in this
> release.
>
> As per the WHATSNEW, you need to set "ad dc functional level = 2012_R2"
> in the smb.conf of each DC, and on the next startup (or running this
> command) it will update the record of the DC's own functional level in
> the database, and allow this to proceed.

Thanks for reply, sorry for my stupid mistake of not copying the part of 
parameter to add in the smb.conf when I had copied the commands into the 
internal documentation that I used for the tests.

Today I did another test, feature level raise worked without errors.

I still had issue adding windows 2012r2 DC to samba-only domain also in 
this test (similar to the previous when I added 2008R2 before) where DNS 
server on windows is still not working with event id 4014:

> The DNS server was unable to initialize Active Directory security 
> interfaces. Check that the Active Directory is functioning properly 
> and restart the DNS server. The event data contains the error.
the replication even if windows tell is not completed on samba DC side 
with "samba-tool drs showrepl" don't show errors and DNS record of new 
DC in the samba dns server are present

from a search like the old of long time ago wrote about 
msDS-referenceDomain attribute but I already fixed on this domain and 
also tried other things related to manual operations for sysvol on 
windows but don't fixes the issue

I don't know if there is something related to samba that cause the issue 
or is only a windows issue, now that in samba DC is possible have higher 
FL I can also try to add windows 2019 dc instead to see if is different

>
>> no error on db (I executed also before the raise test)
>>
>>> samba-tool dbcheck --cross-ncs
>>> Checking 3993 objects
>>> Checked 3993 objects (0 errors)
>> here some conf files if needed:
> Thanks.  This shows the parameter isn't set.
>
>>> less /etc/samba/smb.conf
>>> # Global parameters
>>> [global]
>>>          netbios name = D12DC
>>>          realm = M2R.LOCAL
>>>          server role = active directory domain controller
>>>          workgroup = M2R
>>>          dns forwarder = 8.8.8.8
>>>          # for nextcloud
>>>          ldap server require strong auth = no
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/m2r.local/scripts
>>>          read only = No
> Thanks so much for giving Samba pre-releases a good test.
>
> It is clear our tools could better report their errors and guide users
> on how to resolve the issues.
>
> Andrew Bartlett


-- 
Questa email è stata esaminata alla ricerca di virus dal software antivirus Avast.
www.avast.com

More information about the samba mailing list