s4:provision - Bump down the domain and forest level to Windows 2000

Andrew Bartlett abartlet at samba.org
Mon Sep 21 13:21:16 MDT 2009


On Mon, 2009-09-21 at 11:13 -0700, Andrew Bartlett wrote:
> On Mon, 2009-09-21 at 11:43 -0500, Andrew Kroeger wrote:
> > Andrew Bartlett wrote:
> > > Matthias,
> > > 
> > > I'm puzzled as to why we needed to change the default functional level
> > > here.  Perhaps I'm missing something, but what was wrong with the old
> > > default?  
> > > 
> > > I'm quite happy to have options in our provision to set the domain
> > > functional level (certainly between Windows 2003 and Windows 2008
> > > level), and have scripts to change it, but the default should not be
> > > changed without discussion on the list. 
> > > 
> > > Similarly, we should not advertise a higher server functional level
> > > without carefully considering and discussing the consequences.   
> > > 
> > > I'm sorry to have to be so picky about this, but we need to work a bit
> > > closer to review your changes for their broader impact.  We have a big
> > > week of testing coming up at Microsoft, and changes like this mid-week
> > > could really throw a spanner in the works. 
> > > 
> > > Andrew Bartlett
> > 
> > Andrew:
> > 
> > I think it's time to have that discussion on the list :)
> > 
> > After your commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a, which 
> > changed forest, domain and domain controller functionality levels to 
> > 2008, I cannot join a W2K8 server to an S4 domain.  After reverting that 
> > commit, I am again able to join a W2K8 server to an S4 domain.
> > 
> > I am attaching the relevant section of my samba.log containing details 
> > from when the domain join fails.
> 
> It looks like 'salting' to me.  Ensure you have a fresh provision (we
> changed the salting algorithm).  Perhaps there is an upgrade bug on
> secrets.ldb. 

Indeed, what happened here is that as a Windows 2008 DC, we need the
salt right.  But when I made the salting change, the use of AES was
disabled, so the incorrect choice wasn't noticed.  I'm fixing it now.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
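An added illustration of the salt problem discussed above (this is example code, not from the thread and not Samba's own implementation). The Active Directory salt convention it follows is the one documented in MS-KILE: user accounts salt with the upper-cased realm followed by the sAMAccountName, computer accounts with the realm followed by "host", the lower-cased host name and the lower-cased DNS domain. The account names, realm and password are constructed test values. Only the PBKDF2 stage of the RFC 3962 AES string-to-key is implemented, because the final DK step needs AES-CBC, which the Python standard library does not provide; since that step is a deterministic function of the PBKDF2 output, any salt mismatch visible here carries through to the final AES key. The RC4 (arcfour-hmac) key, by contrast, is just the NT hash of the password with no salt at all, which is why a wrong salt goes unnoticed while AES is disabled.

```python
import hashlib


def ad_salt(realm: str, sam_account_name: str) -> str:
    """Build the Kerberos string-to-key salt the way Active Directory does
    (MS-KILE section 3.1.1.2, assumption: names are given as in the directory).

    Computer accounts carry a trailing '$' and get the host form:
        REALM + "host" + <hostname lowercased> + "." + <realm lowercased>
    User accounts get REALM + sAMAccountName, case preserved.
    """
    realm_upper = realm.upper()
    if sam_account_name.endswith("$"):
        hostname = sam_account_name[:-1].lower()
        return f"{realm_upper}host{hostname}.{realm.lower()}"
    return f"{realm_upper}{sam_account_name}"


def aes_tkey(password: str, salt: str, key_len: int = 32,
             iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.

    key_len is 16 for aes128-cts-hmac-sha1-96 and 32 for aes256-cts-hmac-sha1-96;
    4096 is the default iteration count AD and RFC 3962 use.  The remaining
    step, DK(tkey, "kerberos"), requires AES-CBC and is deliberately not
    implemented here; it cannot make two different tkeys collide.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def kdc_accepts(password: str, kdc_salt: str, client_salt: str) -> bool:
    """Model the check that fails on a mismatched salt: the KDC stores a key
    derived with kdc_salt, the joining client derives one with client_salt
    (the salt it was told in the ETYPE-INFO2 pre-auth hint).  They must agree
    for AES pre-authentication to succeed."""
    return aes_tkey(password, kdc_salt) == aes_tkey(password, client_salt)


if __name__ == "__main__":
    # Constructed values; any resemblance to a real domain is accidental.
    realm, pw = "example.com", "Passw0rd!"
    user_salt = ad_salt(realm, "alice")          # EXAMPLE.COMalice
    dc_salt = ad_salt(realm, "WIN2K8DC$")         # EXAMPLE.COMhostwin2k8dc.example.com
    print("user salt:", user_salt)
    print("computer salt:", dc_salt)
    # Wrong salt for the machine account: treating it like a user account.
    wrong_salt = ad_salt(realm, "WIN2K8DC")       # EXAMPLE.COMWIN2K8DC
    print("correct salt accepted:", kdc_accepts(pw, dc_salt, dc_salt))
    print("user-style salt accepted:", kdc_accepts(pw, dc_salt, wrong_salt))
```

Running it shows the machine-account join succeeding only when both sides use the host-form salt; with RC4 alone the same password would yield the same key on both sides regardless of salt, which is the condition under which the incorrect choice went unnoticed.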