s4:provision - Bump down the domain and forest level to Windows 2000

Andrew Kroeger andrew at id10ts.net
Mon Sep 21 13:34:35 MDT 2009

Andrew Bartlett wrote:
> On Mon, 2009-09-21 at 11:43 -0500, Andrew Kroeger wrote:
>> Andrew Bartlett wrote:
>>> Matthias,
>>>
>>> I'm puzzled as to why we needed to change the default functional level
>>> here.  Perhaps I'm missing something, but what was wrong with the old
>>> default?
>>>
>>> I'm quite happy to have options in our provision to set the domain
>>> functional level (certainly between Windows 2003 and Windows 2008
>>> level), and have scripts to change it, but the default should not be
>>> changed without discussion on the list.
>>>
>>> Similarly, we should not advertise a higher server functional level
>>> without carefully considering and discussing the consequences.
>>>
>>> I'm sorry to have to be so picky about this, but we need to work a bit
>>> closer to review your changes for their broader impact.  We have a big
>>> week of testing coming up at Microsoft, and changes like this mid-week
>>> could really throw a spanner in the works.
>>>
>>> Andrew Bartlett
>>
>> Andrew:
>>
>> I think it's time to have that discussion on the list :)
>>
>> After your commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a, which
>> changed forest, domain and domain controller functionality levels to
>> 2008, I cannot join a W2K8 server to an S4 domain.  After reverting that
>> commit, I am again able to join a W2K8 server to an S4 domain.
>>
>> I am attaching the relevant section of my samba.log containing details
>> from when the domain join fails.
>
> It looks like 'salting' to me.  Ensure you have a fresh provision (we
> changed the salting algorithm).  Perhaps there is an upgrade bug on
> secrets.ldb.
>
> Andrew Bartlett


I just confirmed that commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a is 
in fact causing my issue.  I did a fresh pull from master (through 
commit e440a2e11e78a562f97971c0dfe0cf3f694996ff) on a clean branch (no 
local modifications).  I performed a clean build, fresh install and 
fresh provision, and I could not join a W2K8 server to the S4 domain 
again.  I reverted commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a, did 
another clean build, fresh install and fresh provision, and then I could 
successfully join the W2K8 server to the S4 domain.

I'm currently running W2K8 SP2 with all updates applied, but I also saw 
the error with a base W2K8 install (no SP or updates installed).

I'm willing to run additional tests to help track this down if you are 
having problems reproducing the issue.

Andrew Kroeger

More information about the samba-technical mailing list