status of DRS efforts in Samba4 (and a developer tutorial)

Matthias Dieter Wallnöfer mdw at samba.org
Tue Sep 22 05:50:23 MDT 2009


Andrew Kroeger,

your work is highly appreciated. I applied your patches in a slightly 
different version to my personal branch - since this week I agreed with 
abartlet and tridge to not push directly to "master" (as you may know: 
they perform important tests in the MS labs and prefer a stable release).

But afterwards I hope to merge it soon.

As I already told you in a recent email: if you have some interest to 
continue to work on the password policies in s4 please tell me. 
Otherwise I'll try to do it sooner or later.

Greets,
Matthias

Andrew Kroeger schrieb:
> tridge at samba.org wrote:
>> ---------------------------------------------
>> - join w2k8 to samba4 dc
>>
>> We've been concentrating up to now on Samba4<->Samba4 replication, and
>> Samba4<->Windows replication where the Samba4 server joins the Windows
>> domain. A more difficult problem is making it work when you start with
>> a Samba4 domain (from provision, or from vampiring a Windows domain)
>> and then try to add another Windows DC by using dcpromo. This is
>> currently failing with an obscure error at the end of the dcpromo
>> process.
>
> All:
>
> I did some work on this and made some progress, but I now find myself 
> stuck and cannot figure out what is happening.  My initial attempt at 
> running dcpromo under W2K8 server ended with the error message:
>
>> To install a domain controller into this Active Directory forest, you
>> must first prepare the forest using "adprep /forestprep".  The
>> Adprep utility is available on the Windows 2008 Server installation
>> media in the \sources\adprep folder.
>
> I looked through the samba.log and was able to determine the LDAP 
> queries dcpromo was using to determine that adprep needed to run.  
> Based on a comparison of those LDAP queries against a S4 DC and a W2K8 
> DC, I found two issues:
>
> 1.  The objectVersion attributes of ${SCHEMADN} were different. We had 
> it set to 30 (W2K3 schema version) while the W2K8 DC had 44 (W2K8 
> schema).  After changing our objectVersion to 44 (we are using a W2K8 
> schema after all), the error still occurred.  Patch for this change is 
> attached.
>
> 2.  I found three LDAP entries that dcpromo queried for that were 
> present on the W2K8 DC, but not present on the S4 DC.  These values are:
>
> - CN=ActiveDirectoryUpdate,CN=ForestUpdates,${CONFIGDN}
> - CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,${DOMAINDN}
> - CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
>
> After some additional research, I found that these entries are created 
> by the adprep utility (for the /forestprep, /domainprep and /rodcprep 
> options, respectively).  After adding these entries (and the 
> respective values for the revision attribute, as observed on a W2K8 
> DC), I no longer receive the above adprep error message when running 
> dcpromo.  A patch with these changes is also attached.
>
> After making the above changes, I can now run dcpromo to the point it 
> starts configuring itself as a DC (pulling data from S4 or whatever 
> steps it is actually doing under the hood).
>
> I now receive the following error before the actual dcpromo run can 
> finish:
>
>> The operation failed because:
>>
>> An unknown error occurred while installing Active Directory
>> Domain Services.
>>
>> "An error occurred while installing the directory service.  For more
>> information, see the event log."
>
> Looking in the event log gives the following detail for Event ID 1523:
>
>> The Active Directory Domain Services schema cache load could not 
>> convert the default security descriptor on the following schema class 
>> object.  
>> Security descriptor:
>> D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) Schema class object:
>> CN=Domain-DNS,CN=Schema,O=Boot  
>> As a result, the schema cache load will fail.  
>> User Action Verify that the default security descriptor on the class 
>> is valid. If it is not valid, change it to a correct value.  
>> Additional Data Error value:
>> 1337 The security ID structure is invalid.
>
> I verified that the defaultSecurityDescriptor displayed in the error 
> message is the same as the one included in the W2K8 schema we install. 
> I also broke the defaultSecurityDescriptor down and inspected the 
> components, and everything looks right.  I then tried changing the 
> defaultSecurityDescriptor to something extremely simple ("D:S:"), but 
> I still receive the exact same error (with the extremely long 
> defaultSecurityDescriptor value).
>
> This is where I am currently stuck.  I am posting the progress I have 
> made thus far in hopes that someone can either point me in the right 
> direction or build on what I have done to get this working.
>
> Sincerely,
> Andrew Kroeger
>
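The "break the defaultSecurityDescriptor down and inspect the components" step Andrew describes, as an added example that is not code from this thread or from Samba: a small SDDL walker that splits the descriptor into its DACL and SACL ACEs and reports any trustee that is neither a known two-letter alias nor a well-formed literal SID (the condition Windows reports as error 1337), plus malformed GUIDs and unknown ACE types. The alias list and the GOOD/BAD sample strings are assumptions constructed for this example; GOOD reuses a few ACEs from the event-log text above.

```python
import re

# Two-letter trustee aliases from the SDDL specification (the subset seen in AD default
# security descriptors; assumption: any other non-SID trustee is treated as invalid).
SID_ALIASES = set("""AN AO AU BA BG BO BU CA CD CG CO DA DC DD DG DU EA ED HI IU LA LG
LS LW MD MU NO NS NU PA PO PS PU RC RD RE RO RS RU SA SO SU SY WD""".split())
ACE_TYPES = {"A", "D", "OA", "OD", "AU", "AL", "OU", "OL"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def split_sections(sddl):
    """Return {section letter: body} for 'O:..G:..D:..S:..'; a ':' never occurs inside an ACE."""
    return dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))

def check_ace(where, ace):
    """Problems in one ACE body 'type;flags;rights;object_guid;inherit_guid;trustee'."""
    fields = ace.split(";")
    if len(fields) != 6:
        return ["%s (%s): expected 6 fields, got %d" % (where, ace, len(fields))]
    atype, _flags, _rights, obj_guid, inh_guid, trustee = fields
    problems = []
    if atype not in ACE_TYPES:
        problems.append("%s (%s): unknown ACE type %r" % (where, ace, atype))
    for label, guid in (("object", obj_guid), ("inherited-object", inh_guid)):
        if guid and not GUID_RE.match(guid):
            problems.append("%s (%s): malformed %s GUID %r" % (where, ace, label, guid))
    if trustee not in SID_ALIASES and not SID_RE.match(trustee):
        problems.append("%s (%s): invalid trustee SID %r" % (where, ace, trustee))
    return problems

def check_sddl(sddl):
    """Walk the DACL and SACL of an SDDL string; return a list of problems (empty = clean)."""
    problems, sections = [], split_sections(sddl)
    for name in ("D", "S"):
        body = re.sub(r"^(?:P|AR|AI)*", "", sections.get(name, ""))  # drop ACL control flags
        for i, ace in enumerate(re.findall(r"\(([^()]*)\)", body)):
            problems += check_ace("%s[%d]" % (name, i), ace)
    return problems

# Constructed sample: three ACEs copied from the descriptor quoted above (one with a literal SID),
# then three deliberately broken ones: unknown alias, truncated SID, GUID split by a mail line wrap.
GOOD = ("D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
        "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)S:(AU;SA;WDWOWP;;;WD)")
BAD = ("D:(A;;RP;;;XX)(A;;RPLCLORC;;;S-1-5-32-)"
       "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6- 11d0-a285-00aa003049e2;RU)")
if __name__ == "__main__":
    for label, sddl in (("good", GOOD), ("bad", BAD)):
        print(label + ":", check_sddl(sddl) or "no problems found")
```

Note that the walker only checks syntax: the quoted descriptor passes it, which matches Andrew's observation that its components look right, so the tool narrows the search rather than explaining the 1337 result.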
