status of DRS efforts in Samba4 (and a developer tutorial)

Andrew Kroeger andrew at id10ts.net
Wed Sep 23 02:48:42 MDT 2009 

Matthias Dieter Wallnöfer wrote:
> Andrew Kroeger,
> 
> your work is highly appreciated. I applied your patches in a slightly 
> different version...

Matthias:

My contributions are mine, as are yours!

I have looked at your Git repository and you must separate my 
contributions from yours!!  If you do not, it looks like I have 
submitted my changes as well as yours, all as part of my contribution.

Please take my submitted patches and commit your additions as additional 
patches on top of them.

Thank you!
Andrew Kroeger

  to my personal branch - since this week I agreed with
> abartlet and tridge to not push directly to "master" (as you may know: 
> they perform important tests in the MS labs and prefer a stable release).
> 
> But afterwards I hope to merge it soon.
> 
> As I already told you in a recent email: if you have some interest to 
> continue to work on the password policies in s4 please tell me. 
> Otherwise I'll try to do it sooner or later.
> 
> Greets,
> Matthias
> 
> Andrew Kroeger schrieb:
>> tridge at samba.org wrote:
>>> ---------------------------------------------
>>> - join w2k8 to samba4 dc
>>>
>>> We've been concentrating up to now on Samba4<->Samba4 replication, and
>>> Samba4<->Windows replication where the Samba4 server joins the Windows
>>> domain. A more difficult problem is making it work when you start with
>>> a Samba4 domain (from provision, or from vampiring a Windows domain)
>>> and then try to add another Windows DC by using dcpromo. This is
>>> currently failing with an obscure error at the end of the dcpromo
>>> process.
>>
>> All:
>>
>> I did some work on this and made some progress, but I now find myself 
>> stuck and cannot figure out what is happening.  My initial attempt at 
>> running dcpromo under W2K8 server ended with the error message:
>>
>>> To install a domain controller into this Active Directory forest, you
>>> must first prepare the forest using "adprep /forestprep".  The
>>> Adprep utility is available on the Windows 2008 Server installation
>>> media in the \sources\adprep folder.
>>
>> I looked through the samba.log and was able to determine the LDAP 
>> queries dcpromo was using to determine that adprep needed to run.  
>> Based on a comparison of those LDAP queries against a S4 DC and a W2K8 
>> DC, I found two issues:
>>
>> 1.  The objectVersion attributes of ${SCHEMADN} were different. We had 
>> it set to 30 (W2K3 schema version) while the W2K8 DC had 44 (W2K8 
>> schema).  After changing our objectVersion to 44 (we are using a W2K8 
>> schema after all), the error still occurred.  Patch for this change is 
>> attached.
>>
>> 2.  I found three LDAP entries that dcpromo queried for that were 
>> present on the W2K8 DC, but not present on the S4 DC.  These values are:
>>
>> - CN=ActiveDirectoryUpdate,CN=ForestUpdates,${CONFIGDN}
>> - CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,${DOMAINDN}
>> - CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
>>
>> After some additional research, I found that these entries are created 
>> by the adprep utility (for the /forestprep, /domainprep and /rodcprep 
>> options, respectively).  After adding these entries (and the 
>> respective values for the revision attribute, as observed on a W2K8 
>> DC), I no longer receive the above adprep error message when running 
>> dcpromo.  A patch with these changes is also attached.
>>
>> After making the above changes, I can now run dcpromo to the point is 
>> starts configuring itself as a DC (pulling data from S4 or whatever 
>> steps it is actually doing under the hood).
>>
>> I now receive the following error before the actual dcpromo run can 
>> finish:
>>
>>> The operation failed because:
>>>
>>> An unknown error occurred while installing Active Directory
>>> Domain Services.
>>>
>>> "An error occurred while installing the directory service.  For more
>>> information, see the event log."
>>
>> Looking in the event log gives the following detail for Event ID 1523:
>>
>>> The Active Directory Domain Services schema cache load could not 
>>> convert the default security descriptor on the following schema class 
>>> object.  Security descriptor:
>>> D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA) 
>>>
>>> (OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW 
>>>
>>> ;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6- 
>>>
>>> 11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CI 
>>>
>>> IO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;C 
>>>
>>> IIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf; 
>>>
>>> 4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E 
>>>
>>> 5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;; 
>>>
>>> RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa 
>>>
>>> 003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;113 
>>>
>>> 1f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7 
>>>
>>> d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;CRRPWP;91e647de-d96f 
>>>
>>> -4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f8 
>>>
>>> 0367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) Schema class object:
>>> CN=Domain-DNS,CN=Schema,O=Boot  As a result, the schema cache load 
>>> will fail.  User Action Verify that the default security descriptor 
>>> on the class is valid. If it is not valid, change it to a correct 
>>> value.  Additional Data Error value:
>>> 1337 The security ID structure is invalid.
>>
>> I verified that the defaultSecurityDescriptor displayed in the error 
>> message is the same as the one included in the W2K8 schema we install. 
>> I also broke the defaultSecurityDescriptor down and inspected the 
>> components, and everything looks right.  I then tried changing the 
>> defaultSecurityDescriptor to something extremely simple ("D:S:"), but 
>> I still receive the exact same error (with the extremely long 
>> defaultSecurityDescriptor value).
>>
>> This is where I am currently stuck.  I am posting the progress I have 
>> made thus far in hopes that someone can either point me in the right 
>> direction or build on what I have done to get this working.
>>
>> Sincerely,
>> Andrew Kroeger
>>
> 
> 
> 
>

More information about the samba-technical mailing list