status of DRS efforts in Samba4 (and a developer tutorial)

Matthias Dieter Wallnöfer mdw at
Wed Sep 23 06:19:31 MDT 2009

Andrew Kroeger schrieb:
> Matthias Dieter Wallnöfer wrote:
>> Andrew Kroeger,
>> your work is highly appreciated. I applied your patches in a slightly 
>> different version...
> Matthias:
> My contributions are mine, as are yours!
> I have looked at your Git repository and you must separate my 
> contributions from yours!!  If you do not, it looks like I have 
> submitted my changes as well as yours, all as part of my contribution.
> Please take my submitted patches and commit your additions as 
> additional patches on top of them.
To be honest, I don't see it as a major issue that I adapted your patch a 
little bit. I didn't like the place where you inserted the objects, since 
I prefer to keep an ordering in the LDIFs (I worked hard over the summer 
to introduce this).
Well, the comments - okay - I could put them in a standalone commit.

If you are *very* unhappy with my changed patch (I also kept your name - 
since the innovation is from you) - I can rework it (split it up). 
Anyway, next time I will comment if I don't like something in your 
patches and let you correct it before I take it.

Matthias Dieter Wallnöfer
> Thank you!
> Andrew Kroeger
>> to my personal branch - since this week I agreed with
>> abartlet and tridge to not push directly to "master" (as you may 
>> know: they perform important tests in the MS labs and prefer a stable 
>> release).
>> But afterwards I hope to merge it soon.
>> As I already told you in a recent email: if you have some interest to 
>> continue to work on the password policies in s4 please tell me. 
>> Otherwise I'll try to do it sooner or later.
>> Greets,
>> Matthias
>> Andrew Kroeger schrieb:
>>> tridge at wrote:
>>>> ---------------------------------------------
>>>> - join w2k8 to samba4 dc
>>>> We've been concentrating up to now on Samba4<->Samba4 replication, and
>>>> Samba4<->Windows replication where the Samba4 server joins the Windows
>>>> domain. A more difficult problem is making it work when you start with
>>>> a Samba4 domain (from provision, or from vampiring a Windows domain)
>>>> and then try to add another Windows DC by using dcpromo. This is
>>>> currently failing with an obscure error at the end of the dcpromo
>>>> process.
>>> All:
>>> I did some work on this and made some progress, but I now find 
>>> myself stuck and cannot figure out what is happening.  My initial 
>>> attempt at running dcpromo under W2K8 server ended with the error 
>>> message:
>>>> To install a domain controller into this Active Directory forest, you
>>>> must first prepare the forest using "adprep /forestprep".  The
>>>> Adprep utility is available on the Windows 2008 Server installation
>>>> media in the \sources\adprep folder.
>>> I looked through the samba.log and was able to determine the LDAP 
>>> queries dcpromo was using to determine that adprep needed to run.  
>>> Based on a comparison of those LDAP queries against an S4 DC and a 
>>> W2K8 DC, I found two issues:
>>> 1.  The objectVersion attributes of ${SCHEMADN} were different. We 
>>> had it set to 30 (W2K3 schema version) while the W2K8 DC had 44 
>>> (W2K8 schema).  After changing our objectVersion to 44 (we are using 
>>> a W2K8 schema after all), the error still occurred.  Patch for this 
>>> change is attached.
>>> 2.  I found three LDAP entries that dcpromo queried for that were 
>>> present on the W2K8 DC, but not present on the S4 DC.  These values 
>>> are:
>>> - CN=ActiveDirectoryUpdate,CN=ForestUpdates,${CONFIGDN}
>>> - CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,${DOMAINDN}
>>> - CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
>>> After some additional research, I found that these entries are 
>>> created by the adprep utility (for the /forestprep, /domainprep and 
>>> /rodcprep options, respectively).  After adding these entries (and 
>>> the respective values for the revision attribute, as observed on a 
>>> W2K8 DC), I no longer receive the above adprep error message when 
>>> running dcpromo.  A patch with these changes is also attached.
>>> After making the above changes, I can now run dcpromo to the point 
>>> it starts configuring itself as a DC (pulling data from S4 or 
>>> whatever steps it is actually doing under the hood).
>>> I now receive the following error before the actual dcpromo run can 
>>> finish:
>>>> The operation failed because:
>>>> An unknown error occurred while installing Active Directory
>>>> Domain Services.
>>>> "An error occurred while installing the directory service.  For more
>>>> information, see the event log."
>>> Looking in the event log gives the following detail for Event ID 1523:
>>>> The Active Directory Domain Services schema cache load could not
>>>> convert the default security descriptor on the following schema
>>>> class object.
>>>> Security descriptor:
>>>> D:(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RPRC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(A;;LCRPLORC;;;ED)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;CIIO;RPLCLORC;;4828CC14-1437-45bc-9B07-AD6F015E5F28;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;CIIO;CRRPWP;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)S:(AU;SA;WDWOWP;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>> Schema class object: CN=Domain-DNS,CN=Schema,O=Boot
>>>> As a result, the schema cache load will fail.
>>>> User Action: Verify that the default security descriptor on the class
>>>> is valid. If it is not valid, change it to a correct value.
>>>> Additional Data: Error value: 1337 The security ID structure is invalid.
>>> I verified that the defaultSecurityDescriptor displayed in the error 
>>> message is the same as the one included in the W2K8 schema we 
>>> install. I also broke the defaultSecurityDescriptor down and 
>>> inspected the components, and everything looks right.  I then tried 
>>> changing the defaultSecurityDescriptor to something extremely simple 
>>> ("D:S:"), but I still receive the exact same error (with the 
>>> extremely long defaultSecurityDescriptor value).
>>> This is where I am currently stuck.  I am posting the progress I 
>>> have made thus far in hopes that someone can either point me in the 
>>> right direction or build on what I have done to get this working.
>>> Sincerely,
>>> Andrew Kroeger

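Added example for this thread (editor's code, not from any of the posters and not Samba's own code): a structural checker for SDDL strings of the kind quoted in the Event ID 1523 text above, automating the "broke the defaultSecurityDescriptor down and inspected the components" step. It splits the O:/G:/D:/S: sections, walks every ACE and validates the type, flags, rights codes, GUIDs and trustee (well-known two-letter abbreviation or literal S-1-... SID, the structure that ERROR_INVALID_SID, 1337, complains about). The code tables are subsets of the SDDL vocabulary (assumption: sufficient for this descriptor), and the sample input is a constructed excerpt of the quoted descriptor plus two deliberately corrupted copies.

```python
"""Structural check of an SDDL string such as a schema class's
defaultSecurityDescriptor.  Added example, not Samba code.  Assumption: the
code tables below are subsets of the SDDL vocabulary; extend as needed."""
import re

# Two-letter well-known trustee abbreviations (subset).
WELL_KNOWN_TRUSTEES = {
    "AN", "AO", "AU", "BA", "BG", "BO", "BU", "CA", "CG", "CO", "DA", "DC",
    "DD", "DG", "DU", "EA", "ED", "IU", "LA", "LG", "LS", "NO", "NS", "NU",
    "PA", "PO", "PS", "PU", "RC", "RD", "RE", "RS", "RU", "SA", "SO", "SY", "WD",
}
ACE_TYPES = {"A", "D", "AU", "AL", "OA", "OD", "OU", "OL", "ML"}
ACE_FLAGS = {"CI", "OI", "NP", "IO", "ID", "SA", "FA"}
RIGHTS = {"GA", "GR", "GW", "GX", "RC", "SD", "WD", "WO", "RP", "WP", "CC", "DC",
          "LC", "SW", "LO", "DT", "CR", "FA", "FR", "FW", "FX", "KA", "KR", "KW", "KX"}
ACL_FLAGS_RE = re.compile(r"^(?:P|AR|AI)*$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^0x[0-9a-f]+$", re.I)


def _codes(field, allowed, what, problems):
    """Check a run of two-letter codes; report half codes and unknown ones."""
    if len(field) % 2:
        problems.append("%s %r has odd length" % (what, field))
        return
    for i in range(0, len(field), 2):
        if field[i:i + 2] not in allowed:
            problems.append("%s %r: unknown code %r" % (what, field, field[i:i + 2]))


def check_ace(ace):
    """Return the problems found in one ACE body (the text between parentheses)."""
    fields = ace.split(";")
    if len(fields) != 6:  # conditional/resource ACEs carry more; none expected here
        return ["ACE (%s) has %d fields, expected 6" % (ace, len(fields))]
    atype, aflags, rights, obj_guid, inh_guid, trustee = fields
    problems = []
    if atype not in ACE_TYPES:
        problems.append("ACE (%s): unknown type %r" % (ace, atype))
    _codes(aflags, ACE_FLAGS, "ACE flags", problems)
    if not HEX_RE.match(rights):  # rights may also be given as a hex access mask
        _codes(rights, RIGHTS, "rights", problems)
    for name, guid in (("object GUID", obj_guid), ("inherit-object GUID", inh_guid)):
        if guid and not GUID_RE.match(guid):
            problems.append("ACE (%s): malformed %s %r" % (ace, name, guid))
    if trustee not in WELL_KNOWN_TRUSTEES and not SID_RE.match(trustee):
        problems.append("ACE (%s): invalid trustee %r" % (ace, trustee))
    return problems


def check_acl(body):
    """Parse the body of a D: or S: section; return (ace_count, problems)."""
    problems, count, pos = [], 0, 0
    start = body.find("(")
    flags, rest = (body, "") if start < 0 else (body[:start], body[start:])
    if not ACL_FLAGS_RE.match(flags):
        problems.append("bad ACL flags %r" % flags)
    while pos < len(rest):
        end = rest.find(")", pos)
        if rest[pos] != "(" or end < 0:
            problems.append("stray text at offset %d: %r" % (pos, rest[pos:pos + 24]))
            break
        problems.extend(check_ace(rest[pos + 1:end]))
        count, pos = count + 1, end + 1
    return count, problems


def check_sddl(sddl):
    """Return (dacl_ace_count, sacl_ace_count, problems) for a whole SDDL string."""
    parts = re.split(r"([OGDS]):", sddl)
    problems = [] if parts[0] == "" else ["text before first section: %r" % parts[0]]
    sections = {}
    for tag, body in zip(parts[1::2], parts[2::2]):
        if tag in sections:
            problems.append("duplicate %s: section" % tag)
        sections[tag] = body
    counts = {}
    for tag in ("D", "S"):
        counts[tag], more = check_acl(sections.get(tag, ""))
        problems.extend(more)
    return counts["D"], counts["S"], problems


# Constructed sample: a few ACEs copied from the defaultSecurityDescriptor in the
# event-log text above, covering plain, object, literal-SID and SACL ACEs.
SAMPLE = (
    "D:(A;;RP;;;WD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)"
    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)"
    "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)"
    "S:(AU;SA;WDWOWP;;;WD)"
    "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)
# Corrupted copies: the space a mail-archive line wrap inserts into a GUID, and a cut-short SID.
WRAPPED_GUID = SAMPLE.replace("0000f80367c1", "0000f8 0367c1")
SHORT_SID = SAMPLE.replace("S-1-5-32-557", "S-1-5-32-")

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("wrapped", WRAPPED_GUID), ("short-sid", SHORT_SID)):
        dacl, sacl, problems = check_sddl(text)
        print("%-9s DACL=%d SACL=%d %s" % (label, dacl, sacl, problems or "ok"))
```

A clean result from this checker narrows the problem rather than solving it: the string is well-formed SDDL as stored, so a 1337 on the Windows side points at how the DC resolves the descriptor (the value it actually reads, or the SIDs it tries to build from it) rather than at the syntax of the value in the schema LDIF.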
More information about the samba-technical mailing list