[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

Hisham Attar hashi825 at gmail.com
Mon Apr 22 15:29:10 MDT 2013

That attribute is a 2008+ schema attribute; as far as I was aware, when you
provision with Samba your DC functionality is at 2008 R2 but forest/domain
is at 2003 and can be raised to 2008 R2. Try samba-tool domain level raise
--domain 2008_R2 --forest 2008_R2; maybe that will add the attribute to the

On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen <
pekka.jalkanen at vihreat.fi> wrote:

> Hello,
> We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
> Forest functional level is Windows 2000 native.
> I recently demoted (worked flawlessly now, which was a great relief),
> rebuilt and re-promoted my Samba 4 DC, as my problems that I posted to
> this list about two months ago were still unresolved (see
> https://lists.samba.org/archive/samba/2013-February/171898.html), and I
> thought that I might as well give it a shot.
> And yes, it all seems to work now. (I even got the rfc2307 uid/gid
> support working, finally! Doesn't matter a lot on a DC-only box, but
> still.)
> Everything, this far, except one thing: if
> 1. RSAT, specifically one shipped with Windows Vista or newer (older
> tools do not seem to be affected) is used to manage the domain,
> 2. Samba 4 DC is the domain controller that RSAT's AD User and Computers
> console connects to, and
> 3. one clicks the "Domain Controllers" OU in the tree
> then the following error message will result:
> "Data from Domain Controllers is not available from Domain Controller
> SAMBA4DC.mydomain.site because: An operations error occurred. Try again
> later, or choose another DC by selecting Connect to Domain Controller on
> the Domain context menu."
> At the same time the following is written to log.samba:
> "[2013/04/17 18:03:24,  0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>   ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
> cannot find attr[msDS-isRODC] in of schema"
> If the RSAT's AD Users & Computers console is deliberately changed to
> use our Windows DC, the problem disappears. The console reports DC
> version for the domain controllers as W2K3 for the Windows DC and as W2K
> for the Samba DC.
> Is this error expected? I find the error message in log.samba a bit
> peculiar, because it talks about msDS-isRODC attribute. But the way I
> see it there shouldn't even be anything RODC-related in the schema, as a
> prerequisite for any RODCs is Windows 2003 forest functional level, and
> even then the schema should be extended first (see
> http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
> for Microsoft's documentation).
> Because Samba doesn't really seem to support Windows 2000 functional
> level properly anymore (samba-tool domain level just showed the
> following error: "ERROR: Could not retrieve the actual domain, forest
> level and/or lowest DC function level!"), and we no longer had real
> reasons to stick to that, I tried to promote the forest.
> Now that failed too, and I had to demote Samba (so that Windows doesn't
> think it is just a W2k box), raise forest level on Windows, and then
> purge Samba's config and re-join it. (Simply running "samba-tool domain
> dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$
> appears to be an active DC, use 'samba-tool domain join' if you must
> re-create this account".)
> But: now the forest functional level *is* Windows 2003, RSAT AD User &
> Computers reports the Samba DC as W2k8 R2, and all this still didn't
> affect the actual RSAT / ldb: acl_read error at all. The issue is still
> reproducible!
> I don't know if running the MS adprep tool on the Windows DC would help
> (see the Technet article linked above), but that tool is anyway only
> shipped with Windows 2008, and I don't have that.
> Should I file a bug? Or is this error expected? Any experiences by
> people who regularly run newer RSATs? What about those that also have
> Windows DCs, like me?
> Thanks,
> Pekka L.J. Jalkanen
> PS. The Win 8 RSAT that I've been trying to use is actually hugely
> problematic, because there is no way to install the Server for NIS tools
> that are required for RFC2307 management, even though MS does claim
> (http://support.microsoft.com/kb/2693643) that those tools are still
> supported. I can't recommend it to anyone.