[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?
Michael Wood
esiotrot at gmail.com
Tue Apr 23 10:24:10 MDT 2013
On 23 April 2013 16:43, Pekka L.J. Jalkanen <pekka.jalkanen at vihreat.fi> wrote:
> Nothing. It just works. I can even explicitly change it to point to the
> Samba 4 DC and it still works.
>
> It is just Vista and newer RSATs that are the problem. And they also
> work just fine as long as the selected DC is the W2k3R2 DC...
Perhaps you could get a packet capture of the newer RSAT against the
Windows DC and another one against the Samba DC and attach them to a
bug report.
> Pekka L.J. Jalkanen
>
>
> On 23.4.2013 16:39, Hisham Attar wrote:
>> What does it say when you browse domain controllers OU for that DC using
>> the Ad users and computers snapin on the win2k3 dc?
>>
>>
>> On Tue, Apr 23, 2013 at 11:25 PM, Pekka L.J. Jalkanen
>> <pekka.jalkanen at vihreat.fi> wrote:
>>
>> Raising the functional level above 2003 doesn't sound like a good plan
>> as long as we still have to keep the Windows 2003 DC around. I don't
>> know about Samba, but RSAT wouldn't even let me do that.
>>
>> Also note that it is the Windows DC (CN=W2K3R2DC) that doesn't have this
>> attribute.
>>
>> I figured out that I should be able to download MS's adprep tools by
>> subscribing to Windows 2008 R2 trial. If nobody has better ideas I'll
>> just do that, and then try to run the various adprep commands. If Samba
>> truly functions like the 2008 R2, then these tools actually should've
>> been run anyway before adding Samba DCs to 2003 domains (see that
>> Technet article again).
>>
>> I really hope that the version of Windows Samba mimics would be better
>> documented, though... obviously none of this is a problem in a pure
>> Samba 4 environment, but many organisations migrating from Windows to
>> Samba are definitely not going to do so overnight, so the different DCs
>> must co-exist for quite some time. Also, people are most likely going to
>> run various different RSAT versions, so the compatibility of those is an
>> important factor, too.
>>
>>
>> Pekka L.J. Jalkanen
>>
>>
>> > On 23.4.2013 0:29, Hisham Attar wrote:
>> > That attribute is a 2008+ schema attribute, as far as I was aware when
>> > you provision with Samba your DC functionality is at 2008 R2 but
>> > forest/domain is at 2003 and can be raised to 2008 R2 try samba-tool
>> > domain level raise --domain 2008_R2 --forest 2008_R2 maybe that will add
>> > the attribute to the schema.
>> >
>> >
>> > On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen
>> > <pekka.jalkanen at vihreat.fi> wrote:
>> >
>> > Hello,
>> >
>> > We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
>> > Forest functional level is Windows 2000 native.
>> >
>> > I recently demoted (worked flawlessly now, which was a great relief),
>> > rebuilt and re-promoted my Samba 4 DC, as my problems that I posted to
>> > this list about two months ago were still unresolved (see
>> > https://lists.samba.org/archive/samba/2013-February/171898.html), and I
>> > thought that I might as well give it a shot.
>> >
>> > And yes, it all seems to work now. (I even got the rfc2307 uid/gid
>> > support working, finally! Doesn't matter a lot on a DC-only box, but
>> > still.)
>> >
>> > Everything, this far, except one thing: if
>> > 1. RSAT, specifically one shipped with Windows Vista or newer (older
>> > tools do not seem to be affected) is used to manage the domain,
>> > 2. Samba 4 DC is the domain controller that RSAT's AD User and Computers
>> > console connects to, and
>> > 3. one clicks the "Domain Controllers" OU in the tree
>> >
>> > then the following error message will result:
>> >
>> > "Data from Domain Controllers is not available from Domain Controller
>> > SAMBA4DC.mydomain.site because: An operations error occurred. Try again
>> > later, or choose another DC by selecting Connect to Domain Controller on
>> > the Domain context menu."
>> >
>> > At the same time the following is written to log.samba:
>> >
>> > "[2013/04/17 18:03:24, 0]
>> > ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>> > ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
>> > cannot find attr[msDS-isRODC] in of schema
>> >
>> > If the RSAT's AD Users & Computers console is deliberately changed to
>> > use our Windows DC, the problem disappears. The console reports DC
>> > version for the domain controllers as W2K3 for the Windows DC and as W2K
>> > for the Samba DC.
>> >
>> > Is this error expected? I find the error message in log.samba a bit
>> > peculiar, because it talks about msDS-isRODC attribute. But the way I
>> > see it there shouldn't even be anything RODC-related in the schema, as a
>> > prerequisite for any RODCs is Windows 2003 forest functional level, and
>> > even then the schema should be extended first (see
>> > http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
>> > for Microsoft's documentation).
>> >
>> > Because Samba doesn't really seem to support Windows 2000 functional
>> > level properly anymore (samba-tool domain level just showed the
>> > following error: "ERROR: Could not retrieve the actual domain, forest
>> > level and/or lowest DC function level!"), and we no longer had real
>> > reasons to stick to that, I tried to promote the forest.
>> >
>> > Now that failed too, and I had to demote Samba (so that Windows doesn't
>> > think it is just a W2k box), raise forest level on Windows, and then
>> > purge Samba's config and re-join it. (Simply running "samba-tool domain
>> > dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$
>> > appears to be an active DC, use 'samba-tool domain join' if you must
>> > re-create this account".)
>> >
>> > But: now the forest functional level *is* Windows 2003, RSAT AD User &
>> > Computers reports the Samba DC as W2k8 R2, and all this still didn't
>> > affect the actual RSAT / ldb: acl_read error at all. The issue is still
>> > reproducible!
>> >
>> > I don't know if running the MS adprep tool on the Windows DC would help
>> > (see the Technet article linked above), but that tool is anyway only
>> > shipped with Windows 2008, and I don't have that.
>> >
>> > Should I file a bug? Or is this error expected? Any experiences by
>> > people who regularly run newer RSATs? What about those that also have
>> > Windows DCs, like me?
>> >
>> > Thanks,
>> >
>> > Pekka L.J. Jalkanen
>> >
>> >
>> > PS. The Win 8 RSAT that I've been trying to use is actually hugely
>> > problematic, because there is no way to install the Server for NIS tools
>> > that are required for RFC2307 management, even though MS does claim
>> > (http://support.microsoft.com/kb/2693643) that those tools are still
>> > supported. I can't recommend it to anyone.
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>> >
>> >
>>
>>
>
--
Michael Wood <esiotrot at gmail.com>
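The thread turns on two facts that can be read straight out of the directory: whether the schema the DC serves actually defines msDS-isRODC (the attribute Samba's acl_read could not find), and what forest functional level msDS-Behavior-Version on the Partitions container reports. The following added example (not code from the Samba project or from anyone in this thread) parses an LDIF export of those objects, as produced by `ldbsearch` or `ldapsearch`, handling folded continuation lines and base64 (`::`) values, and reports the level plus any missing 2008-era attributes. The embedded LDIF and the `mydomain.site` naming context are constructed for illustration; the level-number table is the standard msDS-Behavior-Version mapping.

```python
"""Check an LDIF schema export for attributes a newer RSAT expects.

Added example: parse LDIF from ldbsearch/ldapsearch offline and report
(a) the forest functional level from msDS-Behavior-Version and
(b) which required attributeSchema entries are absent.
"""
import base64
from typing import Dict, List, Optional, Tuple

# Standard msDS-Behavior-Version values on the Partitions container.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
}

# msDS-isRODC is the attribute named in the log.samba line in the thread;
# extend this tuple with other 2008+ attributes you rely on.
REQUIRED_2008_ATTRIBUTES = ("msDS-isRODC",)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} records.

    Handles comment lines, folded continuation lines (leading space) and
    base64-encoded values written as 'attr:: <base64>'."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    logical: List[str] = []          # pieces of the line being unfolded

    def flush_line() -> None:
        if not logical:
            return
        line = "".join(logical)
        logical.clear()
        if line.startswith("#"):
            return
        name, sep, value = line.partition(":")
        if not sep:
            return
        if value.startswith(":"):      # base64 form: "attr:: <data>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)

    for raw in text.splitlines():
        if raw.startswith(" "):        # continuation of the previous line
            logical.append(raw[1:])
            continue
        flush_line()
        if raw.strip() == "":          # blank line ends a record
            if current:
                records.append(current)
                current = {}
        else:
            logical.append(raw)
    flush_line()
    if current:
        records.append(current)
    return records


def schema_attribute_names(records: List[Dict[str, List[str]]]) -> set:
    """Case-folded lDAPDisplayName of every attributeSchema object."""
    names = set()
    for rec in records:
        classes = {c.lower() for c in rec.get("objectClass", [])}
        if "attributeschema" in classes:
            names.update(n.lower() for n in rec.get("lDAPDisplayName", []))
    return names


def forest_level(records: List[Dict[str, List[str]]]) -> Optional[Tuple[int, str]]:
    """(number, name) from the first msDS-Behavior-Version seen, else None."""
    for rec in records:
        for v in rec.get("msDS-Behavior-Version", []):
            n = int(v)
            return n, FUNCTIONAL_LEVELS.get(n, f"unknown ({n})")
    return None


def check_schema(ldif_text: str, required=REQUIRED_2008_ATTRIBUTES) -> dict:
    """Report forest level and which required attributes the schema lacks."""
    records = parse_ldif(ldif_text)
    present = schema_attribute_names(records)
    return {"forest_level": forest_level(records),
            "missing": [a for a in required if a.lower() not in present]}


# Constructed sample: a 2000-level forest whose schema predates the 2008
# extensions (shaped like output of ldbsearch -H ldap://dc -b <schema NC>).
SAMPLE_LDIF_2003 = """\
# constructed sample export, not real directory data
dn: CN=Partitions,CN=Configuration,DC=mydomain,DC=site
objectClass: crossRefContainer
msDS-Behavior-Version: 0

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=mydomain,DC=site
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: sAMAccount
 Name
adminDescription:: U0FNIGFjY291bnQgbmFtZQ==
"""

# Same forest after raising the level and extending the schema (constructed).
SAMPLE_LDIF_2008_SCHEMA = SAMPLE_LDIF_2003.replace(
    "msDS-Behavior-Version: 0", "msDS-Behavior-Version: 2") + """
dn: CN=ms-DS-Is-RODC,CN=Schema,CN=Configuration,DC=mydomain,DC=site
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: msDS-isRODC
"""

if __name__ == "__main__":
    for label, text in (("schema before 2008 extension", SAMPLE_LDIF_2003),
                        ("schema after 2008 extension", SAMPLE_LDIF_2008_SCHEMA)):
        print(label, check_schema(text))
```

Run it against a real export by piping `ldbsearch`/`ldapsearch` output for the schema naming context together with the Partitions container into `check_schema`; a non-empty `missing` list on the Windows DC's schema is the condition the thread describes, and the level tuple tells you whether the forest is still at 0 (Windows 2000) where `samba-tool domain level` cannot report it.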