[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Wed Apr 24 08:18:10 MDT 2013


On 23.4.2013 19:24, Michael Wood wrote:
> On 23 April 2013 16:43, Pekka L.J. Jalkanen <pekka.jalkanen at vihreat.fi> wrote:
>> Nothing. It just works. I can even explicitly change it to point to the
>> Samba 4 DC and it still works.
>>
>> It is just Vista and newer RSATs that are the problem. And they also
>> work just fine as long as the selected DC is the W2k3R2 DC...
> 
> Perhaps you could get a packet capture of the newer RSAT against the
> Windows DC and another one against the Samba DC and attach them to a
> bug report.

I've now filed a ticket:
https://bugzilla.samba.org/show_bug.cgi?id=9828. Hopefully this helps!

There is only one continuous capture, as the RSAT ADUC snap-in always
seems to connect to the Windows DC first anyway (I assume that this is
due to the operations master roles, because all the krb5 tickets are
actually issued by the Samba DC), so if I'd try to purge krb5 tickets
in-between the tests and re-connect before switching DCs to take another
capture, it'd connect to the Windows DC anyway. But there are only three
different IPs in the capture anyway (My RSAT box and the two DCs), and
I've only captured ports 88 and 389, so it shouldn't be too hard to
follow what's happening.

While I do think that this is a bug I also think that I'm going to test
the adprep tool anyway, as it shouldn't really damage anything... MS
says that if I were to install Windows 2008 R2 DCs, I should run it
anyway, so it really shouldn't hurt.


Pekka L.J. Jalkanen
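As an added diagnostic example (not from this thread or from the Samba project): the script below parses an LDIF dump of the schema and domain partitions (as saved from ldbsearch or ldapsearch output) and reports whether an attributeSchema object for a given lDAPDisplayName such as msDS-isRODC is present, and which functional level the msDS-Behavior-Version value on a given DN records. The embedded LDIF is a constructed sample, not a capture from any real domain.

```python
# msDS-Behavior-Version values as documented by Microsoft for domain/forest functional levels.
BEHAVIOR_LEVELS = {0: "Windows 2000", 1: "Windows 2003 interim", 2: "Windows 2003",
                   3: "Windows 2008", 4: "Windows 2008 R2", 5: "Windows 2012",
                   6: "Windows 2012 R2", 7: "Windows 2016"}

def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> values; unfolds LDIF continuation lines."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def schema_has_attribute(entries, ldap_display_name):
    """True if an attributeSchema object with this lDAPDisplayName is present in the dump."""
    return any("attributeschema" in [c.lower() for c in e.get("objectclass", [])]
               and e.get("ldapdisplayname", [""])[0].lower() == ldap_display_name.lower()
               for e in entries)

def functional_level(entries, dn):
    """(version, name) from msDS-Behavior-Version on the entry with this DN, or None if absent."""
    for e in entries:
        if e.get("dn", [""])[0].lower() == dn.lower() and "msds-behavior-version" in e:
            ver = int(e["msds-behavior-version"][0])
            return ver, BEHAVIOR_LEVELS.get(ver, "unknown")
    return None

# Constructed sample dump: one schema attribute present, msDS-isRODC deliberately absent,
# domain head at behaviour version 0 (the "Windows 2000 native" level from the thread).
SAMPLE_LDIF = """dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=mydomain,DC=site
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName

dn: DC=mydomain,DC=site
objectClass: domainDNS
msDS-Behavior-Version: 0
"""

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("msDS-isRODC in schema:", schema_has_attribute(ents, "msDS-isRODC"))
    print("domain functional level:", functional_level(ents, "DC=mydomain,DC=site"))
```

The forest level lives on CN=Partitions,CN=Configuration,<domain DN> and can be read with the same functional_level() call once that entry is included in the dump.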


>> On 23.4.2013 16:39, Hisham Attar wrote:
>>> What does it say when you browse domain controllers OU for that DC using
>>> the Ad users and computers snapin on the win2k3 dc?
>>>
>>>
>>> On Tue, Apr 23, 2013 at 11:25 PM, Pekka L.J. Jalkanen
>>> <pekka.jalkanen at vihreat.fi> wrote:
>>>
>>>     Raising the functional level above 2003 doesn't sound like a good plan
>>>     as long as we still have to keep the Windows 2003 DC around. I don't
>>>     know about Samba, but RSAT wouldn't even let me do that.
>>>
>>>     Also note that it is the Windows DC (CN=W2K3R2DC) that doesn't have this
>>>     attribute.
>>>
>>>     I figured out that I should be able to download MS's adprep tools by
>>>     subscribing to Windows 2008 R2 trial. If nobody has better ideas I'll
>>>     just do that, and then try to run the various adprep commands. If Samba
>>>     truly functions like the 2008 R2, then these tools actually should've
>>>     been run anyway before adding Samba DCs to 2003 domains (see that
>>>     Technet article again).
>>>
>>>     I really hope that the version of Windows Samba mimics would be better
>>>     documented, though... obviously none of this is a problem in a pure
>>>     Samba 4 environment, but many organisations migrating from Windows to
>>>     Samba are definitely not going to do so overnight, so the different DCs
>>>     must co-exist for quite some time. Also, people are most likely going to
>>>     run various different RSAT versions, so the compatibility of those is an
>>>     important factor, too.
>>>
>>>
>>>     Pekka L.J. Jalkanen
>>>
>>>
>>>     On 23.4.2013 0:29, Hisham Attar wrote:
>>>     > That attribute is a 2008+ schema attribute. As far as I was aware, when
>>>     > you provision with Samba your DC functionality is at 2008 R2 but
>>>     > forest/domain is at 2003 and can be raised to 2008 R2. Try "samba-tool
>>>     > domain level raise --domain 2008_R2 --forest 2008_R2"; maybe that will add
>>>     > the attribute to the schema.
>>>     >
>>>     >
>>>     > On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen
>>>     > <pekka.jalkanen at vihreat.fi> wrote:
>>>     >
>>>     >     Hello,
>>>     >
>>>     >     We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
>>>     >     Forest functional level is Windows 2000 native.
>>>     >
>>>     >     I recently demoted (worked flawlessly now, which was a great relief),
>>>     >     rebuilt and re-promoted my Samba 4 DC, as my problems that I posted to
>>>     >     this list about two months ago were still unresolved (see
>>>     >     https://lists.samba.org/archive/samba/2013-February/171898.html), and I
>>>     >     thought that I might as well give it a shot.
>>>     >
>>>     >     And yes, it all seems to work now. (I even got the rfc2307 uid/gid
>>>     >     support working, finally! Doesn't matter a lot on a DC-only box, but
>>>     >     still.)
>>>     >
>>>     >     Everything, this far, except one thing: if
>>>     >     1. RSAT, specifically one shipped with Windows Vista or newer (older
>>>     >     tools do not seem to be affected) is used to manage the domain,
>>>     >     2. Samba 4 DC is the domain controller that RSAT's AD User and Computers
>>>     >     console connects to, and
>>>     >     3. one clicks the "Domain Controllers" OU in the tree
>>>     >
>>>     >     then the following error message will result:
>>>     >
>>>     >     "Data from Domain Controllers is not available from Domain Controller
>>>     >     SAMBA4DC.mydomain.site because: An operations error occurred. Try again
>>>     >     later, or choose another DC by selecting Connect to Domain Controller on
>>>     >     the Domain context menu."
>>>     >
>>>     >     At the same time the following is written to log.samba:
>>>     >
>>>     >     "[2013/04/17 18:03:24,  0]
>>>     >     ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>>>     >       ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
>>>     >     cannot find attr[msDS-isRODC] in of schema"
>>>     >
>>>     >     If the RSAT's AD Users & Computers console is deliberately changed to
>>>     >     use our Windows DC, the problem disappears. The console reports DC
>>>     >     version for the domain controllers as W2K3 for the Windows DC and as W2K
>>>     >     for the Samba DC.
>>>     >
>>>     >     Is this error expected? I find the error message in log.samba a bit
>>>     >     peculiar, because it talks about the msDS-isRODC attribute. But the way I
>>>     >     see it there shouldn't even be anything RODC-related in the schema, as a
>>>     >     prerequisite for any RODCs is Windows 2003 forest functional level, and
>>>     >     even then the schema should be extended first (see
>>>     >     http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
>>>     >     for Microsoft's documentation).
>>>     >
>>>     >     Because Samba doesn't really seem to support Windows 2000 functional
>>>     >     level properly anymore (samba-tool domain level just showed the
>>>     >     following error: "ERROR: Could not retrieve the actual domain, forest
>>>     >     level and/or lowest DC function level!"), and we no longer had real
>>>     >     reasons to stick to that, I tried to promote the forest.
>>>     >
>>>     >     Now that failed too, and I had to demote Samba (so that Windows doesn't
>>>     >     think it is just a W2k box), raise forest level on Windows, and then
>>>     >     purge Samba's config and re-join it. (Simply running "samba-tool domain
>>>     >     dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$
>>>     >     appears to be an active DC, use 'samba-tool domain join' if you must
>>>     >     re-create this account".)
>>>     >
>>>     >     But: now the forest functional level *is* Windows 2003, RSAT AD User &
>>>     >     Computers reports the Samba DC as W2k8 R2, and all this still didn't
>>>     >     affect the actual RSAT / ldb: acl_read error at all. The issue is still
>>>     >     reproducible!
>>>     >
>>>     >     I don't know if running the MS adprep tool on the Windows DC would help
>>>     >     (see the Technet article linked above), but that tool is anyway only
>>>     >     shipped with Windows 2008, and I don't have that.
>>>     >
>>>     >     Should I file a bug? Or is this error expected? Any experiences by
>>>     >     people who regularly run newer RSATs? What about those that also have
>>>     >     Windows DCs, like me?
>>>     >
>>>     >     Thanks,
>>>     >
>>>     >     Pekka L.J. Jalkanen
>>>     >
>>>     >
>>>     >     PS. The Win 8 RSAT that I've been trying to use is actually hugely
>>>     >     problematic, because there is no way to install the Server for NIS tools
>>>     >     that are required for RFC2307 management, even though MS does claim
>>>     >     (http://support.microsoft.com/kb/2693643) that those tools are still
>>>     >     supported. I can't recommend it to anyone.
>>>     >     --
>>>     >     To unsubscribe from this list go to the following URL and read the
>>>     >     instructions:  https://lists.samba.org/mailman/options/samba
>>>     >
>>>     >
>>>
>>>
>>