[Samba] Domain Functional Level & Schema Replication

Rowland Penny rowlandpenny at googlemail.com
Sat Jul 19 02:24:55 MDT 2014 

On 19/07/14 02:53, Stuart Naylor wrote:
> Apols guys about the Thread question. I saw a discussion between Roland and Steve and was just trying to get more info.
>
> So apols about hijacking an old thread as it was a bad attempt to nudge a conversion.
>
> Firstly could anybody explain why the last line out of samba-tool domain level show.
>
> Is this just a bad message or what is triggering "Lowest function level of a DC: (Windows) 2008 R2"
>
> One of the most important things for me about Samba4 is extensibility and rfc2307 with AD and this crazy miss mash of M$ & Unix is a very rare route that allows all clients.
>
> So I would really appreciate it if somebody could spell out any gotcha's with domain functionality & schema replication.
>
> This is where I start to get confused as its with subsequent ADC's and also just the terminology that is used sometimes.
>
> So some scenario's...
>
>
> 1...   PDC Windows 2003 with Samba4 ADC with a functional domain level of 2003.
>
> The Samba4 ADC runs Unix services which require LDAP access with rfc2307 attributes.
>
> 2003 didn't get rfc2307 until 2003r2 so this is a bit of a no go as the samba4 box will of replicated the schema from the Windows 2003 box.
>
> So I guess you could add  Windows Services for UNIX Version 3.5 (http://www.microsoft.com/en-gb/download/details.aspx?id=274) to the 2003 box.
> This will replicate a limited subset of rfc2307 to my samba4 box (anyone know the gotcha's between this and the 2008r2 rfc2307 schema) ?

This wouldn't help, you need to add 'server for NIS'

> Then my next question is can we not add the schema requirements for 2008r2 rfc2307 to my samba4 box and just let this replicate to the 2003 box?

It is already there and as such should replicate to the 2008r2 box.

>
> Probably a stupid question but anyone providing solutions with Samba4 that might use linux services requiring rfc2307 has a nightmare is joining existing domains.
> 2003, 2008 could be really problematic and this makes the extensibility of Samba4 much less.

 From memory, there haven't been that many windows domain joining 
problems reported and when they have been reported, they have mostly 
been fixed.

> Also I have to ask when it comes to domain provisions but what happened to 2003r2?

Good question, perhaps 2003 should be read as 2003r2.

Rowland

> I presume a lot of this is due to Redmond Herrings but can anyone see why I am slightly confused?
>
> Stuart
>   
>   
> -----Original message-----
>> From:steve <steve at steve-ss.com>
>> Sent: Friday 18th July 2014 11:13
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
>>
>> On Fri, 2014-07-18 at 01:38 +0100, Stuart Naylor wrote:
>>> Oh I think I must of misread what you and steve where discussing.
>>>
>>> What is confusing me is the output of samba-tool domain level show
>>>
>>> Forest function level: (Windows) 2003
>>> Domain function level: (Windows) 2003
>>> Lowest function level of a DC: (Windows) 2008 R2
>>>
>>> I thought it might of been because rfc2307 schema included was of 2008r2 ilk.
>>>
>>> Why does it always say the lowest function level is (Windows) 2008 R2
>>>
>>> I just tried samba-tool domain provision --domain=SAMBA4  --adminpass=Mysamba4 --dns-backend=SAMBA_INTERNAL --server-role=dc --function-level=2003 --use-xattr=yes --realm=SAMBA4.LAN
>>>
>>> The output is the same as above.
>>>
>>> Always Lowest function level of a DC: (Windows) 2008 R2
>>>
>>> Stuart
>> Hi Stuart
>> The answer to your thread question is, 'no'.
>> This is because the schema which is supplied for use with samba4 is the
>> same schema that the smaba team battled with microsoft to release back a
>> few years back. It was the 2008R2 schema which has full support for
>> rfc2307. The domain level have always puzzled me too, but we've alsways
>> been satisfied with. The rfc2307 provision simply adds the schema
>> extension for sfu which was mysteriously missing. All this does is to
>> activate the unix tab on ADUC. On Linux with samba-tool and ldbmodify,
>> you don't need it. But as it seems to do no harm, you may as well have
>> it anyway. I don't know how it slipped through in the first place
>> although I guess that m$ may have had something to do with it.
>> Cheers,
>> Steve
>>
>>
>>
>>

More information about the samba mailing list