[Samba] Is it possible to lower the domain and forest functional level

Christophe Borivant cborivant at devinlec.com
Mon Feb 19 18:07:12 UTC 2018 

I made a try translating the group names one by one in the setup/provision_users.ldif file.
The first groups went OK but when I translate "Incoming Forest Trust Builders" by "Générateurs d'approbations de forêt entrante",
I get this error from the script :
Traceback (most recent call last):
  File "source4/scripting/bin/samba_upgradeprovision", line 1714, in <module>
    schema, schemareloadclosure):
  File "source4/scripting/bin/samba_upgradeprovision", line 1360, in update_samdb
    schema, provisionUSNs, prereloadfunc)
  File "source4/scripting/bin/samba_upgradeprovision", line 1145, in update_partition
    add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
  File "source4/scripting/bin/samba_upgradeprovision", line 757, in add_missing_entries
    hashMissing, index)
  File "source4/scripting/bin/samba_upgradeprovision", line 616, in add_missing_object
    controls=["search_options:1:2"])
_ldb.LdbError: (1, 'Unable to parse search expression')

Could the "ê" be a problem or the length of the string ?

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Andrew Bartlett" <abartlet at samba.org>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Vendredi 16 Février 2018 18:49:08
Objet: Re: [Samba] Is it possible to lower the domain and forest functional level

On Fri, 2018-02-16 at 12:43 +0100, Christophe Borivant wrote:
> Hi Andrew,
> 
> Thanks for your answer. I gave a try with  source4/scripting/bin/samba_upgradeprovision  --full.
> Of course I did it on a virtual machine clone of our dc without network interface.
> 
> The script fails with :
> ../lib/ldb/ldb_tdb/ldb_index.c:1252: unique index violation on objectSid in CN=Account Operators,CN=Builtin,DC=removed,DC=com, conficts with CN=Op?rateurs de compte,CN=Builtin,DC=removed,DC=com in @INDEX:OBJECTSID::AQIAAAAAAAUgAAAAJAIAAA==

Very interesting.  You can see why I don't normally suggest this tool.

> So it seems to be because the account name is french and not English.
> Do you know were I could find those strings to translate ?

You could either rename those system users back to English (for now) in
 the database, or to change the template see the files in setup/ in
your install tree. 

You would notice that skipping --full makes it less aggressive, but
perhaps not enough. 

Finally, you could use the new samba-tool domain schmeaupgrade in Samba
4.8 to try and upgrade the schema using the adprep ldif files (these
are on the web).

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list