[Samba] Is it possible to lower the domain and forest functional level

Christophe Borivant cborivant at devinlec.com
Tue Feb 20 14:10:08 UTC 2018


After some research, I found that there is a RFC for those attributes.
The class is DUAConfigProfile.
The RFC is defined here https://tools.ietf.org/html/rfc4876

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "samba" <samba at lists.samba.org>
À: "Andrew Bartlett" <abartlet at samba.org>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Mardi 20 Février 2018 11:37:54
Objet: Re: [Samba] Is it possible to lower the domain and forest functional level

Hi Andrew,

Thanks to your input, I've been able to run the samba_upgradeprovision script.
But the full oprion fails with :

Creating a reference provision
WARNING: no network interfaces found
No IPv4 address will be assigned
WARNING: no network interfaces found
No IPv6 address will be assigned
Update base samdb by searching difference with reference one
Starting update of samdb
There are 125 missing objects
Reloading a merged schema, which might trigger reindexing so please be patient
Unable to convert 1.3.6.1.4.1.11.1.3.1.1.5 to an attid, and can_change_pfm=false!
../source4/dsdb/schema/schema_init.c:669: 'followReferrals': unable to map attributeID 1.3.6.1.4.1.11.1.3.1.1.5: WERR_NOT_FOUND
Exception during upgrade of samdb:
Traceback (most recent call last):
  File "./source4/scripting/bin/samba_upgradeprovision", line 1150, in update_partition
    reload_full_schema(samdb, names)
  File "./source4/scripting/bin/samba_upgradeprovision", line 1073, in reload_full_schema
    dsdb._dsdb_set_schema_from_ldif(samdb, prefixmap_ldif, schema_ldif, schemadn)
WERRORError: (1168, 'WERR_NOT_FOUND')
Update failed
Rolling back all changes. Check the cause of the problem
Your system is as it was before the upgrade

This attribute comes from an extension for HP-UX (ldapux) which allows me to identify my HPUX users.
I also have other attributes coming from the deprecated MSFU3.5 but We don't use those attributes anymore.

Do you think the samba_upgradeprovision without --full option would be enough ? I don't really uderstand the difference between with and without this option.

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Andrew Bartlett" <abartlet at samba.org>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Lundi 19 Février 2018 19:52:09
Objet: Re: [Samba] Is it possible to lower the domain and forest functional level

On Mon, 2018-02-19 at 19:07 +0100, Christophe Borivant wrote:
> I made a try translating the group names one by one in the setup/provision_users.ldif file.
> The first groups went OK but when I translate "Incoming Forest Trust Builders" by "Générateurs d'approbations de forêt entrante",
> I get this error from the script :
> Traceback (most recent call last):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1714, in <module>
>     schema, schemareloadclosure):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1360, in update_samdb
>     schema, provisionUSNs, prereloadfunc)
>   File "source4/scripting/bin/samba_upgradeprovision", line 1145, in update_partition
>     add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
>   File "source4/scripting/bin/samba_upgradeprovision", line 757, in add_missing_entries
>     hashMissing, index)
>   File "source4/scripting/bin/samba_upgradeprovision", line 616, in add_missing_object
>     controls=["search_options:1:2"])
> _ldb.LdbError: (1, 'Unable to parse search expression')
> 
> Could the "ê" be a problem or the length of the string ?

The issue is that this script was never tested with non-ascii names. 
Each instance of 

"(distinguishedName=%s) % user_dn

 in the script needs to be updated to be:

"(distinguishedName=%s)" % ldb.binary_encode(user_dn)

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



More information about the samba mailing list