[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]

Andrew Bartlett abartlet at samba.org
Mon Jun 24 09:00:01 UTC 2019


On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
> UNOFFICIAL
> Hi
> 
> Today I demoted the temporary DC (Julius) on my network.
> 
> The demotion failed.
> 
> Failed to confirm we are not an RODC ... cannot find attribute msDS-isRODC
> 
> So I shut down Julius and forced the demotion.
> 
> The domain seems stable until I tried LDAP authentication which
> fails.
> 
> The samba log says:
> 
> Error 32 determining PSOs in system.
> 
> I can't seem to find anything on this error.
> 
> Any idea how I fix this?
> 
> I cloned the disks on both DCs before demotion, so I can just go
> back. Should I?

Sorry about that. The issue is that Samba expects a container for
PSOs, but that is a newer AD feature and your 2003 server never created
it.

The container is:
CN=Password Settings Container,CN=System,$DOMAIN_DN

The code should cope with 32 (no such object) as very good proof there
are no PSOs. 

This isn't an issue upgrading pure Samba domains (everything since
before 4.0.0 has this) but Windows of course is older.

Options include fixing the code (please file a bug and hopefully Tim
can look at it) and creating the missing container.  The template Samba
uses is pretty simple:

+dn: CN=Password Settings Container,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: msDS-PasswordSettingsContainer
+systemFlags: -1946157056
+

The final option is to use a Samba version from before PSOs were
implemented, which would be 4.8 I think, but that isn't a long-term
option.

I hope this helps!

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
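
The following is an added example, not part of the original message and not Samba's own code. It fills the `${DOMAINDN}` placeholder of the template quoted above for a given realm, decodes the template's `systemFlags` value into its flag names, and models the tolerant handling of result 32 that the reply describes. The function names and the realm `samdom.example.com` are constructed for illustration.

```python
import string

# Template from the message, with the leading '+' diff markers removed.
TEMPLATE = string.Template(
    "dn: CN=Password Settings Container,CN=System,${DOMAINDN}\n"
    "objectClass: top\n"
    "objectClass: msDS-PasswordSettingsContainer\n"
    "systemFlags: -1946157056\n"
)

# systemFlags bits defined in MS-ADTS (unsigned 32-bit values).
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
}
LDAP_NO_SUCH_OBJECT = 32  # the "Error 32" from the log


def realm_to_dn(realm):
    """samdom.example.com -> DC=samdom,DC=example,DC=com"""
    labels = [p for p in realm.split(".") if p]
    if not labels:
        raise ValueError("empty realm")
    return ",".join("DC=" + p for p in labels)


def render_container_ldif(domain_dn):
    """Fill ${DOMAINDN} in the template."""
    return TEMPLATE.substitute(DOMAINDN=domain_dn)


def decode_system_flags(value):
    """LDIF carries systemFlags as a signed 32-bit integer."""
    unsigned = value & 0xFFFFFFFF
    names = [n for bit, n in SYSTEM_FLAGS.items() if unsigned & bit]
    unknown = unsigned & ~sum(SYSTEM_FLAGS)
    return names + ([hex(unknown)] if unknown else [])


def psos_from_search(result_code, entries):
    """Hypothetical model of the tolerant lookup: a missing container
    (result 32) means no PSOs; any other error is still an error."""
    if result_code == LDAP_NO_SUCH_OBJECT:
        return []
    if result_code != 0:
        raise RuntimeError("PSO search failed with LDAP result %d" % result_code)
    return list(entries)
```

The decoded flags show that the container is created protected against deletion, rename and move. The rendered LDIF can be saved to a file and loaded on a DC with `ldbadd -H` pointed at that DC's `sam.ldb`.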