[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]

Andrew Bartlett abartlet at samba.org
Mon Jun 24 09:00:01 UTC 2019

On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
> Hi
> Today I demoted the temporary DC (Julius) on my network.
> The demotion failed.
> Failed to confirm we are not an RODC ... cannot find attribute msDS-isRODC
> So I shut down Julius and forced the demotion.
> The domain seems stable until I tried LDAP authentication which
> fails.
> The samba log says:
> Error 32 determining PSOs in system.
> I can't seem to find anything on this error.
> Any idea how I fix this?
> I cloned the disks on both DCs before demotion, so I can just go
> back. Should I?

Sorry about that.  The issue is that Samba expects a container for
PSOs, but that is a newer AD feature and your 2003 server never created

The container is:
CN=Password Settings Container,CN=System,$DOMAIN_DN

The code should cope with 32 (no such object) as very good proof there
are no PSOs. 

This isn't an issue upgrading pure Samba domains (everything since
before 4.0.0 has this) but Windows of course is older.

Options include fixing the code (please file a bug and hopefully Tim
can look at it) and creating the missing container.  The template Samba
uses is pretty simple:

+dn: CN=Password Settings Container,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: msDS-PasswordSettingsContainer
+systemFlags: -1946157056

The final option is to use a Samba version from before PSOs were
implemented, which would be 4.8 I think, but that isn't a long-term

I hope this helps!

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
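
The handling suggested in the reply above, as an added example that is not part of the original message and is not Samba's code: a PSO lookup that treats error 32 on the container as "no PSOs" while still failing on any other error, plus the container template rendered for a given domain DN. FakeDirectory, DirectoryError, list_psos and container_ldif are hypothetical names, and the directory contents are constructed.

```python
"""Model of the PSO lookup discussed above (constructed example, not Samba source)."""

ERR_NO_SUCH_OBJECT = 32        # LDAP noSuchObject, the "Error 32" in the log
ERR_INSUFFICIENT_ACCESS = 50   # LDAP insufficientAccessRights

PSO_CONTAINER_RDN = "CN=Password Settings Container,CN=System"


class DirectoryError(Exception):
    """Hypothetical stand-in for a directory error carrying a result code."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


class FakeDirectory:
    """Constructed in-memory directory: maps a DN to the DNs of its children."""
    def __init__(self, children, denied=()):
        self.children = dict(children)
        self.denied = set(denied)

    def one_level(self, base_dn):
        if base_dn in self.denied:
            raise DirectoryError(ERR_INSUFFICIENT_ACCESS, "access denied")
        if base_dn not in self.children:
            raise DirectoryError(ERR_NO_SUCH_OBJECT, "no such object")
        return list(self.children[base_dn])


def pso_container_dn(domain_dn):
    return f"{PSO_CONTAINER_RDN},{domain_dn}"


def list_psos(directory, domain_dn):
    """Return the PSO DNs; a missing container means the domain has none."""
    try:
        return directory.one_level(pso_container_dn(domain_dn))
    except DirectoryError as err:
        if err.code == ERR_NO_SUCH_OBJECT:
            return []   # container never created, so no PSO can exist
        raise           # any other failure must not be read as "no PSOs"


def container_ldif(domain_dn):
    """Render the template quoted in the message for one domain DN."""
    return (f"dn: {pso_container_dn(domain_dn)}\n"
            "objectClass: top\n"
            "objectClass: msDS-PasswordSettingsContainer\n"
            "systemFlags: -1946157056\n")
```

Only result code 32 is mapped to an empty list; an access or operations error is re-raised so that authentication does not proceed as if no password settings applied.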
