[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]

Tim Beale timbeale at catalyst.net.nz
Mon Jun 24 23:43:15 UTC 2019

On 24/06/19 9:00 PM, Andrew Bartlett wrote:
> On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
>> The domain seems stable until I tried LDAP authentication which
>> fails.
>> The samba log says:
>> Error 32 determining PSOs in system.
>> I can't seem to find anything on this error.
>> Any idea how I fix this?
> Sorry about that.  The issue is that Samba expects a container for
> PSOs, but that is a newer AD feature and your 2003 server never created
> it.
> The container is:
> CN=Password Settings Container,CN=System,$DOMAIN_DN
> The code should cope with 32 (no such object) as very good proof there
> are no PSOs. 
> This isn't an issue upgrading pure Samba domains (everything since
> before 4.0.0 has this) but Windows of course is older.
> Options include fixing the code (please file a bug and hopefully Tim
> can look at it) and creating the missing container.  The template Samba
> uses is pretty simple:
> +dn: CN=Password Settings Container,CN=System,${DOMAINDN}
> +objectClass: top
> +objectClass: msDS-PasswordSettingsContainer
> +systemFlags: -1946157056
> +
> The final option is to use a Samba version from before PSOs were
> implemented, which would be 4.8 I think, but that isn't a long-term
> option.
I've raised a bug for this:
https://bugzilla.samba.org/show_bug.cgi?id=14008 and I'm just working on
a fix.

Creating the Password Settings Container manually is probably the
simplest workaround in the meantime.

Just a note to others: I think this problem only occurs if the domain DB
was created based on a pre-2008 schema, and then you later manually
raise the functional-level to 2008 or greater.
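
The manual workaround discussed in this thread, as an added example that is not part of the original messages or of Samba's own code: it renders the quoted template for a given domain and adds the container only if a base-scope search does not find it. The function names, deriving the domain DN from the DNS realm, and applying the LDIF with `ldbsearch`/`ldbadd` against the DC's local `sam.ldb` are assumptions; the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not Samba project code.

# realm_to_dn REALM: samdom.example.com -> DC=samdom,DC=example,DC=com
# Assumption: the domain DN follows the DNS realm, as in a default AD domain.
realm_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++)
            printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# psc_ldif DOMAIN_DN: the template quoted in the thread, with the diff "+"
# prefixes removed and ${DOMAINDN} substituted.
psc_ldif() {
    cat <<EOF
dn: CN=Password Settings Container,CN=System,$1
objectClass: top
objectClass: msDS-PasswordSettingsContainer
systemFlags: -1946157056
EOF
}

# ensure_psc SAM_LDB DOMAIN_DN: add the container only when it is missing.
# A base-scope search that returns no entry corresponds to the "error 32"
# (no such object) case from the log message.
ensure_psc() {
    sam_ldb=$1
    domain_dn=$2
    dn="CN=Password Settings Container,CN=System,$domain_dn"
    if ldbsearch -H "$sam_ldb" -b "$dn" -s base '(objectClass=*)' dn \
            2>/dev/null | grep -qi '^dn: '; then
        echo "already present: $dn"
        return 0
    fi
    echo "adding: $dn"
    psc_ldif "$domain_dn" | ldbadd -H "$sam_ldb"
}

# Usage (placeholder path; back up sam.ldb before changing it):
#   ensure_psc /path/to/private/sam.ldb "$(realm_to_dn samdom.example.com)"
```

Review the output of `psc_ldif` before applying it; whether a given Samba build needs additional controls to set `systemFlags` this way is not covered by the thread.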
