[Samba] Error determinigng PSOs in system [SEC=UNOFFICIAL]
Tim Beale
timbeale at catalyst.net.nz
Mon Jun 24 23:43:15 UTC 2019
On 24/06/19 9:00 PM, Andrew Bartlett wrote:
> On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
>> The domain seems stable until I tried LDAP authentication which
>> fails.
>>
>> The samba log says:
>>
>> Error 32 determining PSOs in system.
>>
>> I can't seem to find anything on this error.
>>
>> Any idea how I fix this?
> sorry about that. The issue is that Samba expects a container for
> PSOs, but that is a newer AD feature and your 2003 server never created
> it.
>
> the container is:
> CN=Password Settings Container,CN=System,$DOMAIN_DN
>
> The code should cope with 32 (no such object) as very good proof there
> are no PSOs.
>
> This isn't an issue upgrading pure Samba domains (everything since
> before 4.0.0 has this) but windows of course is older.
>
> Options include fixing the code (please file a bug and hopefully Tim
> can look at it) and creating the missing container. The template Samba
> uses is pretty simple:
>
> +dn: CN=Password Settings Container,CN=System,${DOMAINDN}
> +objectClass: top
> +objectClass: msDS-PasswordSettingsContainer
> +systemFlags: -1946157056
> +
>
> The final option is to use a Samba version from before PSOs were
> implemented, which would be 4.8 I think, but that isn't a long-term
> option.
>
>
I've raised a bug for this:
https://bugzilla.samba.org/show_bug.cgi?id=14008 and I'm just working on
a fix.
Creating the Password Settings Container manually is probably the
simplest workaround in the meantime.
Just a note to others: I think this problem only occurs if the domain DB
was created based on a pre-2008 schema, and then you later manually
raise the functional-level to 2008 or greater.
More information about the samba
mailing list