[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]

Thamm, Russell Russell.Thamm at dst.defence.gov.au
Tue Jun 25 07:22:05 UTC 2019


Thanks Tim,

I was just wondering if my mistake was raising the functional-level. This confirms it.

This apparently also broke backup.

I cannot create the container, because the current schema (2003) doesn't support msDS-PasswordSettingsContainer. 

It seems impossible (and dangerous) to update the schema.  

I was given a reference to a thread about updating the schema but
- the thread didn't contain the actual ldf files
- the thread seemed to be an upgrade from 2003 R2 and I just have 2003.

Is it possible to lower the level again?

I can revert to the state that existed before demoting Julius. I'm thinking that this is the best course if I can't undo raising the level.


-----Original Message-----
From: Tim Beale [mailto:timbeale at catalyst.net.nz]
Sent: Tuesday, 25 June, 2019 9:13 a.m.
To: Andrew Bartlett; Thamm, Russell; sambalist
Subject: Re: [Samba] Error determining PSOs in system [SEC=UNOFFICIAL]

On 24/06/19 9:00 PM, Andrew Bartlett wrote:
> On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
>> The domain seems stable until I tried LDAP authentication which 
>> fails.
>> The samba log says:
>> Error 32 determining PSOs in system.
>> I can't seem to find anything on this error.
>> Any idea how I fix this?
> Sorry about that.  The issue is that Samba expects a container for 
> PSOs, but that is a newer AD feature and your 2003 server never 
> created it.
> The container is:
> CN=Password Settings Container,CN=System,$DOMAIN_DN
> The code should cope with 32 (no such object) as very good proof there 
> are no PSOs.
> This isn't an issue upgrading pure Samba domains (everything since 
> before 4.0.0 has this) but Windows of course is older.
> Options include fixing the code (please file a bug and hopefully Tim 
> can look at it) and creating the missing container.  The template 
> Samba uses is pretty simple:
> +dn: CN=Password Settings Container,CN=System,${DOMAINDN}
> +objectClass: top
> +objectClass: msDS-PasswordSettingsContainer
> +systemFlags: -1946157056
> +
> The final option is to use a Samba version from before PSOs were 
> implemented, which would be 4.8 I think, but that isn't a long-term 
> option.
I've raised a bug for this:
https://bugzilla.samba.org/show_bug.cgi?id=14008 and I'm just working on a fix.

Creating the Password Settings Container manually is probably the simplest workaround in the meantime.

Just a note to others: I think this problem only occurs if the domain DB was created based on a pre-2008 schema, and then you later manually raise the functional-level to 2008 or greater.
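
The following preflight check is an added example, not part of the e-mails above and not Samba code. It classifies a directory export against the condition described in the thread: functional level raised to 2008 or greater, Password Settings Container missing, and whether the schema defines msDS-PasswordSettingsContainer. The function names and the sample LDIF are constructed, and it assumes plain LDIF text as input and that msDS-Behavior-Version 3 corresponds to the 2008 functional level.

```python
# Added example (not Samba code). The LDIF in SAMPLE is constructed.
FL_2008 = 3  # msDS-Behavior-Version value of the 2008 functional level
PSO_CLASS = "msDS-PasswordSettingsContainer"

SAMPLE = """\
dn: DC=example,DC=test
msDS-Behavior-Version: 3

dn: CN=System,DC=example,DC=test
objectClass: container
"""

def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 values) into attr -> [values] dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ": " in line:
            attr, value = line.split(": ", 1)
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def pso_preflight(entries, domain_dn):
    """Classify a domain against the condition Tim describes in the thread."""
    container_dn = "CN=Password Settings Container,CN=System," + domain_dn
    by_dn = {e["dn"][0].lower(): e for e in entries if "dn" in e}
    domain = by_dn.get(domain_dn.lower(), {})
    level = int(domain.get("msds-behavior-version", ["0"])[0])
    has_container = container_dn.lower() in by_dn
    # The schema must define the class before the container can be created.
    schema_ok = any(PSO_CLASS in e.get("ldapdisplayname", []) for e in entries)
    if level < FL_2008:
        status = "not affected: functional level below 2008"
    elif has_container:
        status = "ok: container present"
    elif schema_ok:
        status = "affected: container missing, schema allows creating it"
    else:
        status = "affected: container missing, schema lacks " + PSO_CLASS
    return {"level": level, "container": has_container,
            "schema_class": schema_ok, "status": status}

if __name__ == "__main__":
    print(pso_preflight(parse_ldif(SAMPLE), "DC=example,DC=test"))
```

The constructed sample reproduces the state reported at the top of this message: level 3, no container, and no schema class to create it from.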
