[Samba] Error determinigng PSOs in system [SEC=UNOFFICIAL]

Tim Beale timbeale at catalyst.net.nz
Wed Jun 26 01:42:35 UTC 2019

Hi Russell,

Ah, right, of course you can't create the msDS-PasswordSettingsContainer
object on a 2003 schema.

The code doesn't actually care what type of object the Password Settings
Container is as long as it exists. So the simplest short-term kludge to
get back to a working AD would be to create the PSO container as an
object that does exist in your schema, e.g.

ldbadd -H /usr/local/samba/private/sam.ldb
dn: CN=Password Settings
objectClass: container

This is a major kludge to the DB and so please delete this object as
soon as you can, otherwise it will cause major support problems going

The better short/medium-term solution would be to roll your functional
level back. Unfortunately the 'samba-tool domain level' command doesn't
support going backwards. However, the functional-level is just an
integer in the database (msDS-Behavior-Version) that you can modify. The
functional-level value for 2003 is '2' - you can see the possible values

There are several objects that have this attribute. E.g.
ldbsearch -H st/ad_dc/private/sam.ldb  '(msDS-Behavior-Version=*)'
msDS-Behavior-Version --cross-ncs
# record 1
msDS-Behavior-Version: 3

# record 2
msDS-Behavior-Version: 4

# record 3
dn: CN=Partitions,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
msDS-Behavior-Version: 3

# record 4
dn: DC=addom,DC=samba,DC=example,DC=com
msDS-Behavior-Version: 3

The PSO code is checking the base-domain object (i.e. record 4). The
'samba-tool domain level raise --domain-level' command also updates the
domain crossRef object (record 1). --forest-level updates the
CN=Partitions object (record3). To edit these objects manually, you
could use something like the following (and just don't alter the objects
you don't want to modify).
ldbedit -H /usr/local/samba/private/sam.ldb  '(msDS-Behavior-Version=*)'
msDS-Behavior-Version --cross-ncs

Note that after changing the functional-level, you'll need to restart
samba for this to take effect on things like LDAP authentication.

Finally, longer-term you'd need to find a way to upgrade your schema
from 2003 to 2008R2. I don't think there's any support for this in Samba
currently. I'm not sure if anyone else on the list has had experience
doing this.


On 25/06/19 7:22 PM, Thamm, Russell wrote:
> Thanks Tim,
> I was just wondering if my mistake was raising the functional-level. This confirms it.
> This apparently also broke backup.
> I cannot create the container, because the current schema (2003) doesn't support msDS-PasswordSettingsContainer. 
> It seems impossible (and dangerous) to update the schema.  
> I was given a reference to a thread about updating the schema but
> - the thread didn't contain the actual ldf files
> - the thread seemed to be an upgrade from 2003 R2 and I just have 2003.
> Is it possible to lower the level again?
> I can revert to the state that existed before demoting Julius. I'm thinking that this is the best course if I can't undo raising the level.
> Cheers
> Russell
> -----Original Message-----
> From: Tim Beale [mailto:timbeale at catalyst.net.nz]
> Sent: Tuesday, 25 June, 2019 9:13 a.m.
> To: Andrew Bartlett; Thamm, Russell; sambalist
> Subject: Re: [Samba] Error determinigng PSOs in system [SEC=UNOFFICIAL]
> On 24/06/19 9:00 PM, Andrew Bartlett wrote:
>> On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
>>> The domain seems stable until I tried LDAP authentication which 
>>> fails.
>>> The samba log says:
>>> Error 32 determining PSOs in system.
>>> I can't seem to find anything on this error.
>>> Any idea how I fix this?
>> sorry about that.  The issue is that Samba expects a container for 
>> PSOs, but that is a newer AD feature and your 2003 server never 
>> created it.
>> the container is:
>> CN=Password Settings Container,CN=System,$DOMAIN_DN
>> The code should cope with 32 (no such object) as very good proof there 
>> are no PSOs.
>> This isn't an issue upgrading pure Samba domains (everything since 
>> before 4.0.0 has this) but windows of course is older.
>> Options include fixing the code (please file a bug and hopefully Tim 
>> can look at it) and creating the missing container.  The template 
>> Samba uses is pretty simple:
>> +dn: CN=Password Settings Container,CN=System,${DOMAINDN}
>> +objectClass: top
>> +objectClass: msDS-PasswordSettingsContainer
>> +systemFlags: -1946157056
>> +
>> The final option is to use a Samba version from before PSOs were 
>> implemented, which would be 4.8 I think, but that isn't a long-term 
>> option.
> I've raised a bug for this:
> https://bugzilla.samba.org/show_bug.cgi?id=14008 and I'm just working on a fix.
> Creating the Password Settings Container manually is probably the simplest workaround in the meantime.
> Just a note to others: I think this problem only occurs if the domain DB was created based on a pre-2008 schema, and then you later manually raise the functional-level to 2008 or greater.

More information about the samba mailing list