[Samba] Error determinigng PSOs in system [SEC=UNOFFICIAL]

Thamm, Russell Russell.Thamm at dst.defence.gov.au
Wed Jun 26 07:37:17 UTC 2019


Hi Rowland,

How can I get these ldf files?

I have now setup a lab-domain so I can try this out without fear of stuffing anything up.

I believe that I now have finally completed upgrading from 2003 server to Samba 4 (fingers crossed).

Thanks so much to everyone for your help and patience.


-----Original Message-----
From: Rowland penny [mailto:rpenny at samba.org]
Sent: Wednesday, 26 June, 2019 4:26 p.m.
To: Tim Beale; Thamm, Russell
Cc: sambalist; Andrew Bartlett
Subject: Re: [Samba] Error determinigng PSOs in system [SEC=UNOFFICIAL]

On 26/06/2019 02:42, Tim Beale via samba wrote:
> Hi Russell,
> Ah, right, of course you can't create the 
> msDS-PasswordSettingsContainer object on a 2003 schema.
> The code doesn't actually care what type of object the Password 
> Settings Container is as long as it exists. So the simplest short-term 
> kludge to get back to a working AD would be to create the PSO 
> container as an object that does exist in your schema, e.g.
> ldbadd -H /usr/local/samba/private/sam.ldb
> dn: CN=Password Settings
> Container,CN=System,DC=addom,DC=samba,DC=example,DC=com
> objectClass: container
> This is a major kludge to the DB and so please delete this object as 
> soon as you can, otherwise it will cause major support problems going 
> forward.
> The better short/medium-term solution would be to roll your functional 
> level back. Unfortunately the 'samba-tool domain level' command 
> doesn't support going backwards. However, the functional-level is just 
> an integer in the database (msDS-Behavior-Version) that you can 
> modify. The functional-level value for 2003 is '2' - you can see the 
> possible values
> here:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d
> 7422d35-448a-451a-8846-6a7def0044df
> There are several objects that have this attribute. E.g.
> ldbsearch -H st/ad_dc/private/sam.ldb  '(msDS-Behavior-Version=*)'
> msDS-Behavior-Version --cross-ncs
> # record 1
> dn:
> CN=ADDOMAIN,CN=Partitions,CN=Configuration,DC=addom,DC=samba,DC=exampl
> e,DC=com
> msDS-Behavior-Version: 3
> # record 2
> dn: CN=NTDS
> Settings,CN=ADDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Con
> figuration,DC=addom,DC=samba,DC=example,DC=com
> msDS-Behavior-Version: 4
> # record 3
> dn: CN=Partitions,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
> msDS-Behavior-Version: 3
> # record 4
> dn: DC=addom,DC=samba,DC=example,DC=com
> msDS-Behavior-Version: 3
> The PSO code is checking the base-domain object (i.e. record 4). The 
> 'samba-tool domain level raise --domain-level' command also updates 
> the domain crossRef object (record 1). --forest-level updates the 
> CN=Partitions object (record3). To edit these objects manually, you 
> could use something like the following (and just don't alter the 
> objects you don't want to modify).
> ldbedit -H /usr/local/samba/private/sam.ldb  '(msDS-Behavior-Version=*)'
> msDS-Behavior-Version --cross-ncs
> Note that after changing the functional-level, you'll need to restart 
> samba for this to take effect on things like LDAP authentication.
> Finally, longer-term you'd need to find a way to upgrade your schema 
> from 2003 to 2008R2. I don't think there's any support for this in 
> Samba currently. I'm not sure if anyone else on the list has had 
> experience doing this.
> Cheers,
> Tim
> On 25/06/19 7:22 PM, Thamm, Russell wrote:
>> Thanks Tim,
>> I was just wondering if my mistake was raising the functional-level. This confirms it.
>> This apparently also broke backup.
>> I cannot create the container, because the current schema (2003) doesn't support msDS-PasswordSettingsContainer.
>> It seems impossible (and dangerous) to update the schema.
>> I was given a reference to a thread about updating the schema but
>> - the thread didn't contain the actual ldf files
>> - the thread seemed to be an upgrade from 2003 R2 and I just have 2003.
>> Is it possible to lower the level again?
>> I can revert to the state that existed before demoting Julius. I'm thinking that this is the best course if I can't undo raising the level.
>> Cheers
>> Russell
>> -----Original Message-----
>> From: Tim Beale [mailto:timbeale at catalyst.net.nz]
>> Sent: Tuesday, 25 June, 2019 9:13 a.m.
>> To: Andrew Bartlett; Thamm, Russell; sambalist
>> Subject: Re: [Samba] Error determinigng PSOs in system 
>> On 24/06/19 9:00 PM, Andrew Bartlett wrote:
>>> On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
>>>> The domain seems stable until I tried LDAP authentication which 
>>>> fails.
>>>> The samba log says:
>>>> Error 32 determining PSOs in system.
>>>> I can't seem to find anything on this error.
>>>> Any idea how I fix this?
>>> sorry about that.  The issue is that Samba expects a container for 
>>> PSOs, but that is a newer AD feature and your 2003 server never 
>>> created it.
>>> the container is:
>>> CN=Password Settings Container,CN=System,$DOMAIN_DN
>>> The code should cope with 32 (no such object) as very good proof 
>>> there are no PSOs.
>>> This isn't an issue upgrading pure Samba domains (everything since 
>>> before 4.0.0 has this) but windows of course is older.
>>> Options include fixing the code (please file a bug and hopefully Tim 
>>> can look at it) and creating the missing container.  The template 
>>> Samba uses is pretty simple:
>>> +dn: CN=Password Settings Container,CN=System,${DOMAINDN}
>>> +objectClass: top
>>> +objectClass: msDS-PasswordSettingsContainer
>>> +systemFlags: -1946157056
>>> +
>>> The final option is to use a Samba version from before PSOs were 
>>> implemented, which would be 4.8 I think, but that isn't a long-term 
>>> option.
>> I've raised a bug for this:
>> https://bugzilla.samba.org/show_bug.cgi?id=14008 and I'm just working on a fix.
>> Creating the Password Settings Container manually is probably the simplest workaround in the meantime.
>> Just a note to others: I think this problem only occurs if the domain DB was created based on a pre-2008 schema, and then you later manually raise the functional-level to 2008 or greater.
This has been done before: 

You will need the ldf files (which I have)


More information about the samba mailing list