[Samba] Crash on "samba-tool domain level raise --domain-level=2016 --forest-level=2016"

Andrew Bartlett abartlet at samba.org
Mon Aug 28 19:33:54 UTC 2023 

On Mon, 2023-08-28 at 12:43 +0200, Fabio Fantoni via samba wrote:
> Il 25/08/2023 14:26, Rowland Penny via samba ha scritto:
> > On Fri, 25 Aug 2023 14:10:13 +0200
> > Sebastian Neustein via samba <
> > samba at lists.samba.org
> > > wrote:
> > 
> > > Have you tried doing it step by step: first raise domain level
> > > and
> > > after that raising the forest level?
> > > 
> > 
> > An MR as been opened about this:
> > 
> > https://gitlab.com/samba-team/samba/-/merge_requests/3237
> > 
> > 
> > Seems someone is reading the list.
> > 
> > Rowland
> > 
> > 
> 
> Thanks to Joseph Sutton for the fix, applied manually and tested,
> this 
> issue is solved but now gave another error.
> 
> This time I tried to raise to level 2012_R2 instead (for try to add
> of 
> windows 2012R2 before):
> 
> > samba-tool domain schemaupgrade --schema=2019
> > samba-tool domain functionalprep --function-level=2012_R2
> 
> these was without errors but the level raise still failed with
> another 
> error:
> 
> > samba-tool domain level raise --domain-level=2012_R2 
> > --forest-level=2012_R2
> > ERROR: Domain function level can't be higher than the lowest
> > function 
> > level of a DC!
> 
> also tried with only domain and only forest:
> 
> > samba-tool domain level raise --domain-level=2012_R2
> > ERROR: Domain function level can't be higher than the lowest
> > function 
> > level of a DC!
> > samba-tool domain level raise --forest-level=2012_R2
> > ERROR: Forest function level can't be higher than the domain
> > function 
> > level(s). Please raise it/them first!
> 
> the latest is normal the error FWIK but the first and second I don't 
> understand the cause, is only one samba DC (this is where I'm
> running 
> operations from)

Samba doesn’t "support" a FL higher than 2008R2, even in Samba 4.19,
but there is a preview of Windows 2012, 2012R2 and 2016 support in this
release.

As per the WHATSNEW, you need to set "ad dc functional level = 2012_R2"
in the smb.conf of each DC, and on the next startup (or running this
command) it will update the record of the DC's own functional level in
the database, and allow this to proceed.

> no error on db (I executed also before the raise test)
> 
> > samba-tool dbcheck --cross-ncs
> > Checking 3993 objects
> > Checked 3993 objects (0 errors)
> 
> here some conf files if needed:

Thanks.  This shows the parameter isn't set.

> > less /etc/samba/smb.conf
> > # Global parameters
> > [global]
> >         netbios name = D12DC
> >         realm = M2R.LOCAL
> >         server role = active directory domain controller
> >         workgroup = M2R
> >         dns forwarder = 8.8.8.8
> >         # for nextcloud
> >         ldap server require strong auth = no
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > 
> > [netlogon]
> >         path = /var/lib/samba/sysvol/m2r.local/scripts
> >         read only = No

Thanks so much for giving Samba pre-releases a good test. 

It is clear our tools could better report their errors and guide users
on how to resolve the issues. 

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list