[Samba] SAMBA 4.20 - function level upgrade

Wed Apr 10 10:04:32 UTC 2024

Hello
I will try give you best answer what I can.

- alma linux 9, fresh installation, for testing only in virtualbox
- packages from Sernet, installad via YUM from oficial repo
- installed version 4.18 (same on original linux)
- moved backup from original server, /var/lib/samba + /etc/krb, 
/etc/default/samba, /etc/samba
- original domain created if I remember on 4.15 or 4.16, then schema 
upgrade to 2012, on 4.18
- upgraded to version 4.20

thank you
THAV

------ Původní zpráva ------
Od "Andrew Bartlett via samba" <samba at lists.samba.org>
Komu "Tomáš Havlín" <thavlin at spel.cz>; "Tomáš Havlín via samba" 
<samba at lists.samba.org>
Datum 10.04.2024 10:54:55
Předmět Re: [Samba] SAMBA 4.20 - function level upgrade

>Thanks for the extra details.  I do intend to dig into this for you, it
>is very strange, but to do that I need some more details:
>Can I get (again, if I've missed it) a history of this domain (what
>version did you start with, what schema upgrades have happened in the
>past) so I can try and reproduce?
>Also, can you confirm where you got your Samba package, if there are
>any other bits of any Samba version on your system, and the details for
>the sources of that package.
>The reason I ask is that things in the logs just don't line up with
>what I see in the git tag.
>For example, not only do the resolve_oids.c references look odd, I just
>can't see how Samba 4.20.0 can print this line:
>dsdb_schema_set_el_from_ldb_msg_dups() WERR_INVALID_PARAMETER
>Thanks,
>Andrew Bartlett
>On Tue, 2024-04-09 at 08:05 +0000, Tomáš Havlín wrote:
>>  Hello,
>>  samba-tool domain level showForest function level: (Windows) 2012 R2
>>  Domain function level: (Windows) 2012 R2
>>  Lowest function level of a DC: (Windows) 2016
>>
>>  samba 4.20.0-2
>>  smb.confad dc functional level = 2016
>>https://wiki.samba.org/index.php/Samba_Features_added/changed#NEW_FEATURES/CHANGESsection AD DC support for Authentication Silos and Authentication
>>  Policies
>>  direcly copied from console[root at vorvan ~]# samba-tool domain
>>  schemaupgrade --schema=2019
>>  Temporarily overriding 'dsdb:schema update allowed' setting
>>  Applying Sch70.ldf updates...
>>  Unable to find attribute msDS-DeviceMDMStatus in the schema
>>  5 changes applied
>>  Applying Sch71.ldf updates...
>>  7 changes applied
>>  Applying Sch72.ldf updates...
>>  5 changes applied
>>  Applying Sch73.ldf updates...
>>  5 changes applied
>>  Applying Sch74.ldf updates...
>>  ../../source4/dsdb/schema/schema_init.c:816: name == NULL in CN=ms-
>>  DS-Key-Credential,CN=Schema,CN=Configuration,DC=raisa,DC=intra
>>  dsdb_schema_set_el_from_ldb_msg_dups() WERR_INVALID_PARAMETER
>>  Exception: (1, 'operations error at
>>  ../../source4/dsdb/samdb/ldb_modules/resolve_oids.c:674')
>>  Encountered while trying to apply the following LDIF
>>  ----------------------------------------------------
>>  dn: CN=ms-DS-Key-
>>  Credential,CN=Schema,CN=Configuration,DC=raisa,DC=intra
>>  changetype: add
>>  objectClass: classSchema
>>  ldapDisplayName: msDS-KeyCredential
>>  adminDisplayName: msDS-KeyCredential
>>  adminDescription: An instance of this class contains key material.
>>  governsId: 1.2.840.113556.1.5.297
>>  objectClassCategory: 1
>>  rdnAttId: cn
>>  schemaIdGuid:: Q1Uf7i58akeLP+EfSvbEmA==
>>  defaultSecurityDescriptor:
>>  D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDD
>>  TSW;;;SY)
>>  defaultHidingValue: FALSE
>>  showInAdvancedViewOnly: TRUE
>>  systemOnly: FALSE
>>  systemFlags: 16
>>  instanceType: 4
>>  subClassOf: top
>>  systemPossSuperiors: container
>>  systemMustContain: 1.2.840.113556.1.4.2315
>>  systemMayContain: msDS-KeyMaterial
>>  systemMayContain: msDS-KeyUsage
>>  systemMayContain: msDS-KeyPrincipal
>>  systemMayContain: msDS-DeviceDN
>>  systemMayContain: msDS-ComputerSID
>>  systemMayContain: msDS-CustomKeyInformation
>>  systemMayContain: msDS-KeyApproximateLastLogonTimeStamp
>>
>>  Exception: (1, 'operations error at
>>  ../../source4/dsdb/samdb/ldb_modules/resolve_oids.c:674')
>>  Error encountered, aborting schema upgrade
>>  ERROR: Failed to upgrade schema
>>
>>  thank youTHAV
>>
>>
>>
>>
>>
>>  ------ Původní zpráva ------
>>
>>  Od "Andrew Bartlett" <abartlet at samba.org>
>>
>>  Komu "Tomáš Havlín" <thavlin at spel.cz>; "Tomáš Havlín via samba" <
>>samba at lists.samba.org>
>>
>>  Datum 09.04.2024 9:45:00
>>
>>  Předmět Re: Re[2]: [Samba] SAMBA 4.20 - function level upgrade
>>
>>  > On Mon, 2024-04-08 at 08:03 +0000, Tomáš Havlín wrote:
>>  > > Hello,
>>  > > I am sorry for my answer. I have already upgraded level domain
>>  > > and
>>  > > forest level 2012_R2 and function level to 2016 via ad dc
>>  > > functional
>>  > > level = 2016. Then I tried to follow instructions from wiki to
>>  > > upgrade
>>  > > to version of funtion level to 2016, but schema upgrade ends with
>>  > > error
>>  > >
>>  > >
>>  > > Exception: (1, 'operations error at
>>  > > ../../source4/dsdb/samba/ldb_modules/resolve_oids.c:674')
>>  > > Error encountered, aborting schema upgrade
>>  > > ERROR: Failed to upgrade schema
>>  >
>>  > Was this text copied directly from your failing host?  I ask
>>  > cecause someone has 'spell corrected' samdb -> samba in that path,
>>  > and line 674 is empty in the Samba 4.20.0 released sources.
>>  >
>>  > Can you please confirm the exact command given and the version of
>>  > Samba you are running where you see this failure?
>>  >
>>  > Thanks,
>>  >
>>  > Andrew Bartlett
>>  >
>>  > --
>>  > Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba
>>  > Team Member (since 2001) https://samba.orgSamba Team
>>  > Lead
>>  > https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
>>  > Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
>>  > company
>>  > Samba Development and Support:
>>  > https://catalyst.net.nz/services/samba
>>  > Catalyst IT - Expert Open Source Solutions
>--
>Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead                https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
>Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
>company
>Samba Development and Support: https://catalyst.net.nz/services/samba
>Catalyst IT - Expert Open Source Solutions
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba