[Samba] SaMBa functional level

Pisch Tamás pischta at gmail.com
Thu Apr 18 12:43:03 UTC 2024


Thanks for the info, Andrew.
I configured the Microsoft Entra Connect without raising the FL on SaMBa
DCs. The agents are running, the state of them is active, but my
configuration state is quarantined. The error message is the following:
HybridSynchronizationContainerStateEnumerationFailed
We were unable to process this request at this point. If this issue
persists, please contact support and provide the following job identifier:
AD2AADProvisioning.****. Additional details: Encountered an error while
enumerating container changes in the provisioning agent. Please make sure
you are running the latest version of the agent. Contact support if the
issue persists. Additional Error Details: UnwillingToPerform: The server
cannot handle directory requests.. ResultCode: UnwillingToPerform, HResult:
-2146233088, responseType:
System.DirectoryServices.Protocols.SearchResponse, serializedResponse:
{"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in
module dsdb_paged_results: Unwilling to perform during LDB_SEARCH
(53)","Referral":[],"References":[],"Entries":[],"RequestId":null}.
I configured the agents with an AD user who is in the Domain Admins group.

Andrew Bartlett <abartlet at samba.org> wrote (on Thu, 28 Mar 2024, 2:45):

> On Wed, 2024-03-27 at 12:18 +0100, Pisch Tamás wrote:
> > > Others have integrated Azure AD with Samba without the FL increase, and
> > > the key step would be the adprep work,
> >
> > Then I will do it without increasing the FL. What do I have to do
> > with adprep?
>
> To (prepare to) raise the domain functional level of an existing
> domain, after updating the smb.conf and restarting Samba run
>
> samba-tool domain schemaupgrade --schema=2019
>
> samba-tool domain functionalprep --function-level=2016
>
>
> > > but regardless the main risk
> > > with using the FL 2012 or FL2016 'early' in Samba 4.19 or 4.20 is that
> > > we don't have any further protection against 'mixed domains' if you use
> > > the silos, claims or authentication policy features.  So if you
> > > have some DCs on 4.19 and some on a later version with the full
> > > support, eg 4.21 or partial support (4.20), then you will have
> > > inconsistent behaviour between your DCs.
>
> > I will use only 4.19 DCs.
>
> It is more a warning for the future, when you do upgrade, just to be
> aware that running different versions for a long time won't be a great
> idea.  Nothing catastrophic, but you won't be able to rely on the new
> security features until only new DCs are running.
>
> Andrew Bartlett,
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions

