[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in

Virgo Pärna virgo.parna at mail.ee
Wed Jan 29 10:27:31 UTC 2025


On 25.01.2025 20:44, Virgo Pärna via samba wrote:
> 
> Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry 
> 'CN=Privileged Access Management Feature,CN=Optional 
> Features,CN=Directory Service,CN=Windows 
> NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid 
> value!")
> Error encountered, aborting schema upgrade
> ERROR: Failed to upgrade schema
> 

It is really strange... Looking at Sch78 from Schema-Updates.md, it matches 
the one in the MicrosoftDocs GitHub.

Sch78 seems to rename "Expiring Group Membership Feature" to "Privileged 
Access Management Feature". If I understand it correctly...

First, the old value is made renamable; it has:
# FLAG_ALLOW_RENAME 0x400000
systemFlags: 1073741824

Although 1073741824 is 0x4000 0000, not 0x40 0000.
Then the rename is done and then systemFlags is set again to 2348810240, and 
that fails with "Invalid attribute syntax".


Strangely, in the debug log the ldb:acl_rename line does not have a following 
DSDB Change line.



-- 
Virgo Pärna
virgo.parna at mail.ee
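
Added example, not part of the original message and not Samba's or Microsoft's code: a small decoder for the systemFlags values quoted above, showing their hex form, the named high bits, and whether the decimal value fits a signed 32-bit integer. The function name `decode_system_flags` is hypothetical, the bit names are taken from the MS-ADTS "System Flags" list rather than from this thread, and treating the attribute as a signed 32-bit integer is an assumption.

```python
# Added example: decode systemFlags values as they appear in an LDIF file.
# Assumption: the attribute is stored as a signed 32-bit integer.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

# High bits only; names as listed in MS-ADTS "System Flags" (not from the thread).
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
}


def decode_system_flags(text):
    """Decode one decimal systemFlags value from LDIF text."""
    value = int(text, 10)
    if not INT32_MIN <= value < 2**32:
        raise ValueError(f"{text!r} does not fit in 32 bits")
    bits = value & 0xFFFFFFFF  # same bit pattern for signed and unsigned input
    named = [(mask, name) for mask, name in SYSTEM_FLAGS.items() if bits & mask]
    known = sum(mask for mask, _ in named)
    return {
        "hex": f"0x{bits:08X}",
        "flags": [name for _, name in named],
        # Bits set in the value that the table above does not name.
        "unnamed_bits": f"0x{bits & ~known:08X}",
        # True when the decimal text is already a valid signed 32-bit value.
        "fits_int32": INT32_MIN <= value <= INT32_MAX,
        # The same bit pattern written as a signed 32-bit decimal.
        "as_int32": bits - 2**32 if bits & 0x80000000 else bits,
    }


if __name__ == "__main__":
    # The two values from the message, plus 0x400000 from the LDIF comment.
    for sample in ("1073741824", "2348810240", str(0x400000)):
        print(sample, decode_system_flags(sample))
```

Run against the values in the message, 1073741824 decodes to a single named bit and fits the signed range, while 2348810240 has the top bit set, so its bit pattern only fits a signed 32-bit field when written as a negative number.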


