[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
Rowland Penny
rpenny at samba.org
Wed Jan 29 15:07:30 UTC 2025
On Wed, 29 Jan 2025 12:27:31 +0200
Virgo Pärna via samba <samba at lists.samba.org> wrote:
> On 25.01.2025 20:44, Virgo Pärna via samba wrote:
> >
> > Exception: (21, "objectclass_attrs: attribute 'systemFlags' on
> > entry 'CN=Privileged Access Management Feature,CN=Optional
> > Features,CN=Directory Service,CN=Windows
> > NT,CN=Services,CN=Configuration,DC=*****' contains at least one
> > invalid value!")
> > Error encountered, aborting schema upgrade
> > ERROR: Failed to upgrade schema
> >
>
> It is really strange... Looking at Sch78 from Schema-Updates.md,
> it matches the one in the MicrosoftDocs GitHub.
>
> Sch78 seems to rename "Expiring Group Membership Feature" to
> "Privileged Access Management Feature". If I understand it
> correctly...
>
> first, old value is made renamable, it has:
> # FLAG_ALLOW_RENAME 0x400000
> systemFlags: 1073741824
>
> Although 1073741824 is 0x4000 0000, not 0x40 0000
Setting systemFlags to 1073741824 does allow the object to be renamed,
so that is correct.
> Then rename is done and then systemFlags is set again to 2348810240
> and that fails with "Invalid attribute syntax".
That is where it appears to go wrong, but 2348810240 is computed from:
FLAG_DISALLOW_DELETE 2147483648
FLAG_DOMAIN_DISALLOW_RENAME 134217728
FLAG_DOMAIN_DISALLOW_MOVE 67108864
and if you add up all the numbers, you get 2348810240, so that should
be correct. Have you checked the ldif for abnormalities? Spaces, etc.

My domain is running at functional level 2016, upgraded from 2008R2
when I upgraded to 4.21.0. When I checked my 'CN=Privileged Access
Management Feature,CN=Optional .......' DN, I found that the
systemFlags attribute is set to '-1946157056', which, as far as I can
see, is 'no changes allowed'; I have no idea how it was set to that.

Have you tried adding '-d10' to the 'samba-tool domain join' command to
see if any further error messages are printed?

Rowland
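
As an added example (not part of the original message and not Samba's own code), the following decodes the systemFlags values discussed in this thread as 32-bit bit masks and shows that 2348810240 and -1946157056 are the same bit pattern read as unsigned and as signed. The flag table uses only the values quoted above; treating the attribute as a signed 32-bit integer is an assumption of the example.

```python
# Added example: decode AD systemFlags values as 32-bit bit masks.
# Flag values are the ones quoted in the thread. Assumption: the attribute
# is stored as a signed 32-bit integer.

FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",         # 2147483648
    0x40000000: "FLAG_ALLOW_RENAME",            # 1073741824, set first in Sch78
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",  # 134217728
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",    # 67108864
}
INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def to_unsigned32(value: int) -> int:
    """Return the 32-bit pattern of value as a non-negative integer."""
    if not INT32_MIN <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    return value & 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Return the same 32-bit pattern read as a two's-complement integer."""
    u = to_unsigned32(value)
    return u - 2 ** 32 if u & 0x80000000 else u


def fits_int32(value: int) -> bool:
    """True if the literal, as written in an ldif, is within signed range."""
    return INT32_MIN <= value <= INT32_MAX


def decode(value: int) -> list:
    """Names of the flags set in value; unnamed bits are reported as hex."""
    u = to_unsigned32(value)
    names = [name for bit, name in FLAGS.items() if u & bit]
    unknown = u & ~sum(FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08X})")
    return names


def report(value: int) -> str:
    return (f"{value}: 0x{to_unsigned32(value):08X} signed={to_signed32(value)} "
            f"fits_int32={fits_int32(value)} flags={'|'.join(decode(value))}")


if __name__ == "__main__":
    for v in (1073741824, 2348810240, -1946157056):
        print(report(v))
```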