[Samba] Error in 'samba-tool domain level show'

Rowland Penny rpenny at samba.org
Mon Jun 23 09:06:18 UTC 2025 

In level.py, there is code that obtains the functional level for the Forest and domain:

            res_forest = samdb.search("CN=Partitions,%s" % samdb.get_config_basedn(),
                                      scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])

            res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
                                      attrs=["msDS-Behavior-Version", "nTMixedDomain"])

            if "msDS-Behavior-Version" in res_forest[0]:
                level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
            if "msDS-Behavior-Version" in res_domain[0]:
                level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])

If you convert the searchs to ldbsearch, you get these:

sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b 'CN=Partitions,CN=configuration,DC=samdom,DC=example,DC=com' -s base '(msDS-Behavior-Version=*)' msDS-Behavior-Version
# record 1
dn: CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
msDS-Behavior-Version: 7

# returned 1 records
# 1 entries
# 0 referrals

sudo ldbsearch -H /var/lib/samba/private/sam.ldb -P -b 'DC=samdom,DC=example,DC=com' -s base '(msDS-Behavior-Version=*)' msDS-Behavior-Version nTMixedDomain
# record 1
dn: DC=samdom,DC=example,DC=com
nTMixedDomain: 0
msDS-Behavior-Version: 7

# returned 1 records
# 1 entries
# 0 referrals

Which clearly shows that the contents of both 'msDS-Behavior-Version' attributes is '7' (which is Windows Server 2016 and up).

So why do I get this, when I run 'sudo samba-tool domain level show':
ERROR: Domain function level is higher than the lowest function level of a DC. Correct this or reprovision!

The code that prints that message is this:

            if level_forest > level_domain:
                raise CommandError("Forest function level is higher than the domain level(s). Correct this or reprovision!")

Which to me, says, 'if 7 is greater than 7' raise an error, 7 can never be greater than 7.

Can someone who is running 4.22.2 on a DC and has raised their functional levels to 2016, please try running 'sudo samba-tool domain level show', just in case it is just me.

Rowland

More information about the samba mailing list