s4:provision - Bump down the domain and forest level to Windows 2000
Andrew Kroeger
andrew at id10ts.net
Mon Sep 21 13:34:35 MDT 2009
Andrew Bartlett wrote:
> On Mon, 2009-09-21 at 11:43 -0500, Andrew Kroeger wrote:
>> Andrew Bartlett wrote:
>>> Matthias,
>>>
>>> I'm puzzled as to why we needed to change the default functional level
>>> here. Perhaps I'm missing something, but what was wrong with the old
>>> default?
>>>
>>> I'm quite happy to have options in our provision to set the domain
>>> functional level (certainly between Windows 2003 and Windows 2008
>>> level), and have scripts to change it, but the default should not be
>>> changed without discussion on the list.
>>>
>>> Similarly, we should not advertise a higher server functional level
>>> without carefully considering and discussing the consequences.
>>>
>>> I'm sorry to have to be so picky about this, but we need to work a bit
>>> closer to review your changes for their broader impact. We have a big
>>> week of testing coming up at Microsoft, and changes like this mid-week
>>> could really throw a spanner in the works.
>>>
>>> Andrew Bartlett
>> Andrew:
>>
>> I think it's time to have that discussion on the list :)
>>
>> After your commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a, which
>> changed forest, domain and domain controller functionality levels to
>> 2008, I cannot join a W2K8 server to an S4 domain. After reverting that
>> commit, I am again able to join a W2K8 server to an S4 domain.
>>
>> I am attaching the relevant section of my samba.log containing details
>> from when the domain join fails.
>
> It looks like 'salting' to me. Ensure you have a fresh provision (we
> changed the salting algorithm). Perhaps there is an upgrade bug on
> secrets.ldb.
>
> Andrew Bartlett
Andrew:
I just confirmed that commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a is
in fact causing my issue. I did a fresh pull from master (through
commit e440a2e11e78a562f97971c0dfe0cf3f694996ff) on a clean branch (no
local modifications). I performed a clean build, fresh install and
fresh provision, and I could not join a W2K8 server to the S4 domain
again. I reverted commit 23ffccd5d7c9a88d479f82043ff1b6efe938cc6a, did
another clean build, fresh install and fresh provision, and then I could
successfully join the W2K8 server to the S4 domain.
I'm currently running W2K8 SP2 with all updates applied, but I also saw
the error with a base W2K8 install (no SP or updates installed).
I'm willing to run additional tests to help track this down if you are
having problems reproducing the issue.
Sincerely,
Andrew Kroeger
More information about the samba-technical
mailing list