Rowland Penny
2025-Jan-29 15:07 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On Wed, 29 Jan 2025 12:27:31 +0200
Virgo Pärna via samba <samba at lists.samba.org> wrote:

> On 25.01.2025 20:44, Virgo Pärna via samba wrote:
> >
> > Exception: (21, "objectclass_attrs: attribute 'systemFlags' on
> > entry 'CN=Privileged Access Management Feature,CN=Optional
> > Features,CN=Directory Service,CN=Windows
> > NT,CN=Services,CN=Configuration,DC=*****' contains at least one
> > invalid value!")
> > Error encountered, aborting schema upgrade
> > ERROR: Failed to upgrade schema
> >
>
> It is really strange... Looking at Sch78 from Schema-Updates.md,
> it matches the one in the MicrosoftDocs github.
>
> Sch78 seems to rename "Expiring Group Membership Feature" to
> "Privileged Access Management Feature". If I understand it
> correctly...
>
> first, the old value is made renamable, it has:
> # FLAG_ALLOW_RENAME 0x400000
> systemFlags: 1073741824
>
> Although 1073741824 is 0x4000 0000, not 0x40 0000

Setting systemFlags to 1073741824 does allow the object to be renamed,
so that is correct.

> Then the rename is done and then systemFlags is set again to 2348810240
> and that fails with "Invalid attribute syntax".

That is where it appears to go wrong, but 2348810240 is computed from:

FLAG_DISALLOW_DELETE 2147483648
FLAG_DOMAIN_DISALLOW_RENAME 134217728
FLAG_DOMAIN_DISALLOW_MOVE 67108864

and if you add up all the numbers, you get 2348810240, so that should
be correct. Have you checked the ldif for abnormalities? Spaces etc.

My domain is running at functional level 2016, upgraded from 2008R2
when I upgraded to 4.21.0. When I checked my 'CN=Privileged Access
Management Feature,CN=Optional .......' DN, I found that the
systemFlags attribute is set to '-1946157056', which, as far as I can
see, is 'no changes allowed'. I have no idea how it was set to that.

Have you tried adding '-d10' to the 'samba-tool domain join' command to
see if any further error messages are printed?

Rowland
Virgo Pärna
2025-Jan-30 09:35 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 29.01.2025 17:07, Rowland Penny via samba wrote:
> On Wed, 29 Jan 2025 12:27:31 +0200
> Virgo Pärna via samba <samba at lists.samba.org> wrote:
>
>> # FLAG_ALLOW_RENAME 0x400000
>> systemFlags: 1073741824
>>
>> Although 1073741824 is 0x4000 0000, not 0x40 0000
>
> Setting systemFlags to 1073741824 does allow the object to be renamed,
> so that is correct.
>

Yeah, it seems to be an error in Microsoft's Schema-Updates.md
documentation, on which Samba's Schema-Updates.md is based.
FLAG_CONFIG_ALLOW_RENAME is actually 0x4000 0000.

> That is where it appears to go wrong, but 2348810240 is computed from:
>
> FLAG_DISALLOW_DELETE 2147483648
> FLAG_DOMAIN_DISALLOW_RENAME 134217728
> FLAG_DOMAIN_DISALLOW_MOVE 67108864
>
> and if you add up all the numbers, you get 2348810240, so that should
> be correct. Have you checked the ldif for abnormalities? Spaces etc.
>

And "Expiring Group Membership Feature" originally had the same
systemFlags. It is actually added in the same transaction (when
upgrading the schema from 2012 to 2016). I have not changed that
Schema-Updates.md myself (it was part of the samba package), and I
cannot see any differences.

> Management Feature,CN=Optional .......' DN, I found that the
> systemFlags attribute is set to '-1946157056', which, as far as I can
> see, is 'no changes allowed'. I have no idea how it was set to that.
>

Strange. There do not seem to be any additional patches by Samba to it
either.

> Have you tried adding '-d10' to the 'samba-tool domain join' command to
> see if any further error messages are printed?
>

Joining the domain is not an issue. At least I was able to join a
Windows 11 24H2 test-vm and a 22H2 test-vm to the domain. But I cannot
log in with a domain account on either of those... So the actual
problem is not tied to Windows 11 24H2. Something about my DC must be
wrong.

I did do one thing in the wrong order. I used samba-tool domain level to
raise the domain level before the schema upgrades: in the original
4.17.12 to 2008_R2 (that was some time before the logging-in issue
appeared), and then all the way to 2016 after I already had the login
problem. I only now discovered that there are separate schema upgrades.
Since the problem appears to be tied to a specific domain, that
discrepancy could be an issue; unfortunately I am unable to upgrade the
schema to the same level.

Otherwise, Windows test-computersecurechannel and
"test-computersecurechannel -repair" both work. And "dcdiag /s:dc.domain"
fails on some tests, but from google results they appear to be common
failures for a Samba DC:

* SysVolCheck - SysVol is not ready... But that mentions FRS, which is
  sysvol replication, which Samba does not support. And googling about
  it seemed to imply that it is expected.
* ObjectsReplicated is passed, but complains that replication access
  was denied.
* Replications fails with the same error.
* Services fails, because Samba does not have the Windows services that
  it expects. And samba NETLOGON is WIN32_OWN_PROCESS, not
  WIN32_SHARE_PROCESS.
* VerifyReferences fails, because there is no sysvol replication
  attribute. That is expected.
* ForestDnsZones CheckSDRefDom test fails because of the missing
  msDS-SD-Reference-Domain attribute. Same with the DomainDnsZones
  CheckSDRefDom test.

-- 
Virgo Pärna
virgo.parna at mail.ee
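The systemFlags arithmetic that both posts above work through by hand, as an added example (my code, not Samba's and not from either poster): it encodes and decodes systemFlags using the bit values from MS-ADTS (the same constants Samba exposes as samba.dsdb SYSTEM_FLAG_*), converts between the unsigned form used in Schema-Updates.md and the signed 32-bit form that ldb tools display for AD's INTEGER syntax, and scans the "systemFlags:" lines of an LDIF fragment for the whitespace and non-decimal problems that produce "Invalid attribute syntax". The LDIF text is constructed for the example; the DC=example,DC=com suffix is a placeholder.

```python
import re

# systemFlags bits from MS-ADTS (same values as samba.dsdb SYSTEM_FLAG_*).
# Note FLAG_CONFIG_ALLOW_RENAME is 0x40000000, not the 0x400000 printed in
# the Schema-Updates.md comment quoted in the thread.
SYSTEM_FLAGS = {
    "FLAG_DISALLOW_DELETE":             0x80000000,
    "FLAG_CONFIG_ALLOW_RENAME":         0x40000000,
    "FLAG_CONFIG_ALLOW_MOVE":           0x20000000,
    "FLAG_CONFIG_ALLOW_LIMITED_MOVE":   0x10000000,
    "FLAG_DOMAIN_DISALLOW_RENAME":      0x08000000,
    "FLAG_DOMAIN_DISALLOW_MOVE":        0x04000000,
    "FLAG_DISALLOW_MOVE_ON_DELETE":     0x02000000,
    "FLAG_ATTR_IS_RDN":                 0x00000020,
    "FLAG_SCHEMA_BASE_OBJECT":          0x00000010,
    "FLAG_ATTR_IS_OPERATIONAL":         0x00000008,
    "FLAG_ATTR_IS_CONSTRUCTED":         0x00000004,
    "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER": 0x00000002,
    "FLAG_ATTR_NOT_REPLICATED":         0x00000001,
}

KNOWN_MASK = 0
for _bit in SYSTEM_FLAGS.values():
    KNOWN_MASK |= _bit


def to_unsigned32(value):
    """Normalise either representation to the raw 32-bit pattern."""
    return value & 0xFFFFFFFF


def to_signed32(value):
    """The same 32 bits as ldbsearch/ldbedit print them (AD INTEGER syntax)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def encode_system_flags(*names):
    """OR the named flags together (a sum would double-count a repeated name)."""
    value = 0
    for name in names:
        value |= SYSTEM_FLAGS[name]
    return value


def decode_system_flags(value):
    """Return the set flag names; any bit outside the known set is reported as hex."""
    value = to_unsigned32(value)
    names = [n for n, bit in SYSTEM_FLAGS.items() if value & bit]
    leftover = value & ~KNOWN_MASK & 0xFFFFFFFF
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08x})")
    return names


# An LDIF attribute line is "name:" then at most one space then the value.
SYSTEMFLAGS_LINE = re.compile(r"^systemFlags: ?(?P<val>.*)$")


def check_ldif_system_flags(ldif_text):
    """Check every systemFlags line of an LDIF fragment.

    Returns a list of (line_number, verdict, decoded_flags_or_None).
    ldb only accepts an optionally signed decimal that fits in 32 bits;
    trailing whitespace or a hex literal is rejected as invalid syntax.
    """
    results = []
    for lineno, line in enumerate(ldif_text.splitlines(), 1):
        m = SYSTEMFLAGS_LINE.match(line)
        if not m:
            continue
        raw = m.group("val")
        if raw != raw.strip():
            results.append((lineno, "whitespace around value", None))
        elif not re.fullmatch(r"-?\d+", raw):
            results.append((lineno, f"not a decimal integer: {raw!r}", None))
        elif not -0x80000000 <= int(raw) <= 0xFFFFFFFF:
            results.append((lineno, "value does not fit in 32 bits", None))
        else:
            results.append((lineno, "ok", decode_system_flags(int(raw))))
    return results


# Constructed fragment modelled on the second Sch78 step (not the real file).
SAMPLE_LDIF = """\
dn: CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
changetype: modify
replace: systemFlags
systemFlags: 2348810240
-
"""

if __name__ == "__main__":
    target = encode_system_flags("FLAG_DISALLOW_DELETE",
                                 "FLAG_DOMAIN_DISALLOW_RENAME",
                                 "FLAG_DOMAIN_DISALLOW_MOVE")
    print(target, to_signed32(target), decode_system_flags(target))
    print(decode_system_flags(1073741824))
    for item in check_ldif_system_flags(SAMPLE_LDIF):
        print(item)
```

Decoding shows that the unsigned 2348810240 from the LDIF and the signed -1946157056 returned by an ldb search are the same three bits (delete, domain-rename and domain-move disallowed), so comparing the two values without normalising them first is a common source of confusion when checking whether a schema step was applied.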