Pekka L.J. Jalkanen
2013-Apr-22 18:43 UTC
[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?
Hello,

We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5. Forest functional level is Windows 2000 native.

I recently demoted (worked flawlessly now, which was a great relief), rebuilt and re-promoted my Samba 4 DC, as my problems that I posted to this list about two months ago were still unresolved (see https://lists.samba.org/archive/samba/2013-February/171898.html), and I thought that I might as well give it a shot.

And yes, it all seems to work now. (I even got the rfc2307 uid/gid support working, finally! Doesn't matter a lot on a DC-only box, but still.)

Everything, this far, except one thing: if

1. RSAT, specifically one shipped with Windows Vista or newer (older tools do not seem to be affected), is used to manage the domain,
2. the Samba 4 DC is the domain controller that RSAT's AD Users and Computers console connects to, and
3. one clicks the "Domain Controllers" OU in the tree,

then the following error message will result:

"Data from Domain Controllers is not available from Domain Controller SAMBA4DC.mydomain.site because: An operations error occurred. Try again later, or choose another DC by selecting Connect to Domain Controller on the Domain context menu."

At the same time the following is written to log.samba:

"[2013/04/17 18:03:24, 0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-isRODC] in of schema"

If the RSAT's AD Users & Computers console is deliberately changed to use our Windows DC, the problem disappears. The console reports DC version for the domain controllers as W2K3 for the Windows DC and as W2K for the Samba DC.

Is this error expected? I find the error message in log.samba a bit peculiar, because it talks about the msDS-isRODC attribute. But the way I see it there shouldn't even be anything RODC-related in the schema, as a prerequisite for any RODCs is Windows 2003 forest functional level, and even then the schema should be extended first (see http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx for Microsoft's documentation).

Because Samba doesn't really seem to support Windows 2000 functional level properly anymore (samba-tool domain level just showed the following error: "ERROR: Could not retrieve the actual domain, forest level and/or lowest DC function level!"), and we no longer had real reasons to stick to that, I tried to promote the forest.

Now that failed too, and I had to demote Samba (so that Windows doesn't think it is just a W2k box), raise forest level on Windows, and then purge Samba's config and re-join it. (Simply running "samba-tool domain dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$ appears to be an active DC, use 'samba-tool domain join' if you must re-create this account".)

But: now the forest functional level *is* Windows 2003, RSAT AD Users & Computers reports the Samba DC as W2k8 R2, and all this still didn't affect the actual RSAT / ldb: acl_read error at all. The issue is still reproducible!

I don't know if running the MS adprep tool on the Windows DC would help (see the Technet article linked above), but that tool is anyway only shipped with Windows 2008, and I don't have that.

Should I file a bug? Or is this error expected? Any experiences by people who regularly run newer RSATs? What about those that also have Windows DCs, like me?

Thanks,

Pekka L.J. Jalkanen

PS. The Win 8 RSAT that I've been trying to use is actually hugely problematic, because there is no way to install the Server for NIS tools that are required for RFC2307 management, even though MS does claim (http://support.microsoft.com/kb/2693643) that those tools are still supported. I can't recommend it to anyone.
Hisham Attar
2013-Apr-22 21:29 UTC
[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?
That attribute is a 2008+ schema attribute. As far as I was aware, when you provision with Samba your DC functionality is at 2008 R2 but forest/domain is at 2003, and can be raised to 2008 R2. Try

samba-tool domain level raise --domain 2008_R2 --forest 2008_R2

Maybe that will add the attribute to the schema.

On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen <pekka.jalkanen at vihreat.fi> wrote:
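An added diagnostic for the situation discussed in this thread (example code, not from the thread, from Samba or from Microsoft): it pulls every "acl_read: ... cannot find attr[...]" record out of log.samba, then checks each named attribute against an LDIF dump of the schema partition, so an admin can tell "attribute is genuinely absent from the schema" apart from "attribute is defined but the read still fails". It assumes the dump lists attributes as lDAPDisplayName lines (as ldbsearch output does); the log records and schema entries below are constructed samples.

```python
import re
from collections import defaultdict

# Matches the acl_read failure quoted in the thread. "in of schema" is the
# wording Samba itself logs, so the pattern keeps it verbatim.
ACL_READ_RE = re.compile(r"ldb: acl_read: (?P<dn>.+?) cannot find attr\[(?P<attr>[^\]]+)\] in of schema")

def missing_attrs_from_log(log_text):
    """Return {attribute: sorted DNs} for every acl_read schema error in the log."""
    hits = defaultdict(set)
    for m in ACL_READ_RE.finditer(log_text):
        hits[m.group("attr")].add(m.group("dn"))
    return {attr: sorted(dns) for attr, dns in hits.items()}

def ldap_display_names(ldif_text):
    """Collect lDAPDisplayName values (lower-cased) from an LDIF dump of the schema partition."""
    names = set()
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "ldapdisplayname":
            names.add(value.strip().lower())
    return names

def triage(log_text, ldif_text):
    """For each attribute the log complains about, True if the schema dump defines it
    (the error is then not a missing definition) and False if it is absent."""
    present = ldap_display_names(ldif_text)
    return {attr: attr.lower() in present for attr in missing_attrs_from_log(log_text)}

# Constructed sample input: log records in the format quoted above, and a minimal
# schema dump from which msDS-isRODC is deliberately absent.
SAMPLE_LOG = """\
[2013/04/17 18:03:24, 0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-isRODC] in of schema
[2013/04/17 18:03:25, 0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-isRODC] in of schema
[2013/04/17 18:03:26, 0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-SupportedEncryptionTypes] in of schema
"""
SAMPLE_SCHEMA = """\
dn: CN=ms-DS-Supported-Encryption-Types,CN=Schema,CN=Configuration,DC=mydomain,DC=site
lDAPDisplayName: msDS-SupportedEncryptionTypes
dn: CN=Operating-System,CN=Schema,CN=Configuration,DC=mydomain,DC=site
lDAPDisplayName: operatingSystem
"""

if __name__ == "__main__":
    for attr, defined in triage(SAMPLE_LOG, SAMPLE_SCHEMA).items():
        print(attr, "defined in schema" if defined else "MISSING from schema")
```

Against a real DC, feed it the actual log.samba and an ldbsearch dump of the schema naming context instead of the constructed samples; an attribute reported False is a schema-level gap that raising the functional level or extending the schema would have to close, while True points at something other than a missing definition.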