Stuart Naylor
2014-Jul-18 00:38 UTC
[Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
Oh I think I must have misread what you and steve were discussing.

What is confusing me is the output of samba-tool domain level show

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

I thought it might have been because rfc2307 schema included was of 2008r2 ilk.

Why does it always say the lowest function level is (Windows) 2008 R2

I just tried samba-tool domain provision --domain=SAMBA4 --adminpass=Mysamba4 --dns-backend=SAMBA_INTERNAL --server-role=dc --function-level=2003 --use-xattr=yes --realm=SAMBA4.LAN

The output is the same as above.

Always Lowest function level of a DC: (Windows) 2008 R2

Stuart

-----Original message-----
> From:Rowland Penny <rowlandpenny at googlemail.com>
> Sent: Thursday 17th July 2014 11:14
> To: samba at lists.samba.org
> Subject: Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
>
> On 17/07/14 00:26, Stuart Naylor wrote:
> > I have been reading through an old thread and to be honest confused.com
> >
> >
> > root at zent1:~# samba-tool domain level show
> > params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
> > ldb_wrap open of secrets.ldb
> > Domain and forest function level for domain 'DC=office,DC=zentyal,DC=lan'
> >
> > Forest function level: (Windows) 2003
> > Domain function level: (Windows) 2003
> > Lowest function level of a DC: (Windows) 2008 R2
> >
> > That for a start has me totally stumped as where is the 2008 R2 coming from?
> >
> > Does this mean that I can only use this DC with a minimum of 2008 R2 servers?
> >
> > If you include rfc2307 in Samba4 then the schema provided is from 2008 R2.
> >
> > That is definitely twisting my melon.
> >
> > Just to demonstrate my confusion
> >
> > root at zent1:~# samba-tool domain level raise --domain-level=2003_R2
> > Usage: samba-tool domain level (show|raise <options>) [options]
> >
> > samba-tool domain level: error: option --domain-level: invalid choice: '2003_R2' (choose from '2003', '2008', '2008_R2')
> >
> > Maybe I am being dumb:-
> >
> > A 2003 server is a 2003 server; rfc2307 is the schema in SFU (Services for Linux) http://www.microsoft.com/en-gb/download/details.aspx?id=274
> > A 2003R2 server is not a 2003 server as it has a modified SFU already installed.
> > Same goes for a 2008 and 2008R2.
> >
> > When you include the directive --use-rfc2307 on provision the schema used should match the one of the lowest function level.
> > Just banging on the 2008R2 schema means that the documentation should say if you want to use --use-rfc2307 then the server will be 2008R2.
> >
> > Also with the domain provision and domain level raise tools what does 2003 mean?
> > Is that 2003 or 2003R2 and why is one missing?
> >
> > It's probably me being cataclysmically dumb as it does happen often but could someone explain this slowly to me?
> >
> > Please as I am struggling a bit to get my head round this as Samba4 might as well be 2008R2 only in the documentation?
>
> Hi, adding '--use-rfc2307' on provision does not alter the schema used,
> what it does do, is add the ypServ30.ldif, you can actually add
> uidNumber's, gidNumber's etc without provisioning with '--use-rfc2307'.
>
> If you raise the domain level on samba4 you alter the
> 'msDS-Behavior-Version<http://msdn.microsoft.com/en-us/library/cc220262.aspx>'
> attribute, you do not alter the schema.
>
> Rowland
steve
2014-Jul-18 10:13 UTC
[Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Fri, 2014-07-18 at 01:38 +0100, Stuart Naylor wrote:
> Oh I think I must have misread what you and steve were discussing.
>
> What is confusing me is the output of samba-tool domain level show
>
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
> I thought it might have been because rfc2307 schema included was of 2008r2 ilk.
>
> Why does it always say the lowest function level is (Windows) 2008 R2
>
> I just tried samba-tool domain provision --domain=SAMBA4 --adminpass=Mysamba4 --dns-backend=SAMBA_INTERNAL --server-role=dc --function-level=2003 --use-xattr=yes --realm=SAMBA4.LAN
>
> The output is the same as above.
>
> Always Lowest function level of a DC: (Windows) 2008 R2
>
> Stuart

Hi Stuart

The answer to your thread question is, 'no'. This is because the schema which is supplied for use with samba4 is the same schema that the samba team battled with microsoft to release a few years back. It was the 2008R2 schema which has full support for rfc2307. The domain levels have always puzzled me too, but we've always been satisfied with.

The rfc2307 provision simply adds the schema extension for sfu which was mysteriously missing. All this does is to activate the unix tab on ADUC. On Linux with samba-tool and ldbmodify, you don't need it. But as it seems to do no harm, you may as well have it anyway. I don't know how it slipped through in the first place although I guess that m$ may have had something to do with it.

Cheers,
Steve