On Thu, 2016-07-07 at 16:13 -0400, Jason Waters wrote:
> So I joined with samba's internal DNS, then converted to BIND, then
> tested. Seems like it was working. I forced the 2003 machine out,
> cleaned up the metadata and everything seemed to be working ok. So I
> raised the domain level like this
>
> samba-tool domain level raise
> samba-tool domain level raise --domain-level=2008_R2
> samba-tool domain level raise --forest-level=2008_R2
>
> everything shows as 2008_R2
>
> so now I think I'm making progress. I spin up another linux box, get
> it ready to join, it starts to join, then fails
>
> says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
> objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
> 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in
> the schema
>
> so I thought well I'm going to try having a windows 2008 r2 server
> join as a DC, run dcpromo and it says I need to run /forestprep on the
> AD. Well I can't do that now that it is on linux right?

Correct. Currently nobody has coded the magic to allow us to upgrade a
schema in Samba, and dbcheck can't help with that at the moment either.

The cleanest option would be to do it before joining Samba to the 2003
domain with the MS tools.

We really should have a minimum schema level check on the FL raise code
(bugs welcome).

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
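The check Andrew describes as missing from the FL raise code can be done by hand before running `samba-tool domain level raise`. The script below is an added example written for this thread; it is not code from the Samba project or from either poster. It assumes Samba's `ldbsearch` is on the PATH, that `sam.ldb` lives at the default `/usr/local/samba/private/sam.ldb` (override with `SAM_LDB`), and that the domain DN is passed in `DOMAIN_DN`. The schema `objectVersion` values it maps (30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2, 56 = 2012, 69 = 2012 R2) are the ones adprep/forestprep writes to `CN=Schema,CN=Configuration`; `msDS-SupportedEncryptionTypes`, the attribute from the failed join in this thread, arrived with the 2008 (44) schema, so the decision function also checks for it explicitly in case the schema partition is only partly populated.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: pre-flight check
# to run on a Samba DC before "samba-tool domain level raise".
# Assumptions: Samba's ldbsearch is on PATH; SAM_LDB points at sam.ldb;
# DOMAIN_DN (e.g. "DC=example,DC=local") is set when run live.

SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"

# Windows release whose adprep/forestprep produces a given schema objectVersion.
schema_version_name() {
    case "$1" in
        13) echo "Windows 2000" ;;
        30) echo "Windows Server 2003" ;;
        31) echo "Windows Server 2003 R2" ;;
        44) echo "Windows Server 2008" ;;
        47) echo "Windows Server 2008 R2" ;;
        56) echo "Windows Server 2012" ;;
        69) echo "Windows Server 2012 R2" ;;
        *)  echo "unknown ($1)" ;;
    esac
}

# Minimum schema objectVersion for a functional level, spelled the way
# samba-tool spells it (which levels a given Samba accepts varies by version).
min_schema_for_level() {
    case "$1" in
        2003)    echo 30 ;;
        2008)    echo 44 ;;
        2008_R2) echo 47 ;;
        2012)    echo 56 ;;
        2012_R2) echo 69 ;;
        *)       echo 0 ;;    # unknown level; caller treats as failure
    esac
}

# Pure decision: $1 = schema objectVersion, $2 = target level,
# $3 = "yes"/"no" for msDS-SupportedEncryptionTypes being in the schema.
# Prints "ok" and returns 0, or prints the reason and returns 1.
fl_raise_precheck() {
    version="$1"; level="$2"; has_enc_attr="$3"
    need=$(min_schema_for_level "$level")
    if [ "$need" -eq 0 ]; then
        echo "unknown functional level: $level"; return 1
    fi
    case "$version" in
        ''|*[!0-9]*) echo "could not read schema objectVersion"; return 1 ;;
    esac
    if [ "$version" -lt "$need" ]; then
        echo "schema is $(schema_version_name "$version") (objectVersion $version); $level needs >= $need"
        return 1
    fi
    # The 2008+ schema defines this attribute; a DC joining at 2008+ writes it.
    if [ "$need" -ge 44 ] && [ "$has_enc_attr" != yes ]; then
        echo "msDS-SupportedEncryptionTypes missing from schema; a 2008+ DC join will fail"
        return 1
    fi
    echo ok
}

# Live queries against the local sam.ldb (not exercised without a DC).
query_schema_version() {
    ldbsearch -H "$SAM_LDB" -b "CN=Schema,CN=Configuration,$1" -s base objectVersion \
        | awk '/^objectVersion:/ { print $2 }'
}

query_has_attr() {
    n=$(ldbsearch -H "$SAM_LDB" -b "CN=Schema,CN=Configuration,$1" \
            "(lDAPDisplayName=$2)" dn | grep -c '^dn:' || true)
    if [ "${n:-0}" -gt 0 ]; then echo yes; else echo no; fi
}

# Usage: DOMAIN_DN="DC=example,DC=local" sh fl-precheck.sh 2008_R2
if [ -n "$DOMAIN_DN" ] && command -v ldbsearch >/dev/null 2>&1; then
    v=$(query_schema_version "$DOMAIN_DN")
    a=$(query_has_attr "$DOMAIN_DN" msDS-SupportedEncryptionTypes)
    fl_raise_precheck "$v" "${1:-2008_R2}" "$a"
fi
```

Run it on the Samba DC with the domain DN from the join error; a non-zero exit with the "schema is Windows Server 2003" message is exactly the state Jason was in, where the FL raise succeeds but the next DC join fails. In that state the schema still has to be extended with the Microsoft tools while a Windows DC is in the domain, as Andrew says above.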
So you are saying samba-tool domain level raise --forest-level=2008_R2
does nothing with the schema, just changes the value that is returned
when doing samba-tool domain level show?

If that is the case I think it would be nice to put something like that
on the wiki page about raising the functional level! I spent a ton of
time trying to go from Windows 2003 directly to samba. Granted, I learned
a ton about AD along the way, but I think showing the clear paths to
samba from windows would make the transition easier.

So if samba at some point supports AD's 2012 schema, will we need to join
2012 as a DC upgrade, move the fsmo roles to the 2012 machine running the
2008_R2 schema, upgrade the schema and then wait until the changes sync
and then move the fsmo roles back? Either that or actually upgrade the
schema?

Thanks for letting me and the community know.

Jason

On Tue, Jul 12, 2016 at 6:31 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2016-07-07 at 16:13 -0400, Jason Waters wrote:
> > So I joined with samba's internal DNS, then converted to BIND, then
> > tested. Seems like it was working. I forced the 2003 machine out,
> > cleaned up the metadata and everything seemed to be working ok. So I
> > raised the domain level like this
> >
> > samba-tool domain level raise
> > samba-tool domain level raise --domain-level=2008_R2
> > samba-tool domain level raise --forest-level=2008_R2
> >
> > everything shows as 2008_R2
> >
> > so now I think I'm making progress. I spin up another linux box, get
> > it ready to join, it starts to join, then fails
> >
> > says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
> > objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
> > 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in
> > the schema
> >
> > so I thought well I'm going to try having a windows 2008 r2 server
> > join as a DC, run dcpromo and it says I need to run /forestprep on the
> > AD. Well I can't do that now that it is on linux right?
>
> Correct. Currently nobody has coded the magic to allow us to upgrade a
> schema in Samba, and dbcheck can't help with that at the moment either.
>
> The cleanest option would be to do it before joining Samba to the 2003
> domain with the MS tools.
>
> We really should have a minimum schema level check on the FL raise code
> (bugs welcome).
>
> Sorry,
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On Tue, 2016-07-12 at 08:07 -0400, Jason Waters wrote:
> So you are saying samba-tool domain level raise --forest-level=2008_R2
> does nothing with the schema, just changes the value that is returned
> when doing samba-tool domain level show?

Yes.

> If that is the case I think it would be nice to put something like
> that on the wiki page about raising the functional level! I spent a
> ton of time trying to go from Windows 2003 directly to samba.
> Granted, I learned a ton about AD along the way, but I think showing
> the clear paths to samba from windows would make the transition easier.
>
> So if samba at some point supports AD's 2012 schema, will we need to
> join 2012 as a DC upgrade, move the fsmo roles to the 2012 machine
> running the 2008_R2 schema, upgrade the schema and then wait until
> the changes sync and then move the fsmo roles back? Either that or
> actually upgrade the schema?

Currently Win2012R2 fails to join Samba as a DC.

I realise this puts you between a rock and a hard place, but the focus
in recent times has not been on working with Windows as a DC, and the
changes with 2012 have caught us out.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba