samba - Feb 2018 - Is it possible to lower the domain and forest functional level

Hi Andrew,

Thanks for your answer. I gave a try with 
source4/scripting/bin/samba_upgradeprovision  --full.
Of course I did it on a virtual machine clone of our dc without network
interface.

The script fails with :
../lib/ldb/ldb_tdb/ldb_index.c:1252: unique index violation on objectSid in
CN=Account Operators,CN=Builtin,DC=removed,DC=com, conficts with CN=Op?rateurs
de compte,CN=Builtin,DC=removed,DC=com in
@INDEX:OBJECTSID::AQIAAAAAAAUgAAAAJAIAAA=
So it seems to be because the account name is french and not English.
Do you know were I could find those strings to translate ?

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Andrew Bartlett" <abartlet at samba.org>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Jeudi 15 Février 2018 20:50:48
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

On Wed, 2018-02-14 at 11:14 +0100, Christophe Borivant
wrote:
> I don't know exactly, but there were problems with indexes ( as the
user said ).
> We did not try with the current release and our manager wants to go back to
Microsoft :-(
> Our samba version is 4.7.5.
OK, that is the current release.  The last changes targeted at
sharepoint where a couple of years ago. 
> I've been able to go one step further. We first were not able to join a
Windows 2008 R2 as a domain controller because it was asking for adprep.
> I found the missing datas in the ldap and added them. But know dcpromo
fails replicating the configuration partition.
> The most relevant error I can find in the dcpromo.log is :
While it won't currently help you upgrade to forest level 2008R2 I will
note for others that Samba 4.8 will ship with a tool to upgrade us to
2012R2 in the same way that adprep does. 

For earlier versions, this is what our upgradeprovision script was
designed for.  We don't really recommend it any more as it is quite
drastic in its operation and while tested it doesn't have the level of
tests i would like given the almost AI-like operation, but you may find
some success compared with rebuilding the domain (which ends up beingalmost the
same thing).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Fri, 2018-02-16 at 12:43 +0100, Christophe Borivant
wrote:
> Hi Andrew,
> 
> Thanks for your answer. I gave a try with 
source4/scripting/bin/samba_upgradeprovision  --full.
> Of course I did it on a virtual machine clone of our dc without network
interface.
> 
> The script fails with :
> ../lib/ldb/ldb_tdb/ldb_index.c:1252: unique index violation on objectSid in
CN=Account Operators,CN=Builtin,DC=removed,DC=com, conficts with CN=Op?rateurs
de compte,CN=Builtin,DC=removed,DC=com in
@INDEX:OBJECTSID::AQIAAAAAAAUgAAAAJAIAAA=
Very interesting.  You can see why I don't normally suggest this tool.
> So it seems to be because the account name is french and not English.
> Do you know were I could find those strings to translate ?
You could either rename those system users back to English (for now) in
 the database, or to change the template see the files in setup/ in
your install tree. 

You would notice that skipping --full makes it less aggressive, but
perhaps not enough. 

Finally, you could use the new samba-tool domain schmeaupgrade in Samba
4.8 to try and upgrade the schema using the adprep ldif files (these
are on the web).

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

I made a try translating the group names one by one in the
setup/provision_users.ldif file.
The first groups went OK but when I translate "Incoming Forest Trust
Builders" by "Générateurs d'approbations de forêt entrante",
I get this error from the script :
Traceback (most recent call last):
  File "source4/scripting/bin/samba_upgradeprovision", line 1714, in
<module>
    schema, schemareloadclosure):
  File "source4/scripting/bin/samba_upgradeprovision", line 1360, in
update_samdb
    schema, provisionUSNs, prereloadfunc)
  File "source4/scripting/bin/samba_upgradeprovision", line 1145, in
update_partition
    add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
  File "source4/scripting/bin/samba_upgradeprovision", line 757, in
add_missing_entries
    hashMissing, index)
  File "source4/scripting/bin/samba_upgradeprovision", line 616, in
add_missing_object
    controls=["search_options:1:2"])
_ldb.LdbError: (1, 'Unable to parse search expression')

Could the "ê" be a problem or the length of the string ?

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Andrew Bartlett" <abartlet at samba.org>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Vendredi 16 Février 2018 18:49:08
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

On Fri, 2018-02-16 at 12:43 +0100, Christophe Borivant
wrote:
> Hi Andrew,
> 
> Thanks for your answer. I gave a try with 
source4/scripting/bin/samba_upgradeprovision  --full.
> Of course I did it on a virtual machine clone of our dc without network
interface.
> 
> The script fails with :
> ../lib/ldb/ldb_tdb/ldb_index.c:1252: unique index violation on objectSid in
CN=Account Operators,CN=Builtin,DC=removed,DC=com, conficts with CN=Op?rateurs
de compte,CN=Builtin,DC=removed,DC=com in
@INDEX:OBJECTSID::AQIAAAAAAAUgAAAAJAIAAA=
Very interesting.  You can see why I don't normally suggest this tool.
> So it seems to be because the account name is french and not English.
> Do you know were I could find those strings to translate ?
You could either rename those system users back to English (for now) in
 the database, or to change the template see the files in setup/ in
your install tree. 

You would notice that skipping --full makes it less aggressive, but
perhaps not enough. 

Finally, you could use the new samba-tool domain schmeaupgrade in Samba
4.8 to try and upgrade the schema using the adprep ldif files (these
are on the web).

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba