samba - Feb 2018 - Is it possible to lower the domain and forest functional level

I made a try translating the group names one by one in the
setup/provision_users.ldif file.
The first groups went OK but when I translate "Incoming Forest Trust
Builders" by "Générateurs d'approbations de forêt entrante",
I get this error from the script :
Traceback (most recent call last):
  File "source4/scripting/bin/samba_upgradeprovision", line 1714, in
<module>
    schema, schemareloadclosure):
  File "source4/scripting/bin/samba_upgradeprovision", line 1360, in
update_samdb
    schema, provisionUSNs, prereloadfunc)
  File "source4/scripting/bin/samba_upgradeprovision", line 1145, in
update_partition
    add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
  File "source4/scripting/bin/samba_upgradeprovision", line 757, in
add_missing_entries
    hashMissing, index)
  File "source4/scripting/bin/samba_upgradeprovision", line 616, in
add_missing_object
    controls=["search_options:1:2"])
_ldb.LdbError: (1, 'Unable to parse search expression')

Could the "ê" be a problem or the length of the string ?

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Andrew Bartlett" <abartlet at samba.org>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Vendredi 16 Février 2018 18:49:08
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

On Fri, 2018-02-16 at 12:43 +0100, Christophe Borivant
wrote:
> Hi Andrew,
> 
> Thanks for your answer. I gave a try with 
source4/scripting/bin/samba_upgradeprovision  --full.
> Of course I did it on a virtual machine clone of our dc without network
interface.
> 
> The script fails with :
> ../lib/ldb/ldb_tdb/ldb_index.c:1252: unique index violation on objectSid in
CN=Account Operators,CN=Builtin,DC=removed,DC=com, conficts with CN=Op?rateurs
de compte,CN=Builtin,DC=removed,DC=com in
@INDEX:OBJECTSID::AQIAAAAAAAUgAAAAJAIAAA=
Very interesting.  You can see why I don't normally suggest this tool.
> So it seems to be because the account name is french and not English.
> Do you know were I could find those strings to translate ?
You could either rename those system users back to English (for now) in
 the database, or to change the template see the files in setup/ in
your install tree. 

You would notice that skipping --full makes it less aggressive, but
perhaps not enough. 

Finally, you could use the new samba-tool domain schmeaupgrade in Samba
4.8 to try and upgrade the schema using the adprep ldif files (these
are on the web).

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Mon, 2018-02-19 at 19:07 +0100, Christophe Borivant
wrote:
> I made a try translating the group names one by one in the
setup/provision_users.ldif file.
> The first groups went OK but when I translate "Incoming Forest Trust
Builders" by "Générateurs d'approbations de forêt entrante",
> I get this error from the script :
> Traceback (most recent call last):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1714,
in <module>
>     schema, schemareloadclosure):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1360,
in update_samdb
>     schema, provisionUSNs, prereloadfunc)
>   File "source4/scripting/bin/samba_upgradeprovision", line 1145,
in update_partition
>     add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
>   File "source4/scripting/bin/samba_upgradeprovision", line 757,
in add_missing_entries
>     hashMissing, index)
>   File "source4/scripting/bin/samba_upgradeprovision", line 616,
in add_missing_object
>     controls=["search_options:1:2"])
> _ldb.LdbError: (1, 'Unable to parse search expression')
> 
> Could the "ê" be a problem or the length of the string ?
The issue is that this script was never tested with non-ascii names. 
Each instance of 

"(distinguishedName=%s) % user_dn

 in the script needs to be updated to be:

"(distinguishedName=%s)" % ldb.binary_encode(user_dn)

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Am Montag, 19. Februar 2018, 19:07:12 CET schrieb Christophe Borivant 
via samba:
> I made a try translating the group names one by one in the
> setup/provision_users.ldif file. The first groups went OK but when I
> translate "Incoming Forest Trust Builders" by "Générateurs
> d'approbations de forêt entrante", I get this error from the
script :
> Traceback (most recent call last):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1714,
in
> <module> schema, schemareloadclosure):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1360,
in
> update_samdb schema, provisionUSNs, prereloadfunc)
>   File "source4/scripting/bin/samba_upgradeprovision", line 1145,
in
> update_partition add_missing_entries(ref_samdb, samdb, names, 
basedn,
> listMissing) File "source4/scripting/bin/samba_upgradeprovision",
> line 757, in add_missing_entries hashMissing, index)
>   File "source4/scripting/bin/samba_upgradeprovision", line 616,
in
> add_missing_object controls=["search_options:1:2"])
> _ldb.LdbError: (1, 'Unable to parse search expression')
> 
> Could the "ê" be a problem or the length of the string ?
Yes and no.
Ldap in general can not store extented characters. One may use base64 
encoding, i.e.

$ echo "Générateurs d'approbations de forêt entrante" |base64 
R8OpbsOpcmF0ZXVycyBkJ2FwcHJvYmF0aW9ucyBkZSBmb3LDqnQgZW50cmF
udGUK

Your delimeter in ldif files is then a double colon.

Name: Incoming Forest Trust Builders
become
Name:: 
R8OpbsOpcmF0ZXVycyBkJ2FwcHJvYmF0aW9ucyBkZSBmb3LDqnQgZW50cmF
udGUK

$ echo 
R8OpbsOpcmF0ZXVycyBkJ2FwcHJvYmF0aW9ucyBkZSBmb3LDqnQgZW50cmF
udGUK |base64 -d
Générateurs d'approbations de forêt entrante

I do not know if this works with AD and/or Samba and the used tools and 
libs. Their are some other ways to deal with non-ascii characters.

-- 

Harry Jede

Hi Andrew,

Thanks to your input, I've been able to run the samba_upgradeprovision
script.
But the full oprion fails with :

Creating a reference provision
WARNING: no network interfaces found
No IPv4 address will be assigned
WARNING: no network interfaces found
No IPv6 address will be assigned
Update base samdb by searching difference with reference one
Starting update of samdb
There are 125 missing objects
Reloading a merged schema, which might trigger reindexing so please be patient
Unable to convert 1.3.6.1.4.1.11.1.3.1.1.5 to an attid, and
can_change_pfm=false!
../source4/dsdb/schema/schema_init.c:669: 'followReferrals': unable to
map attributeID 1.3.6.1.4.1.11.1.3.1.1.5: WERR_NOT_FOUND
Exception during upgrade of samdb:
Traceback (most recent call last):
  File "./source4/scripting/bin/samba_upgradeprovision", line 1150, in
update_partition
    reload_full_schema(samdb, names)
  File "./source4/scripting/bin/samba_upgradeprovision", line 1073, in
reload_full_schema
    dsdb._dsdb_set_schema_from_ldif(samdb, prefixmap_ldif, schema_ldif,
schemadn)
WERRORError: (1168, 'WERR_NOT_FOUND')
Update failed
Rolling back all changes. Check the cause of the problem
Your system is as it was before the upgrade

This attribute comes from an extension for HP-UX (ldapux) which allows me to
identify my HPUX users.
I also have other attributes coming from the deprecated MSFU3.5 but We don't
use those attributes anymore.

Do you think the samba_upgradeprovision without --full option would be enough ?
I don't really uderstand the difference between with and without this
option.

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Andrew Bartlett" <abartlet at samba.org>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Lundi 19 Février 2018 19:52:09
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

On Mon, 2018-02-19 at 19:07 +0100, Christophe Borivant
wrote:
> I made a try translating the group names one by one in the
setup/provision_users.ldif file.
> The first groups went OK but when I translate "Incoming Forest Trust
Builders" by "Générateurs d'approbations de forêt entrante",
> I get this error from the script :
> Traceback (most recent call last):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1714,
in <module>
>     schema, schemareloadclosure):
>   File "source4/scripting/bin/samba_upgradeprovision", line 1360,
in update_samdb
>     schema, provisionUSNs, prereloadfunc)
>   File "source4/scripting/bin/samba_upgradeprovision", line 1145,
in update_partition
>     add_missing_entries(ref_samdb, samdb, names, basedn, listMissing)
>   File "source4/scripting/bin/samba_upgradeprovision", line 757,
in add_missing_entries
>     hashMissing, index)
>   File "source4/scripting/bin/samba_upgradeprovision", line 616,
in add_missing_object
>     controls=["search_options:1:2"])
> _ldb.LdbError: (1, 'Unable to parse search expression')
> 
> Could the "ê" be a problem or the length of the string ?
The issue is that this script was never tested with non-ascii names. 
Each instance of 

"(distinguishedName=%s) % user_dn

 in the script needs to be updated to be:

"(distinguishedName=%s)" % ldb.binary_encode(user_dn)

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba