Thamm, Russell
2019-Jun-24 07:12 UTC
[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]
UNOFFICIAL

Hi

Today I demoted the temporary DC (Julius) on my network.

The demotion failed.

Failed to confirm we are not an RODC ... cannot find attribute msDS-isRODC

So I shut down Julius and forced the demotion.

The domain seems stable until I tried LDAP authentication, which fails.

The samba log says:

Error 32 determining PSOs in system.

I can't seem to find anything on this error.

Any idea how I fix this?

I cloned the disks on both DCs before demotion, so I can just go back. Should I?

Cheers
Russell
Andrew Bartlett
2019-Jun-24 09:00 UTC
[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]
On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
> UNOFFICIAL
> Hi
>
> Today I demoted the temporary DC (Julius) on my network.
>
> The demotion failed.
>
> Failed to confirm we are not an RODC ... cannot find attribute msDS-isRODC
>
> So I shutdown Julius and forced the demotion.
>
> The domain seems stable until I tried LDAP authentication which fails.
>
> The samba log says:
>
> Error 32 determining PSOs in system.
>
> I can't seem to find anything on this error.
>
> Any idea how I fix this?
>
> I cloned the disks on both DCs before demotion, so I can just go back. Should I?

Sorry about that. The issue is that Samba expects a container for PSOs, but that is a newer AD feature and your 2003 server never created it.

The container is:
CN=Password Settings Container,CN=System,$DOMAIN_DN

The code should cope with 32 (no such object) as very good proof there are no PSOs.

This isn't an issue upgrading pure Samba domains (everything since before 4.0.0 has this), but Windows of course is older.

Options include fixing the code (please file a bug and hopefully Tim can look at it) and creating the missing container. The template Samba uses is pretty simple:

+dn: CN=Password Settings Container,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: msDS-PasswordSettingsContainer
+systemFlags: -1946157056
+

The final option is to use a Samba version from before PSOs were implemented, which would be 4.8 I think, but that isn't a long-term option.

I hope this helps!

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Tim Beale
2019-Jun-24 23:43 UTC
[Samba] Error determining PSOs in system [SEC=UNOFFICIAL]
On 24/06/19 9:00 PM, Andrew Bartlett wrote:
> On Mon, 2019-06-24 at 07:12 +0000, Thamm, Russell via samba wrote:
>> The domain seems stable until I tried LDAP authentication which fails.
>>
>> The samba log says:
>>
>> Error 32 determining PSOs in system.
>>
>> I can't seem to find anything on this error.
>>
>> Any idea how I fix this?
>
> sorry about that. The issue is that Samba expects a container for PSOs, but that is a newer AD feature and your 2003 server never created it.
>
> the container is:
> CN=Password Settings Container,CN=System,$DOMAIN_DN
>
> The code should cope with 32 (no such object) as very good proof there are no PSOs.
>
> This isn't an issue upgrading pure Samba domains (everything since before 4.0.0 has this) but windows of course is older.
>
> Options include fixing the code (please file a bug and hopefully Tim can look at it) and creating the missing container. The template Samba uses is pretty simple:
>
> +dn: CN=Password Settings Container,CN=System,${DOMAINDN}
> +objectClass: top
> +objectClass: msDS-PasswordSettingsContainer
> +systemFlags: -1946157056
> +
>
> The final option is to use a Samba version from before PSOs were implemented, which would be 4.8 I think, but that isn't a long-term option.

I've raised a bug for this: https://bugzilla.samba.org/show_bug.cgi?id=14008 and I'm just working on a fix.

Creating the Password Settings Container manually is probably the simplest workaround in the meantime.

Just a note to others: I think this problem only occurs if the domain DB was created based on a pre-2008 schema, and then you later manually raise the functional level to 2008 or greater.
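The two remedies discussed in the thread, as an added example that is not code from the thread or from the Samba project: it builds the container LDIF Andrew quoted for an arbitrary domain DN, decodes the systemFlags value in that template, and shows the defensive PSO lookup he describes, where LDAP result 32 (noSuchObject) on the container means "no PSOs" while any other error still fails. The search callable and the LdapError class are constructed stand-ins for a real LDB/LDAP client; nothing here contacts a directory.

```python
LDAP_NO_SUCH_OBJECT = 32  # the result code in "Error 32 determining PSOs"

# systemFlags bits (MS-ADTS) that make up the template's -1946157056
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
}


def realm_to_domain_dn(realm):
    """'ad.example.com' -> 'DC=ad,DC=example,DC=com'."""
    return ",".join("DC=%s" % part for part in realm.strip(".").split("."))


def password_settings_container_ldif(domain_dn):
    """LDIF for the container Samba expects, following the quoted template."""
    return "\n".join([
        "dn: CN=Password Settings Container,CN=System,%s" % domain_dn,
        "objectClass: top",
        "objectClass: msDS-PasswordSettingsContainer",
        "systemFlags: -1946157056",
        "",
    ])


def decode_system_flags(value):
    """Name the bits in a signed 32-bit systemFlags value as stored in AD."""
    bits = value & 0xFFFFFFFF  # -1946157056 -> 0x8C000000
    return sorted(name for bit, name in SYSTEM_FLAGS.items() if bits & bit)


class LdapError(Exception):
    """Constructed stand-in for the client library's error type."""
    def __init__(self, code):
        super().__init__("LDAP error %d" % code)
        self.code = code


def applicable_psos(search, domain_dn):
    """Return PSO entries under the container; a missing container is
    treated as "no PSOs exist" so authentication is not blocked by it.
    Any other LDAP error still propagates, so real faults are not masked."""
    base = "CN=Password Settings Container,CN=System,%s" % domain_dn
    try:
        return list(search(base, "(objectClass=msDS-PasswordSettings)"))
    except LdapError as err:
        if err.code == LDAP_NO_SUCH_OBJECT:
            return []
        raise
```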