samba - Oct 2023 - Linux/Windows Domain Controller

Am 18.10.23 um 23:27 schrieb Matti Kaupenjohann via
samba:
> Yes I've red this section and the docu is saying no FL above 2008.
Might
> be caused by incompleted docu? So far I understand if we don't use
>4.19
> we will not be able to use FL 2016 which is necessary since our DC WIN22 
> is configured as FL2016?
Yes you MUST usee 4.19 ;-)
> 
> On 18.10.23 19:10, Stefan Kania via samba wrote:
>> If you take a look at:
>>
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>>
>> You will find your error message. I think your domain is running with 
>> FL 2012 and you are using a samba version < 4.19. So you can only go
>> up to FL 2008_R2. The new 4.19 is the first version supporting FL 
>> >2008_R2. There you can go up to FL 2016.
>>
>>
>> Am 18.10.23 um 18:05 schrieb matti.kaupenjohann via samba:
>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>
>>
> 
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren und sch?tzt Ihre 
Privatsph?re. Ein kostenfreies Zertifikat erhalten Sie unter 
https://www.dgn.de/dgncert/index.html
Download der root-Zertifikate: https://www.dgn.de/dgncert/downloads.html

Neuer GPG-Key der public key befindet sich im Anhang


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20231019/c3ad08a9/OpenPGP_signature.sig>

So. I've builded 4.19.2 from source. building worked fine and I've 
configured like the following:

./configure \
 ?? ?--sbindir=/usr/local/sbin \
 ?? ?--bindir=/usr/local/bin \
 ?? ?--sysconfdir=/etc/samba \
 ?? ?--mandir=/usr/share/man \
 ?? ?--systemd-install-services \
 ?? ?--with-systemddir=/lib/systemd/system \
 ?? ?--enable-selftest \
 ?? ?--disable-cups

I ran make quicktest with no resulting issues.

I generated a ticket with kinit administrator which worked as expected.

Afterwards I tried to join the domain with:

samba-tool domain join mydomain.special.de DC
-U"mydomain\administrator"

Which resulted in the foloowing already known error:

INFO 2023-10-25 11:56:33,488 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #106: 
Finding a writeable DC for domain 'mydomain.special.de'
INFO 2023-10-25 11:56:33,505 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #108: Found 
DC dc02.mydomain.special.de
Password for [MYDOMAIN\administrator]:
INFO 2023-10-25 11:56:41,616 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #1614: 
workgroup is MYDOMAIN
INFO 2023-10-25 11:56:41,617 pid:403032 
/usr/local/samba/lib/python3.10/site-packages/samba/join.py #1617: realm 
is mydomain.special.de
Adding CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
Adding 
CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
Adding CN=NTDS 
Settings,CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 
'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=DC03,OU=Domain Controllers,DC=mydomain,DC=special,DC=de
Deleted 
CN=DC03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=special,DC=de
ERROR(runtime): uncaught exception - DsAddEntry failed
 ??? File 
"/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/__init__.py",
line 279, in _run
 ??? ??? return self.run(*args, **kwargs)
 ??? File 
"/usr/local/samba/lib/python3.10/site-packages/samba/netcmd/domain/join.py",
line 128, in run
 ??? ??? join_DC(logger=logger, server=server, creds=creds, lp=lp, 
domain=domain,
 ??? File
"/usr/local/samba/lib/python3.10/site-packages/samba/join.py",
line 1630, in join_DC
 ??? ??? ctx.do_join()
 ??? File
"/usr/local/samba/lib/python3.10/site-packages/samba/join.py",
line 1518, in do_join
 ??? ??? ctx.join_add_objects()
 ??? File
"/usr/local/samba/lib/python3.10/site-packages/samba/join.py",
line 673, in join_add_objects
 ??? ??? ctx.join_add_ntdsdsa()
 ??? File
"/usr/local/samba/lib/python3.10/site-packages/samba/join.py",
line 598, in join_add_ntdsdsa
 ??? ??? ctx.DsAddEntry([rec])
 ??? File
"/usr/local/samba/lib/python3.10/site-packages/samba/join.py",
line 534, in DsAddEntry
 ??? ??? raise RuntimeError("DsAddEntry failed")

Seems from my position still be an issue with functional level 2016. Do 
I need to configure differently?
Further I am curious about the systemd service flag. The created and 
installed services doesn't uses as exec samba -D instead it uses samba 
--foreground.

Am 10/19/23 um 10:39 schrieb Stefan Kania via samba:
>
>
> Am 18.10.23 um 23:27 schrieb Matti Kaupenjohann via samba:
>> Yes I've red this section and the docu is saying no FL above 2008. 
>> Might be caused by incompleted docu? So far I understand if we
don't
>> use >4.19 we will not be able to use FL 2016 which is necessary
since
>> our DC WIN22 is configured as FL2016?
>
> Yes you MUST usee 4.19 ;-)
>
>>
>> On 18.10.23 19:10, Stefan Kania via samba wrote:
>>> If you take a look at:
>>>
>>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>>>
>>> You will find your error message. I think your domain is running 
>>> with FL 2012 and you are using a samba version < 4.19. So you
can
>>> only go up to FL 2008_R2. The new 4.19 is the first version 
>>> supporting FL >2008_R2. There you can go up to FL 2016.
>>>
>>>
>>> Am 18.10.23 um 18:05 schrieb matti.kaupenjohann via samba:
>>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>>
>>>
>>
>
>
-- 

Mit freundlichen Gr??en

Matti Kaupenjohann

Fachhochschule Dortmund
University of Applied Sciences and Arts

*Kaupenjohann, Matti*
FB Informationstechnik,

Sonnenstra?e 96 - 44139 Dortmund
Raum SON-A A701.4
Tel???? 0231 9112 9190
matti.kaupenjohann at fh-dortmund.de
www.fh-dortmund.de

Think before you print!