samba - Apr 2024 - SAMBA 4.20 - function level upgrade

Thanks for getting back to me.  Sadly I've not had the time today to
attempt the reproduction. 
Can you, just to save me time, double-check if this happens on a server
with the Samba 4.20 being a just from-our-tarball Samba and show the
logs that gives?
Thanks,
Andrew Bartlett
On Wed, 2024-04-10 at 10:04 +0000, Tom?? Havl?n via samba
wrote:
> HelloI will try give you best answer what I can.
> - alma linux 9, fresh installation, for testing only in virtualbox-
> packages from Sernet, installad via YUM from oficial repo- installed
> version 4.18 (same on original linux)- moved backup from original
> server, /var/lib/samba + /etc/krb, /etc/default/samba, /etc/samba-
> original domain created if I remember on 4.15 or 4.16, then schema
> upgrade to 2012, on 4.18- upgraded to version 4.20
> 
> thank youTHAV
> 
> ------ P?vodn? zpr?va ------Od "Andrew Bartlett via samba" <
> samba at lists.samba.org>Komu "Tom?? Havl?n" <thavlin at
spel.cz>; "Tom??
> Havl?n via samba" <samba at lists.samba.org>Datum 10.04.2024
> 10:54:55P?edm?t Re: [Samba] SAMBA 4.20 - function level upgrade
> > Thanks for the extra details.  I do intend to dig into this for
> > you, itis very strange, but to do that I need some more details:Can
> > I get (again, if I've missed it) a history of this domain
> > (whatversion did you start with, what schema upgrades have happened
> > in thepast) so I can try and reproduce?Also, can you confirm where
> > you got your Samba package, if there areany other bits of any Samba
> > version on your system, and the details forthe sources of that
> > package.The reason I ask is that things in the logs just don't
line
> > up withwhat I see in the git tag.For example, not only do the
> > resolve_oids.c references look odd, I justcan't see how Samba
> > 4.20.0 can print this line:dsdb_schema_set_el_from_ldb_msg_dups()
> > WERR_INVALID_PARAMETERThanks,Andrew BartlettOn Tue, 2024-04-09 at
> > 08:05 +0000, Tom?? Havl?n wrote:
> > >  Hello, samba-tool domain level showForest function level:
> > > (Windows) 2012 R2 Domain function level: (Windows) 2012 R2 Lowest
> > > function level of a DC: (Windows) 2016
> > >  samba 4.20.0-2 smb.confad dc functional level = 2016
> > >
https://wiki.samba.org/index.php/Samba_Features_added/changed#NEW_FEATURES/CHANGESsection
> > > AD DC support for Authentication Silos and Authentication
> > > Policies direcly copied from console[root at vorvan ~]#
samba-tool
> > > domain schemaupgrade --schema=2019 Temporarily overriding
> > > 'dsdb:schema update allowed' setting Applying Sch70.ldf
> > > updates... Unable to find attribute msDS-DeviceMDMStatus in the
> > > schema 5 changes applied Applying Sch71.ldf updates... 7 changes
> > > applied Applying Sch72.ldf updates... 5 changes applied Applying
> > > Sch73.ldf updates... 5 changes applied Applying Sch74.ldf
> > > updates... ../../source4/dsdb/schema/schema_init.c:816: name
=> > > NULL in CN=ms- DS-Key-
> > > Credential,CN=Schema,CN=Configuration,DC=raisa,DC=intra
> > > dsdb_schema_set_el_from_ldb_msg_dups() WERR_INVALID_PARAMETER
> > > Exception: (1, 'operations error at
> > > ../../source4/dsdb/samdb/ldb_modules/resolve_oids.c:674')
> > > Encountered while trying to apply the following LDIF ------------
> > > ---------------------------------------- dn: CN=ms-DS-Key-
> > > Credential,CN=Schema,CN=Configuration,DC=raisa,DC=intra
> > > changetype: add objectClass: classSchema ldapDisplayName: msDS-
> > > KeyCredential adminDisplayName: msDS-KeyCredential
> > > adminDescription: An instance of this class contains key
> > > material. governsId: 1.2.840.113556.1.5.297 objectClassCategory:
> > > 1 rdnAttId: cn schemaIdGuid:: Q1Uf7i58akeLP+EfSvbEmA=> >
> defaultSecurityDescriptor:
> > > D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOW
> > > DSDD TSW;;;SY) defaultHidingValue: FALSE showInAdvancedViewOnly:
> > > TRUE systemOnly: FALSE systemFlags: 16 instanceType: 4
> > > subClassOf: top systemPossSuperiors: container systemMustContain:
> > > 1.2.840.113556.1.4.2315 systemMayContain: msDS-KeyMaterial
> > > systemMayContain: msDS-KeyUsage systemMayContain: msDS-
> > > KeyPrincipal systemMayContain: msDS-DeviceDN systemMayContain:
> > > msDS-ComputerSID systemMayContain: msDS-CustomKeyInformation
> > > systemMayContain: msDS-KeyApproximateLastLogonTimeStamp
> > >  Exception: (1, 'operations error at
> > > ../../source4/dsdb/samdb/ldb_modules/resolve_oids.c:674')
Error
> > > encountered, aborting schema upgrade ERROR: Failed to upgrade
> > > schema
> > >  thank youTHAV
> > > 
> > > 
> > > 
> > > 
> > >  ------ P?vodn? zpr?va ------
> > >  Od "Andrew Bartlett" <abartlet at samba.org>
> > >  Komu "Tom?? Havl?n" <thavlin at spel.cz>;
"Tom?? Havl?n via samba"
> > > <samba at lists.samba.org>
> > >  Datum 09.04.2024 9:45:00
> > >  P?edm?t Re: Re[2]: [Samba] SAMBA 4.20 - function level upgrade
> > >  > On Mon, 2024-04-08 at 08:03 +0000, Tom?? Havl?n wrote: >
>
> > > Hello, > > I am sorry for my answer. I have already
upgraded
> > > level domain > > and > > forest level 2012_R2 and
function level
> > > to 2016 via ad dc > > functional > > level = 2016.
Then I tried
> > > to follow instructions from wiki to > > upgrade > >
to version of
> > > funtion level to 2016, but schema upgrade ends with > >
error > >
> > > > > > > Exception: (1, 'operations error at >
>
> > > ../../source4/dsdb/samba/ldb_modules/resolve_oids.c:674')
> >
> > > Error encountered, aborting schema upgrade > > ERROR:
Failed to
> > > upgrade schema > > Was this text copied directly from your
> > > failing host?  I ask > cecause someone has 'spell
corrected'
> > > samdb -> samba in that path, > and line 674 is empty in the
Samba
> > > 4.20.0 released sources. > > Can you please confirm the
exact
> > > command given and the version of > Samba you are running where
> > > you see this failure? > > Thanks, > > Andrew Bartlett
> > -- >
> > > Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba
> > >  > Team Member (since 2001) https://samba.orgSamba Team >
Lead >
> > > https://catalyst.net.nz/services/sambaCatalyst.Net Ltd >
Proudly
> > > developing Samba for Catalyst.Net Ltd - a Catalyst IT group >
> > > company > Samba Development and Support: > 
> > > https://catalyst.net.nz/services/samba
> > >  > Catalyst IT - Expert Open Source Solutions
> > --Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba
> > Team Member (since 2001) https://samba.orgSamba Team
> > Lead                
> > https://catalyst.net.nz/services/sambaCatalyst.Net LtdProudly
> > developing Samba for Catalyst.Net Ltd - a Catalyst IT
> > groupcompanySamba Development and Support: 
> > https://catalyst.net.nz/services/samba
> > Catalyst IT - Expert Open Source Solutions--To unsubscribe from
> > this list go to the following URL and read theinstructions:  
> > https://lists.samba.org/mailman/options/samba
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd


Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

Hello,
please check my progress

I did it on the same virtual Centos 9 to avoid posibilities of 
differencies between original and new installed linux
- backup /var/lib/samba storage
- uninstalled sernet-samba
- installed samba 4.20.0 from tar source code
- location default /usr/local/samba
- replaced files from /var/lib/samba to /usr/local/samba (to right 
location)
- started samba - done
- checked situation:
[root at vorvan etc]# samba-tool domain level show
Domain and forest function level for domain 'DC=raisa,DC=intra'
Forest function level: (Windows) 2012 R2
Domain function level: (Windows) 2012 R2
Lowest function level of a DC: (Windows) 2016
- tried to do upgrade - no errors
samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
- checked new state
[root at vorvan etc]# samba-tool domain level show
Domain and forest function level for domain 'DC=raisa,DC=intra'
Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016
- and schema
[root at vorvan etc]# ldbsearch -H /usr/local/samba/private/sam.ldb -b 
'cn=Schema,cn=Configuration,dc=RAISA,dc=INTRA' -s base objectVersion
# record 1
dn: CN=Schema,CN=Configuration,DC=raisa,DC=intra
objectVersion: 88

sooo, ti looks like troubles with sernet packages

regards
THAV





------ P?vodn? zpr?va ------
Od "Andrew Bartlett via samba" <samba at lists.samba.org>
Komu "Tom?? Havl?n" <thavlin at spel.cz>; "Andrew Bartlett
via samba"
<samba at lists.samba.org>
Datum 11.04.2024 7:10:36
P?edm?t Re: [Samba] SAMBA 4.20 - function level upgrade
>Thanks for getting back to me.  Sadly I've not had the time today to
>attempt the reproduction.
>Can you, just to save me time, double-check if this happens on a server
>with the Samba 4.20 being a just from-our-tarball Samba and show the
>logs that gives?
>Thanks,
>Andrew Bartlett
>On Wed, 2024-04-10 at 10:04 +0000, Tom?? Havl?n via samba wrote:
>>  HelloI will try give you best answer what I can.
>>  - alma linux 9, fresh installation, for testing only in virtualbox-
>>  packages from Sernet, installad via YUM from oficial repo- installed
>>  version 4.18 (same on original linux)- moved backup from original
>>  server, /var/lib/samba + /etc/krb, /etc/default/samba, /etc/samba-
>>  original domain created if I remember on 4.15 or 4.16, then schema
>>  upgrade to 2012, on 4.18- upgraded to version 4.20
>>
>>  thank youTHAV
>>
>>  ------ P?vodn? zpr?va ------Od "Andrew Bartlett via samba"
<
>>samba at lists.samba.org>Komu "Tom?? Havl?n" <thavlin at
spel.cz>; "Tom??
>>  Havl?n via samba" <samba at lists.samba.org>Datum
10.04.2024
>>  10:54:55P?edm?t Re: [Samba] SAMBA 4.20 - function level upgrade
>>  > Thanks for the extra details.  I do intend to dig into this for
>>  > you, itis very strange, but to do that I need some more
details:Can
>>  > I get (again, if I've missed it) a history of this domain
>>  > (whatversion did you start with, what schema upgrades have
happened
>>  > in thepast) so I can try and reproduce?Also, can you confirm
where
>>  > you got your Samba package, if there areany other bits of any
Samba
>>  > version on your system, and the details forthe sources of that
>>  > package.The reason I ask is that things in the logs just
don't line
>>  > up withwhat I see in the git tag.For example, not only do the
>>  > resolve_oids.c references look odd, I justcan't see how Samba
>>  > 4.20.0 can print this line:dsdb_schema_set_el_from_ldb_msg_dups()
>>  > WERR_INVALID_PARAMETERThanks,Andrew BartlettOn Tue, 2024-04-09 at
>>  > 08:05 +0000, Tom?? Havl?n wrote:
>>  > >  Hello, samba-tool domain level showForest function level:
>>  > > (Windows) 2012 R2 Domain function level: (Windows) 2012 R2
Lowest
>>  > > function level of a DC: (Windows) 2016
>>  > >  samba 4.20.0-2 smb.confad dc functional level = 2016
>>  > >
https://wiki.samba.org/index.php/Samba_Features_added/changed#NEW_FEATURES/CHANGESsection
>>  > > AD DC support for Authentication Silos and Authentication
>>  > > Policies direcly copied from console[root at vorvan ~]#
samba-tool
>>  > > domain schemaupgrade --schema=2019 Temporarily overriding
>>  > > 'dsdb:schema update allowed' setting Applying
Sch70.ldf
>>  > > updates... Unable to find attribute msDS-DeviceMDMStatus in
the
>>  > > schema 5 changes applied Applying Sch71.ldf updates... 7
changes
>>  > > applied Applying Sch72.ldf updates... 5 changes applied
Applying
>>  > > Sch73.ldf updates... 5 changes applied Applying Sch74.ldf
>>  > > updates... ../../source4/dsdb/schema/schema_init.c:816: name
=>>  > > NULL in CN=ms- DS-Key-
>>  > > Credential,CN=Schema,CN=Configuration,DC=raisa,DC=intra
>>  > > dsdb_schema_set_el_from_ldb_msg_dups()
WERR_INVALID_PARAMETER
>>  > > Exception: (1, 'operations error at
>>  > >
../../source4/dsdb/samdb/ldb_modules/resolve_oids.c:674')
>>  > > Encountered while trying to apply the following LDIF
------------
>>  > > ---------------------------------------- dn: CN=ms-DS-Key-
>>  > > Credential,CN=Schema,CN=Configuration,DC=raisa,DC=intra
>>  > > changetype: add objectClass: classSchema ldapDisplayName:
msDS-
>>  > > KeyCredential adminDisplayName: msDS-KeyCredential
>>  > > adminDescription: An instance of this class contains key
>>  > > material. governsId: 1.2.840.113556.1.5.297
objectClassCategory:
>>  > > 1 rdnAttId: cn schemaIdGuid::
Q1Uf7i58akeLP+EfSvbEmA=>>  > > defaultSecurityDescriptor:
>>  > >
D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;EA)(A;;RPWPCRCCDCLCLORCWOW
>>  > > DSDD TSW;;;SY) defaultHidingValue: FALSE
showInAdvancedViewOnly:
>>  > > TRUE systemOnly: FALSE systemFlags: 16 instanceType: 4
>>  > > subClassOf: top systemPossSuperiors: container
systemMustContain:
>>  > > 1.2.840.113556.1.4.2315 systemMayContain: msDS-KeyMaterial
>>  > > systemMayContain: msDS-KeyUsage systemMayContain: msDS-
>>  > > KeyPrincipal systemMayContain: msDS-DeviceDN
systemMayContain:
>>  > > msDS-ComputerSID systemMayContain: msDS-CustomKeyInformation
>>  > > systemMayContain: msDS-KeyApproximateLastLogonTimeStamp
>>  > >  Exception: (1, 'operations error at
>>  > >
../../source4/dsdb/samdb/ldb_modules/resolve_oids.c:674') Error
>>  > > encountered, aborting schema upgrade ERROR: Failed to
upgrade
>>  > > schema
>>  > >  thank youTHAV
>>  > >
>>  > >
>>  > >
>>  > >
>>  > >  ------ P?vodn? zpr?va ------
>>  > >  Od "Andrew Bartlett" <abartlet at
samba.org>
>>  > >  Komu "Tom?? Havl?n" <thavlin at spel.cz>;
"Tom?? Havl?n via samba"
>>  > > <samba at lists.samba.org>
>>  > >  Datum 09.04.2024 9:45:00
>>  > >  P?edm?t Re: Re[2]: [Samba] SAMBA 4.20 - function level
upgrade
>>  > >  > On Mon, 2024-04-08 at 08:03 +0000, Tom?? Havl?n wrote:
> >
>>  > > Hello, > > I am sorry for my answer. I have already
upgraded
>>  > > level domain > > and > > forest level 2012_R2
and function level
>>  > > to 2016 via ad dc > > functional > > level =
2016. Then I tried
>>  > > to follow instructions from wiki to > > upgrade >
> to version of
>>  > > funtion level to 2016, but schema upgrade ends with >
> error > >
>>  > > > > > > Exception: (1, 'operations error at
> >
>>  > >
../../source4/dsdb/samba/ldb_modules/resolve_oids.c:674') > >
>>  > > Error encountered, aborting schema upgrade > > ERROR:
Failed to
>>  > > upgrade schema > > Was this text copied directly from
your
>>  > > failing host?  I ask > cecause someone has 'spell
corrected'
>>  > > samdb -> samba in that path, > and line 674 is empty
in the Samba
>>  > > 4.20.0 released sources. > > Can you please confirm
the exact
>>  > > command given and the version of > Samba you are running
where
>>  > > you see this failure? > > Thanks, > > Andrew
Bartlett > > -- >
>>  > > Andrew Bartlett (he/him)      
https://samba.org/~abartlet/Samba
>>  > >  > Team Member (since 2001) https://samba.orgSamba Team
> Lead >
>>  > > https://catalyst.net.nz/services/sambaCatalyst.Net Ltd >
Proudly
>>  > > developing Samba for Catalyst.Net Ltd - a Catalyst IT group
>
>>  > > company > Samba Development and Support: >
>>  > > https://catalyst.net.nz/services/samba
>>  > >  > Catalyst IT - Expert Open Source Solutions
>>  > --Andrew Bartlett (he/him)      
https://samba.org/~abartlet/Samba
>>  > Team Member (since 2001) https://samba.orgSamba Team
>>  > Lead
>>  > https://catalyst.net.nz/services/sambaCatalyst.Net LtdProudly
>>  > developing Samba for Catalyst.Net Ltd - a Catalyst IT
>>  > groupcompanySamba Development and Support:
>>  > https://catalyst.net.nz/services/samba
>>  > Catalyst IT - Expert Open Source Solutions--To unsubscribe from
>>  > this list go to the following URL and read theinstructions:
>>  > https://lists.samba.org/mailman/options/samba
>--
>Andrew Bartlett (he/him)       https://samba.org/~abartlet/
>Samba Team Member (since 2001) https://samba.org
>Samba Team Lead                https://catalyst.net.nz/services/samba
>Catalyst.Net Ltd
>
>
>Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
>company
>
>Samba Development and Support: https://catalyst.net.nz/services/samba
>
>Catalyst IT - Expert Open Source Solutions
>
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba