Virgo Pärna
2025-Jan-25 18:44 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
The domain itself is really old (and the DC has been the same install for a long time). Originally it was installed as an NT domain, which was upgraded to AD when Windows dropped NT domain support. I now discovered that there are a lot of schema upgrades not done... I was able to upgrade the schema to the 2012 version. But after that, samba-tool domain schemaupgrade --schema=2016 -v fails with:

Applying Sch78.ldf updates...
Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry 'CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid value!")
Encountered while trying to apply the following LDIF
----------------------------------------------------
dn: CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****
changetype: modify
replace: systemFlags
systemFlags: 2348810240
-
Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry 'CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid value!")
Error encountered, aborting schema upgrade
ERROR: Failed to upgrade schema

--
Virgo Pärna
virgo.parna at mail.ee
Virgo Pärna
2025-Jan-29 10:27 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 25.01.2025 20:44, Virgo Pärna via samba wrote:
> Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry 'CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid value!")
> Error encountered, aborting schema upgrade
> ERROR: Failed to upgrade schema

It is really strange... Looking at Sch78 from Schema-Updates.md, it matches the one in the MicrosoftDocs GitHub. Sch78 seems to rename "Expiring Group Membership Feature" to "Privileged Access Management Feature". If I understand it correctly... first, the old value is made renamable; it has:

# FLAG_ALLOW_RENAME 0x400000
systemFlags: 1073741824

Although 1073741824 is 0x4000 0000, not 0x40 0000. Then the rename is done, and then systemFlags is set again to 2348810240, and that fails with "Invalid attribute syntax". Strangely, in the debug log the ldb:acl_rename line does not have a following DSDB Change line.

--
Virgo Pärna
virgo.parna at mail.ee
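As an added illustration (not part of the thread, and not Samba's own code), the script below decodes the two systemFlags values discussed above against the bit names in MS-ADTS and reports whether each literal fits a signed 32-bit integer; that this range is the syntax check the DC applies to the attribute is an assumption, not something the thread confirms. The LDIF sample is constructed from the failing record with the domain component replaced by a placeholder.

```python
import re

# Added example, not from the thread. Bit names and values follow MS-ADTS 2.62 (systemFlags).
SYSTEM_FLAGS = {
    0x00000001: "FLAG_ATTR_NOT_REPLICATED",
    0x00000002: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    0x00000004: "FLAG_ATTR_IS_CONSTRUCTED",
    0x00000008: "FLAG_ATTR_IS_OPERATIONAL",
    0x00000010: "FLAG_SCHEMA_BASE_OBJECT",
    0x00000020: "FLAG_ATTR_IS_RDN",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x80000000: "FLAG_DISALLOW_DELETE",
}
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1

def decode_system_flags(value):
    """Names of the MS-ADTS bits set in a systemFlags value (low 32 bits, unsigned)."""
    value &= 0xFFFFFFFF
    return [name for bit, name in sorted(SYSTEM_FLAGS.items()) if value & bit]

def as_signed32(value):
    """Reinterpret the low 32 bits as the signed integer an LDAP client would display."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value

def check_ldif_system_flags(ldif_text):
    """For each 'systemFlags:' line in an LDIF fragment, return decoded bits and whether
    the literal fits signed 32-bit range (assumed to be the enforced integer syntax)."""
    results = []
    for m in re.finditer(r"^systemFlags:\s*(-?\d+)\s*$", ldif_text, re.M):
        v = int(m.group(1))
        results.append({"value": v, "flags": decode_system_flags(v),
                        "fits_int32": INT32_MIN <= v <= INT32_MAX,
                        "signed": as_signed32(v)})
    return results

# Constructed sample: the failing Sch78 modify record, domain replaced by a placeholder.
SAMPLE_LDIF = """\
dn: CN=Privileged Access Management Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=EXAMPLE
changetype: modify
replace: systemFlags
systemFlags: 2348810240
-
"""

if __name__ == "__main__":
    for r in check_ldif_system_flags(SAMPLE_LDIF):
        print(r)
```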