Virgo Pärna
2025-Jan-29 10:27 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On 25.01.2025 20:44, Virgo Pärna via samba wrote:

> Exception: (21, "objectclass_attrs: attribute 'systemFlags' on entry
> 'CN=Privileged Access Management Feature,CN=Optional
> Features,CN=Directory Service,CN=Windows
> NT,CN=Services,CN=Configuration,DC=*****' contains at least one invalid
> value!")
> Error encountered, aborting schema upgrade
> ERROR: Failed to upgrade schema

It is really strange... Looking at Sch78 from Schema-Updates.md, it matches the one in the MicrosoftDocs GitHub.

Sch78 seems to rename "Expiring Group Membership Feature" to "Privileged Access Management Feature". If I understand it correctly...

first, the old value is made renamable; it has:

    # FLAG_ALLOW_RENAME 0x400000
    systemFlags: 1073741824

Although 1073741824 is 0x4000 0000, not 0x40 0000

Then the rename is done and then systemFlags is set again to 2348810240 and that fails with "Invalid attribute syntax".

Strangely, in the debug log the ldb:acl_rename line does not have a following DSDB Change line.

--
Virgo Pärna
virgo.parna at mail.ee
Rowland Penny
2025-Jan-29 15:07 UTC
[Samba] Windows 11 24H2, Samba 4.21.3 AD DC and domain users cannot log in
On Wed, 29 Jan 2025 12:27:31 +0200
Virgo Pärna via samba <samba at lists.samba.org> wrote:

> On 25.01.2025 20:44, Virgo Pärna via samba wrote:
> >
> > Exception: (21, "objectclass_attrs: attribute 'systemFlags' on
> > entry 'CN=Privileged Access Management Feature,CN=Optional
> > Features,CN=Directory Service,CN=Windows
> > NT,CN=Services,CN=Configuration,DC=*****' contains at least one
> > invalid value!")
> > Error encountered, aborting schema upgrade
> > ERROR: Failed to upgrade schema
> >
>
> It is really strange... Looking at Sch78 from Schema-Updates.md,
> it matches the one in the MicrosoftDocs GitHub.
>
> Sch78 seems to rename "Expiring Group Membership Feature" to
> "Privileged Access Management Feature". If I understand it
> correctly...
>
> first, the old value is made renamable; it has:
> # FLAG_ALLOW_RENAME 0x400000
> systemFlags: 1073741824
>
> Although 1073741824 is 0x4000 0000, not 0x40 0000

Setting systemFlags to 1073741824 does allow the object to be renamed, so that is correct.

> Then the rename is done and then systemFlags is set again to 2348810240
> and that fails with "Invalid attribute syntax".

That is where it appears to go wrong, but 2348810240 is computed from:

    FLAG_DISALLOW_DELETE         2147483648
    FLAG_DOMAIN_DISALLOW_RENAME   134217728
    FLAG_DOMAIN_DISALLOW_MOVE      67108864

and if you add up all the numbers, you get 2348810240, so that should be correct.

Have you checked the ldif for abnormalities? Spaces etc.

My domain is running at functional level 2016, upgraded from 2008R2 when I upgraded to 4.21.0. When I checked my 'CN=Privileged Access Management Feature,CN=Optional .......' DN, I found that the systemFlags attribute is set to '-1946157056', which, as far as I can see, is 'no changes allowed'. I have no idea how it was set to that.

Have you tried adding '-d10' to the 'samba-tool domain join' command to see if any further error messages are printed?

Rowland
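The systemFlags arithmetic discussed in this thread, as an added example that is not code from either poster or from Samba: it composes a systemFlags value from the named bits quoted above and decodes a stored value back into names, normalising the signed 32-bit form in which LDAP tools display this Integer-syntax attribute. Flag values follow the thread; FLAG_CONFIG_ALLOW_RENAME is the MS-ADTS name for the 0x40000000 rename bit that the Samba comment calls FLAG_ALLOW_RENAME, and the unknown-bit reporting is an addition for checking odd values.

```python
# Added example: compose/decode AD systemFlags; not Samba code.
# Values are the ones used in the thread (MS-ADTS systemFlags bits).
SYSTEM_FLAGS = {
    "FLAG_DISALLOW_DELETE":        0x80000000,  # 2147483648
    "FLAG_CONFIG_ALLOW_RENAME":    0x40000000,  # 1073741824, thread: FLAG_ALLOW_RENAME
    "FLAG_DOMAIN_DISALLOW_RENAME": 0x08000000,  # 134217728
    "FLAG_DOMAIN_DISALLOW_MOVE":   0x04000000,  # 67108864
}
KNOWN_MASK = sum(SYSTEM_FLAGS.values())


def to_unsigned32(value):
    """ldbsearch prints systemFlags as a signed 32-bit int; map it to
    the unsigned bitmask the flag table is written in."""
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit systemFlags value: {value}")
    return value & 0xFFFFFFFF


def to_signed32(value):
    """Inverse of to_unsigned32: what an LDAP client would display."""
    u = to_unsigned32(value)
    return u - 0x100000000 if u & 0x80000000 else u


def decode_system_flags(value):
    """Return the flag names set in value, plus any bits the table
    does not know about (reported so a typo in an ldif stands out)."""
    u = to_unsigned32(value)
    names = [name for name, bit in SYSTEM_FLAGS.items() if u & bit]
    unknown = u & ~KNOWN_MASK & 0xFFFFFFFF
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def compose_system_flags(*names):
    """OR together the named bits; raises KeyError on an unknown name."""
    value = 0
    for name in names:
        value |= SYSTEM_FLAGS[name]
    return value


if __name__ == "__main__":
    target = compose_system_flags("FLAG_DISALLOW_DELETE",
                                  "FLAG_DOMAIN_DISALLOW_RENAME",
                                  "FLAG_DOMAIN_DISALLOW_MOVE")
    print(target, to_signed32(target), decode_system_flags(target))
```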