On 23 April 2013 16:43, Pekka L.J. Jalkanen <pekka.jalka...@vihreat.fi> wrote:
> Nothing. It just works. I can even explicitly change it to point to the
> Samba 4 DC and it still works.
>
> It is just Vista and newer RSATs that are the problem. And they also
> work just fine as long as the selected DC is the W2k3R2 DC...

Perhaps you could get a packet capture of the newer RSAT against the
Windows DC and another one against the Samba DC and attach them to a
bug report.

> Pekka L.J. Jalkanen
>
>
> On 23.4.2013 16:39, Hisham Attar wrote:
>> What does it say when you browse domain controllers OU for that DC using
>> the Ad users and computers snapin on the win2k3 dc?
>>
>>
>> On Tue, Apr 23, 2013 at 11:25 PM, Pekka L.J. Jalkanen
>> <pekka.jalka...@vihreat.fi> wrote:
>>
>> Raising the functional level above 2003 doesn't sound like a good plan
>> as long as we still have to keep the Windows 2003 DC around. I don't
>> know about Samba, but RSAT wouldn't even let me do that.
>>
>> Also note that it is the Windows DC (CN=W2K3R2DC) that doesn't have this
>> attribute.
>>
>> I figured out that I should be able to download MS's adprep tools by
>> subscribing to Windows 2008 R2 trial. If nobody has better ideas I'll
>> just do that, and then try to run the various adprep commands. If Samba
>> truly functions like the 2008 R2, then these tools actually should've
>> been run anyway before adding Samba DCs to 2003 domains (see that
>> Technet article again).
>>
>> I really hope that the version of Windows Samba mimics would be better
>> documented, though... obviously none of this is a problem in a pure
>> Samba 4 environment, but many organisations migrating from Windows to
>> Samba are definitely not going to do so overnight, so the different DCs
>> must co-exist for quite some time. Also, people are most likely going to
>> run various different RSAT versions, so the compatibility of those is an
>> important factor, too.
>>
>>
>> Pekka L.J. Jalkanen
>>
>>
>> On 23.4.2013 0:29, Hisham Attar wrote:
>> > That attribute is a 2008+ schema attribute, as far as I was aware when
>> > you provision with Samba your DC functionality is at 2008 R2 but
>> > forest/domain is at 2003 and can be raised to 2008 R2 try samba-tool
>> > domain level raise --domain 2008_R2 --forest 2008_R2 maybe that will add
>> > the attribute to the schema.
>> >
>> >
>> > On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen
>> > <pekka.jalka...@vihreat.fi> wrote:
>> >
>> > Hello,
>> >
>> > We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
>> > Forest functional level is Windows 2000 native.
>> >
>> > I recently demoted (worked flawlessly now, which was a great relief),
>> > rebuilt and re-promoted my Samba 4 DC, as my problems that I posted to
>> > this list about two months were still unresolved (see
>> > https://lists.samba.org/archive/samba/2013-February/171898.html), and I
>> > thought that I might as well give it a shot.
>> >
>> > And yes, it all seems to work now. (I even got the rfc2307 uid/gid
>> > support working, finally! Doesn't matter a lot on a DC-only box, but
>> > still.)
>> >
>> > Everything, this far, except one thing: if
>> > 1. RSAT, specifically one shipped with Windows Vista or newer (older
>> > tools do not seem to be affected) is used to manage the domain,
>> > 2. Samba 4 DC is the domain controller that RSAT's AD User and Computers
>> > console connects to, and
>> > 3. one clicks the "Domain Controllers" OU in the tree
>> >
>> > then the following error message will result:
>> >
>> > "Data from Domain Controllers is not available from Domain Controller
>> > SAMBA4DC.mydomain.site because: An operations error occurred. Try again
>> > later, or choose another DC by selecting Connect to Domain Controller on
>> > the Domain context menu."
>> >
>> > At the same time the following is written to log.samba:
>> >
>> > "[2013/04/17 18:03:24, 0]
>> > ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>> > ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
>> > cannot find attr[msDS-isRODC] in of schema
>> >
>> > If the RSAT's AD Users & Computers console is deliberately changed to
>> > use our Windows DC, the problem disappears. The console reports DC
>> > version for the domain controllers as W2K3 for the Windows DC and as W2K
>> > for the Samba DC.
>> >
>> > Is this error expected? I find the error message in log.samba a bit
>> > peculiar, because it talks about msDS-isRODC attribute. But the way I
>> > see it there shouldn't even be anything RODC-related in the schema, as a
>> > prerequisite for any RODCs is Windows 2003 forest functional level, and
>> > even then the schema should be extended first (see
>> > http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
>> > for Microsoft's documentation).
>> >
>> > Because Samba doesn't really seem to support Windows 2000 functional
>> > level properly anymore (samba-tool domain level just showed the
>> > following error: "ERROR: Could not retrieve the actual domain, forest
>> > level and/or lowest DC function level!"), and we no longer had real
>> > reasons to stick to that, I tried to promote the forest.
>> >
>> > Now that failed too, and I had to demote Samba (so that Windows doesn't
>> > think it is just a W2k box), raise forest level on Windows, and then
>> > purge Samba's config and re-join it. (Simply running "samba-tool domain
>> > dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$
>> > appears to be an active DC, use 'samba-tool domain join' if you must
>> > re-create this account".)
>> >
>> > But: now the forest functional level *is* Windows 2003, RSAT AD User &
>> > Computers reports the Samba DC as W2k8 R2, and all this still didn't
>> > affect the actual RSAT / ldb: acl_read error at all. The issue is still
>> > reproducible!
>> >
>> > I don't know if running the MS adprep tool on the Windows DC would help
>> > (see the Technet article linked above), but that tool is anyway only
>> > shipped with Windows 2008, and I don't have that.
>> >
>> > Should I file a bug? Or is this error expected? Any experiences by
>> > people who regularly run newer RSATs? What about those that also have
>> > Windows DCs, like me?
>> >
>> > Thanks,
>> >
>> > Pekka L.J. Jalkanen
>> >
>> >
>> > PS. The Win 8 RSAT that I've been trying to use is actually hugely
>> > problematic, because there is no way to install the Server for NIS tools
>> > that are required for RFC2307 management, even though MS does claim
>> > (http://support.microsoft.com/kb/2693643) that those tools are still
>> > supported. I can't recommend it to anyone.
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba

--
Michael Wood <esiot...@gmail.com>