By the way, is a Kerberos keytab actually necessary to decrypt the GSS-API packets in Wireshark? The Samba Wiki (https://wiki.samba.org/index.php/Capture_Packets) doesn't say so (it just tells you to capture the Kerberos exchange), but I became somewhat suspicious while reading the following page: http://wiki.wireshark.org/Kerberos

Just trying to figure out how to inspect my own capture here...


Pekka L.J. Jalkanen


On 24.4.2013 17:18, Pekka L.J. Jalkanen wrote:
> On 23.4.2013 19:24, Michael Wood wrote:
>> On 23 April 2013 16:43, Pekka L.J. Jalkanen <pekka.jalka...@vihreat.fi>
>> wrote:
>>> Nothing. It just works. I can even explicitly change it to point to the
>>> Samba 4 DC and it still works.
>>>
>>> It is just Vista and newer RSATs that are the problem. And they also
>>> work just fine as long as the selected DC is the W2k3R2 DC...
>>
>> Perhaps you could get a packet capture of the newer RSAT against the
>> Windows DC and another one against the Samba DC and attach them to a
>> bug report.
>
> I've now filed a ticket:
> https://bugzilla.samba.org/show_bug.cgi?id=9828. Hopefully this helps!
>
> There is only one continuous capture, as the RSAT ADUC snap-in always
> seems to connect to the Windows DC first anyway (I assume that this is
> due to the operations master roles, because all the krb5 tickets are
> actually issued by the Samba DC), so if I'd try to purge krb5 tickets
> in-between the tests and re-connect before switching DCs to take another
> capture, it'd connect to the Windows DC anyway. But there are only three
> different IPs in the capture anyway (my RSAT box and the two DCs), and
> I've only captured ports 88 and 389, so it shouldn't be too hard to
> follow what's happening.
>
> While I do think that this is a bug, I also think that I'm going to test
> the adprep tool anyway, as it shouldn't really damage anything... MS
> says that if I were to install Windows 2008 R2 DCs, I should run it
> anyway, so it really shouldn't hurt.
>
>
> Pekka L.J. Jalkanen
>
>
>>> On 23.4.2013 16:39, Hisham Attar wrote:
>>>> What does it say when you browse the Domain Controllers OU for that DC
>>>> using the AD Users and Computers snap-in on the Win2k3 DC?
>>>>
>>>>
>>>> On Tue, Apr 23, 2013 at 11:25 PM, Pekka L.J. Jalkanen
>>>> <pekka.jalka...@vihreat.fi> wrote:
>>>>
>>>> Raising the functional level above 2003 doesn't sound like a good plan
>>>> as long as we still have to keep the Windows 2003 DC around. I don't
>>>> know about Samba, but RSAT wouldn't even let me do that.
>>>>
>>>> Also note that it is the Windows DC (CN=W2K3R2DC) that doesn't have
>>>> this attribute.
>>>>
>>>> I figured out that I should be able to download MS's adprep tools by
>>>> subscribing to the Windows 2008 R2 trial. If nobody has better ideas
>>>> I'll just do that, and then try to run the various adprep commands. If
>>>> Samba truly functions like 2008 R2, then these tools actually should've
>>>> been run anyway before adding Samba DCs to 2003 domains (see that
>>>> Technet article again).
>>>>
>>>> I really hope that the version of Windows Samba mimics would be better
>>>> documented, though... obviously none of this is a problem in a pure
>>>> Samba 4 environment, but many organisations migrating from Windows to
>>>> Samba are definitely not going to do so overnight, so the different DCs
>>>> must co-exist for quite some time. Also, people are most likely going
>>>> to run various different RSAT versions, so the compatibility of those
>>>> is an important factor, too.
>>>>
>>>>
>>>> Pekka L.J. Jalkanen
>>>>
>>>>
>>>> On 23.4.2013 0:29, Hisham Attar wrote:
>>>> > That attribute is a 2008+ schema attribute. As far as I was aware,
>>>> > when you provision with Samba your DC functionality is at 2008 R2 but
>>>> > forest/domain is at 2003 and can be raised to 2008 R2. Try
>>>> > samba-tool domain level raise --domain 2008_R2 --forest 2008_R2;
>>>> > maybe that will add the attribute to the schema.
>>>> >
>>>> >
>>>> > On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen
>>>> > <pekka.jalka...@vihreat.fi> wrote:
>>>> >
>>>> > Hello,
>>>> >
>>>> > We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
>>>> > Forest functional level is Windows 2000 native.
>>>> >
>>>> > I recently demoted (worked flawlessly now, which was a great relief),
>>>> > rebuilt and re-promoted my Samba 4 DC, as the problems that I posted
>>>> > to this list about two months ago were still unresolved (see
>>>> > https://lists.samba.org/archive/samba/2013-February/171898.html), and
>>>> > I thought that I might as well give it a shot.
>>>> >
>>>> > And yes, it all seems to work now. (I even got the rfc2307 uid/gid
>>>> > support working, finally! Doesn't matter a lot on a DC-only box, but
>>>> > still.)
>>>> >
>>>> > Everything, this far, except one thing: if
>>>> > 1. RSAT, specifically one shipped with Windows Vista or newer (older
>>>> >    tools do not seem to be affected), is used to manage the domain,
>>>> > 2. the Samba 4 DC is the domain controller that RSAT's AD Users and
>>>> >    Computers console connects to, and
>>>> > 3. one clicks the "Domain Controllers" OU in the tree,
>>>> >
>>>> > then the following error message will result:
>>>> >
>>>> > "Data from Domain Controllers is not available from Domain Controller
>>>> > SAMBA4DC.mydomain.site because: An operations error occurred. Try
>>>> > again later, or choose another DC by selecting Connect to Domain
>>>> > Controller on the Domain context menu."
>>>> >
>>>> > At the same time the following is written to log.samba:
>>>> >
>>>> > "[2013/04/17 18:03:24, 0]
>>>> > ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>>>> > ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
>>>> > cannot find attr[msDS-isRODC] in of schema"
>>>> >
>>>> > If RSAT's AD Users & Computers console is deliberately changed to use
>>>> > our Windows DC, the problem disappears. The console reports the DC
>>>> > version for the domain controllers as W2K3 for the Windows DC and as
>>>> > W2K for the Samba DC.
>>>> >
>>>> > Is this error expected? I find the error message in log.samba a bit
>>>> > peculiar, because it talks about the msDS-isRODC attribute. But the
>>>> > way I see it there shouldn't even be anything RODC-related in the
>>>> > schema, as a prerequisite for any RODCs is Windows 2003 forest
>>>> > functional level, and even then the schema should be extended first
>>>> > (see
>>>> > http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
>>>> > for Microsoft's documentation).
>>>> >
>>>> > Because Samba doesn't really seem to support the Windows 2000
>>>> > functional level properly anymore (samba-tool domain level just
>>>> > showed the following error: "ERROR: Could not retrieve the actual
>>>> > domain, forest level and/or lowest DC function level!"), and we no
>>>> > longer had real reasons to stick to that, I tried to promote the
>>>> > forest.
>>>> >
>>>> > Now that failed too, and I had to demote Samba (so that Windows
>>>> > doesn't think it is just a W2k box), raise the forest level on
>>>> > Windows, and then purge Samba's config and re-join it. (Simply running
>>>> > "samba-tool domain dcpromo" doesn't work either--it just gives the
>>>> > error "Account SAMBA4DC$ appears to be an active DC, use 'samba-tool
>>>> > domain join' if you must re-create this account".)
>>>> >
>>>> > But: now the forest functional level *is* Windows 2003, RSAT AD Users
>>>> > & Computers reports the Samba DC as W2k8 R2, and all this still didn't
>>>> > affect the actual RSAT / ldb: acl_read error at all. The issue is
>>>> > still reproducible!
>>>> >
>>>> > I don't know if running the MS adprep tool on the Windows DC would
>>>> > help (see the Technet article linked above), but that tool is anyway
>>>> > only shipped with Windows 2008, and I don't have that.
>>>> >
>>>> > Should I file a bug? Or is this error expected? Any experiences by
>>>> > people who regularly run newer RSATs? What about those that also have
>>>> > Windows DCs, like me?
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Pekka L.J. Jalkanen
>>>> >
>>>> >
>>>> > PS. The Win 8 RSAT that I've been trying to use is actually hugely
>>>> > problematic, because there is no way to install the Server for NIS
>>>> > tools that are required for RFC2307 management, even though MS does
>>>> > claim (http://support.microsoft.com/kb/2693643) that those tools are
>>>> > still supported. I can't recommend it to anyone.
>>>> > --
>>>> > To unsubscribe from this list go to the following URL and read the
>>>> > instructions: https://lists.samba.org/mailman/options/samba
>>>> >
>>>>
>>>
>>
>

-- 
Pekka L.J. Jalkanen, pekka.jalka...@vihreat.fi, +358-44-5510534
Vihreät / De Gröna, http://www.vihreat.fi/
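On the keytab question at the top of the message: Wireshark's Kerberos dissector decrypts tickets, authenticators and the GSS-API-wrapped LDAP payload with keys it reads from a keytab file, so before pointing it at a capture it helps to know which principals and encryption types the keytab actually holds. The script below is an added example (not code from this thread, from Samba or from Wireshark) that parses the keytab binary format version 0x0502 written by MIT and Heimdal tools, including samba-tool domain exportkeytab, lists every live entry and flags DES and RC4 keys, which a DC should no longer be handing out. The keytab it parses is constructed inline with dummy all-zero keys; the realm MYDOMAIN.SITE, the machine account SAMBA4DC$ and the timestamp are assumptions modelled on the names in the thread, not values taken from a real keytab.

```python
"""List the principals, enctypes and kvnos in a Kerberos keytab (format 0x0502).

Added example; not code from this thread, Samba or Wireshark. The sample
keytab is constructed below with dummy all-zero keys so the script runs offline.
"""
import struct

# IANA Kerberos encryption type numbers (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# DES is broken and the arcfour-hmac key is the account's NT hash.
WEAK_ENCTYPES = {1, 3, 23}


def _counted_octet_string(buf, off):
    """uint16 big-endian length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def parse_keytab(data):
    """Return one dict per live entry: principal, enctype, kvno, timestamp, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:               # deleted entry: a hole of -size bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octet_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octet_string(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno, used when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key": key,
        })
    return entries


def weak_entries(entries):
    """Entries whose enctype a DC should no longer be handing out."""
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


def build_entry(realm, comps, enctype, kvno, key, timestamp, name_type=1):
    """Serialize one keytab record (used only to construct the sample below)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample (assumed names): a DC machine account with AES and RC4
# keys, an ldap/ service principal, and one deleted slot in between.
_TS = 1366205004
_DELETED = struct.pack(">i", -8) + b"\x00" * 8
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("MYDOMAIN.SITE", ["SAMBA4DC$"], 18, 2, b"\x00" * 32, _TS)
    + _DELETED
    + build_entry("MYDOMAIN.SITE", ["SAMBA4DC$"], 17, 2, b"\x00" * 16, _TS)
    + build_entry("MYDOMAIN.SITE", ["SAMBA4DC$"], 23, 2, b"\x00" * 16, _TS)
    + build_entry("MYDOMAIN.SITE", ["ldap", "samba4dc.mydomain.site"], 18, 2,
                  b"\x00" * 32, _TS, name_type=3)
)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print("%-45s kvno=%d %s (%d-byte key)"
              % (e["principal"], e["kvno"], e["enctype_name"], len(e["key"])))
    for e in weak_entries(found):
        print("WARNING: weak enctype %s for %s" % (e["enctype_name"], e["principal"]))
```

Run it against a real file with parse_keytab(open(path, "rb").read()). Two things follow from what the parser shows: Wireshark can only decrypt traffic for principals whose keys (with a matching kvno) are present, and a keytab is long-term key material, so anyone who can read it can impersonate those principals and decrypt their traffic; keep it as tightly permissioned as a password file and delete it once the capture has been analysed.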