By the way, is a kerberos keytab actually necessary to decrypt the
GSS-API packets in Wireshark? Samba Wiki
(https://wiki.samba.org/index.php/Capture_Packets) doesn't say so (just
tells to capture the kerberos exchange), but I became somewhat
suspicious, while reading the following page:
http://wiki.wireshark.org/Kerberos

Just trying to figure out how to inspect my own capture here...

Pekka L.J. Jalkanen


On 24.4.2013 17:18, Pekka L.J. Jalkanen wrote:
> On 23.4.2013 19:24, Michael Wood wrote:
>> On 23 April 2013 16:43, Pekka L.J. Jalkanen <pekka.jalka...@vihreat.fi> 
>> wrote:
>>> Nothing. It just works. I can even explicitly change it to point to the
>>> Samba 4 DC and it still works.
>>>
>>> It is just Vista and newer RSATs that are the problem. And they also
>>> work just fine as long as the selected DC is the W2k3R2 DC...
>>
>> Perhaps you could get a packet capture of the newer RSAT against the
>> Windows DC and another one against the Samba DC and attach them to a
>> bug report.
> 
> I've now filed a ticket:
> https://bugzilla.samba.org/show_bug.cgi?id=9828. Hopefully this helps!
> 
> There is only one continuous capture, as the RSAT ADUC snap-in always
> seems to connect to the Windows DC first anyway (I assume that this is
> due to the operations master roles, because all the krb5 tickets are
> actually issued by the Samba DC), so if I'd try to purge krb5 tickets
> in-between the tests and re-connect before switching DCs to take another
> capture, it'd connect to the Windows DC anyway. But there are only three
> different IPs in the capture anyway (My RSAT box and the two DCs), and
> I've only captured ports 88 and 389, so it shouldn't be too hard to
> follow what's happening.
> 
> While I do think that this is a bug I also think that I'm going to test
> the adprep tool anyway, as it shouldn't really damage anything... MS
> says that if I were to install Windows 2008 R2 DCs, I should run it
> anyway, so it really shouldn't hurt.
> 
> 
> Pekka L.J. Jalkanen
> 
> 
>>> On 23.4.2013 16:39, Hisham Attar wrote:
>>>> What does it say when you browse domain controllers OU for that DC using
>>>> the Ad users and computers snapin on the win2k3 dc?
>>>>
>>>>
>>>> On Tue, Apr 23, 2013 at 11:25 PM, Pekka L.J. Jalkanen
>>>> <pekka.jalka...@vihreat.fi <mailto:pekka.jalka...@vihreat.fi>> wrote:
>>>>
>>>>     Raising the functional level above 2003 doesn't sound like a good plan
>>>>     as long as we still have to keep the Windows 2003 DC around. I don't
>>>>     know about Samba, but RSAT wouldn't even let me do that.
>>>>
>>>>     Also note that it is the Windows DC (CN=W2K3R2DC) that doesn't have 
>>>> this
>>>>     attribute.
>>>>
>>>>     I figured out that I should be able to download MS's adprep tools by
>>>>     subscribing to Windows 2008 R2 trial. If nobody has better ideas I'll
>>>>     just do that, and then try to run the various adprep commands. If Samba
>>>>     truly functions like the 2008 R2, then these tools actually should've
>>>>     been run anyway before adding Samba DCs to 2003 domains (see that
>>>>     Technet article again).
>>>>
>>>>     I really hope that the version of Windows Samba mimics would be better
>>>>     documented, though... obviously none of this is a problem in a pure
>>>>     Samba 4 environment, but many organisations migrating from Windows to
>>>>     Samba are definitely not going to do so overnight, so the different DCs
>>>>     must co-exist for quite some time. Also, people are most likely going 
>>>> to
>>>>     run various different RSAT versions, so the compatibility of those is 
>>>> an
>>>>     important factor, too.
>>>>
>>>>
>>>>     Pekka L.J. Jalkanen
>>>>
>>>>
>>>>     On 23.4.2013 0:29, Hisham Attar wrote:
>>>>     > That attribute is a 2008+ schema attribute, as far as I was aware 
>>>> when
>>>>     > you provision with Samba your DC functionality is at 2008 R2 but
>>>>     > forest/domain is at 2003 and can be raised to 2008 R2 try samba-tool
>>>>     > domain level raise --domain 2008_R2 --forest 2008_R2 maybe that
>>>>     will add
>>>>     > the attribute to the schema.
>>>>     >
>>>>     >
>>>>     > On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen
>>>>     > <pekka.jalka...@vihreat.fi <mailto:pekka.jalka...@vihreat.fi>
>>>>     <mailto:pekka.jalka...@vihreat.fi
>>>>     <mailto:pekka.jalka...@vihreat.fi>>> wrote:
>>>>     >
>>>>     >     Hello,
>>>>     >
>>>>     >     We have two DCs. One runs Windows 2003 R2, and the other Samba
>>>>     4.0.5.
>>>>     >     Forest functional level is Windows 2000 native.
>>>>     >
>>>>     >     I recently demoted (worked flawlessy now, which was a great
>>>>     relief),
>>>>     >     rebuilt and re-promoted my Samba 4 DC, as my problems that I
>>>>     posted to
>>>>     >     this list about two monts were still unresolved (see
>>>>     >
>>>>     https://lists.samba.org/archive/samba/2013-February/171898.html), and I
>>>>     >     thoght that I might as well give it a shot.
>>>>     >
>>>>     >     And yes, it all seems to work now. (I even got the rfc2307 
>>>> uid/gid
>>>>     >     support working, finally! Doesn't matter a lot on a DC-only
>>>>     box, but
>>>>     >     still.)
>>>>     >
>>>>     >     Everything, this far, except one thing: if
>>>>     >     1. RSAT, specifically one shipped with Windows Vista or newer
>>>>     (older
>>>>     >     tools do not seem to be affected) is used to manage the domain,
>>>>     >     2. Samba 4 DC is the domain controller that RSAT's AD User and
>>>>     Computers
>>>>     >     console connects to, and
>>>>     >     3. one clicks the "Domain Controllers" OU in the tree
>>>>     >
>>>>     >     then the following error message will result:
>>>>     >
>>>>     >     "Data from Domain Controllers is not available from Domain
>>>>     Controller
>>>>     >     SAMBA4DC.mydomain.site because: An operations error occurred.
>>>>     Try again
>>>>     >     later, or choose another DC by selecting Connect to Domain
>>>>     Controller on
>>>>     >     the Domain context menu."
>>>>     >
>>>>     >     At the same time the following is written to log.samba:
>>>>     >
>>>>     >     "[2013/04/17 18:03:24,  0]
>>>>     >     ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>>>>     >       ldb: acl_read: CN=W2K3R2DC,OU=Domain
>>>>     Controllers,DC=mydomain,DC=site
>>>>     >     cannot find attr[msDS-isRODC] in of schema
>>>>     >
>>>>     >     If the RSAT's AD Users & Computers console is deliberately
>>>>     changed to
>>>>     >     use our Windows DC, the problem disappears. The console reports 
>>>> DC
>>>>     >     version for the domain controllers as W2K3 for the Windows DC
>>>>     and as W2K
>>>>     >     for the Samba DC.
>>>>     >
>>>>     >     Is this error expected? I find the error message in log.samba
>>>>     a bit
>>>>     >     peculiar, because it talks about msDS-isRODC attribute. But
>>>>     the way I
>>>>     >     see it there shouldn't even be anything RODC-related in the
>>>>     schema, as a
>>>>     >     prerequisite for any RODCs is Windows 2003 forest functional
>>>>     level, and
>>>>     >     even then the schema should be extended first (see
>>>>     >
>>>>     http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
>>>>     >     for Microsoft's documentation).
>>>>     >
>>>>     >     Because Samba doesn't really seem to support Windows 2000
>>>>     functional
>>>>     >     level properly anymore (samba-tool domain level just showed the
>>>>     >     following error: "ERROR: Could not retrieve the actual domain,
>>>>     forest
>>>>     >     level and/or lowest DC function level!"), and we no longer had
>>>>     real
>>>>     >     reasons to stick to that, I tried to promote the forest.
>>>>     >
>>>>     >     Now that failed too, and I had to demote Samba (so that
>>>>     Windows doesn't
>>>>     >     think it is just a W2k box), raise forest level on Windows,
>>>>     and then
>>>>     >     purge Samba's config and re-join it. (Simply running
>>>>     "samba-tool domain
>>>>     >     dcpromo" doesn't work either--it just gives an error "Account
>>>>     SAMBA4DC$
>>>>     >     appears to be an active DC, use 'samba-tool domain join' if
>>>>     you must
>>>>     >     re-create this account".)
>>>>     >
>>>>     >     But: now the forest functional level *is* Windows 2003, RSAT
>>>>     AD User &
>>>>     >     Computers reports the Samba DC as W2k8 R2, and all this still
>>>>     didn't
>>>>     >     affect the actual RSAT / ldb: acl_read error at all. The issue
>>>>     is still
>>>>     >     reproducible!
>>>>     >
>>>>     >     I don't know if running the MS adprep tool on the Windows DC
>>>>     would help
>>>>     >     (see the Technet article linked above), but that tool is
>>>>     anyway only
>>>>     >     shipped with Windows 2008, and I don't have that.
>>>>     >
>>>>     >     Should I file a bug? Or is this error expected? Any experiences 
>>>> by
>>>>     >     people who regularly run newer RSATs? What about those that
>>>>     also have
>>>>     >     Windows DCs, like me?
>>>>     >
>>>>     >     Thanks,
>>>>     >
>>>>     >     Pekka L.J. Jalkanen
>>>>     >
>>>>     >
>>>>     >     PS. The Win 8 RSAT that I've been trying to use is actually 
>>>> hugely
>>>>     >     problematic, because there is no way to install the Server for
>>>>     NIS tools
>>>>     >     that are required for RFC2307 management, even though MS does
>>>>     claim
>>>>     >     (http://support.microsoft.com/kb/2693643) that those tools are
>>>>     still
>>>>     >     supported. I can't recommend it to anyone.
>>>>     >     --
>>>>     >     To unsubscribe from this list go to the following URL and read 
>>>> the
>>>>     >     instructions:  https://lists.samba.org/mailman/options/samba
>>>>     >
>>>>     >
>>>>
>>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>>
> 
> 


-- 
Pekka L.J. Jalkanen, pekka.jalka...@vihreat.fi, +358-44-5510534
Vihreät / De Gröna, http://www.vihreat.fi/
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to