The MS documentation says that, to raise the forest functional level, you must be a member of the "Enterprise Admins" group (http://technet.microsoft.com/en-us/library/cc730985.aspx). And to raise the domain functional level, you must additionally be a member of "Domain Admins" (http://technet.microsoft.com/en-us/library/cc753104.aspx).

But samba-tool allows raising both levels with any domain account:

# kdestroy
# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
# samba-tool domain level raise --domain-level=2008_R2 -U demo3
Domain function level changed!
All changes applied successfully!
# samba-tool domain level raise --forest-level=2008_R2 -U demo3
Forest function level changed!
All changes applied successfully!

The domain account "demo3" I've used is only in the group "Domain Users". Also, samba-tool did not request any password for the account I've used.

The only thing that prevents normal users from raising the levels is that you have to be root, because the secrets.ldb isn't mode 600. But if you have root permissions on any DC, you can raise the levels with every domain account.
This is not a bug, this is by design.
If you have sufficient access to the database files you can use samba-tool to make changes in the database. Like e.g. samba-tool user add ...
The -U option is ignored in this case. But it is honoured in combination with the -H option.

Björn
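The two comments above make the same operational point from both sides: samba-tool against the local database files honours no account at all, so whoever can read or write those files controls the directory, and the only barrier is the file mode. The following audit script is an added example written for this page; it is not part of the bug report and not part of Samba. It checks the ldb files in a Samba AD DC private directory for group- or world-accessible permissions and unexpected ownership. The directory path /var/lib/samba/private and the file list are assumptions (they match common defaults, but a given build may differ); the demo directory it can build is constructed sample data, not a real Samba installation.

```python
import os
import stat
import tempfile

# Assumed: the database files a Samba AD DC keeps in its private directory.
# Anyone who can read/write these can change the directory with samba-tool
# locally, regardless of which -U account is named (see the comments above).
LDB_FILES = ("sam.ldb", "secrets.ldb", "idmap.ldb", "privilege.ldb")

# Assumed default location; adjust for your build.
DEFAULT_PRIVATE_DIR = "/var/lib/samba/private"

# Used by the constructed demo so ownership checks are deterministic.
DEMO_UID = os.getuid()


def classify_mode(mode, expected_uid=0, uid=0):
    """Return findings for one file, given its st_mode and st_uid.

    Findings are returned in a fixed order so callers can compare lists:
    group-accessible, world-accessible, not-owned-by-expected-uid.
    """
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")
    if uid != expected_uid:
        findings.append("not-owned-by-expected-uid")
    return findings


def audit_ldb_dir(private_dir, expected_uid=0):
    """Map each expected ldb file to its findings ([] means mode 600-style, owned as expected)."""
    results = {}
    for name in LDB_FILES:
        path = os.path.join(private_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            results[name] = ["missing"]
            continue
        results[name] = classify_mode(st.st_mode, expected_uid, st.st_uid)
    return results


def make_demo_dir():
    """Build a constructed sample directory (not a real Samba private dir).

    Two files get the expected 0600, one is group-readable, one is world-readable.
    """
    d = tempfile.mkdtemp(prefix="samba-private-demo-")
    modes = {
        "sam.ldb": 0o600,
        "secrets.ldb": 0o600,
        "idmap.ldb": 0o640,
        "privilege.ldb": 0o644,
    }
    for name, mode in modes.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"")  # contents are irrelevant to the permission audit
        os.chmod(path, mode)  # chmod sets the exact mode; umask does not apply
    return d


if __name__ == "__main__":
    target = DEFAULT_PRIVATE_DIR if os.path.isdir(DEFAULT_PRIVATE_DIR) else make_demo_dir()
    uid = 0 if target == DEFAULT_PRIVATE_DIR else DEMO_UID
    for name, findings in audit_ldb_dir(target, expected_uid=uid).items():
        print("%-14s %s" % (name, ", ".join(findings) or "ok"))
```

Run as root on a DC it reports against the real private directory; anywhere else it falls back to the constructed demo directory so the output can be inspected without a Samba install. A non-empty finding for sam.ldb or secrets.ldb means the "you have to be root" barrier discussed in this thread is gone for that host.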
Hello Björn,

(In reply to comment #1)
> This is not a bug, this is by design.
> If you have sufficient access to the database files you can use samba-tool to
> make changes in the database.
> Like e.g. samba-tool user add ...

I didn't know that, and the --help option doesn't give a hint on that. Maybe a note can be added, like:

  -U USERNAME, --username=USERNAME
                        Parameter is only used in conjunction with -H

> The -U option is ignored in this case. But is honoured in combination with the
> -H option.

If I use -U ... -H, then only members of the Domain Admins group can raise the two levels. But if samba-tool should act according to the MS documentation in that case, raising the forest level should require Enterprise Admins group membership, too.
(In reply to comment #2)
> If I use -U ... -H, then only members of the Domain Admin groups can raise the
> two levels.

Thank you for the verification.

> But if samba-tool should act according to the MS documentation in that case,

The samba-tool is just a tool like "net" and should not act according to the MS documentation in that case. You can use it locally to manipulate the databases directly or over the "network" via ldap/rpc/...

Björn
(In reply to comment #3)
> > But if samba-tool should act according to the MS documentation in that case,
>
> The samba-tool is just a tool like "net" and should not act according to the MS
> documentation in that case. You can use it locally to manipulate the databases
> directly or over the "network" via ldap/rpc/...

Thanks for that information. Maybe you can add that note to the samba-tool manpage. Currently there is just one sentence below "description". This could clarify some things for other users, too.