Bug 14008 - v4.9: 'Error 32 determining PSOs in system' on old DB with FL upgrade
Summary: v4.9: 'Error 32 determining PSOs in system' on old DB with FL upgrade
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.9.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-06-24 22:50 UTC by Tim Beale
Modified: 2019-08-06 07:50 UTC (History)
1 user (show)

See Also:

Backport for v4.10 and v4.9 (2.62 KB, patch)
2019-06-26 23:48 UTC, Tim Beale
abartlet: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Beale 2019-06-24 22:50:22 UTC
If the AD DB was created based on a pre-2008 base schema, and then the functional level was manually upgraded so that it was 2008 or greater, then the AD DB basically becomes inoperable on Samba v4.9 onwards.

The error reported in the Samba server log is:
Error 32 determining PSOs in system.

The problem is the code is trying to lookup PSO objects, but it is unexpectedly failing because the PSO container doesn't exist (because it wasn't present in the 2003 base schema).

Reported on mailing list:

The work-arounds are, either:
- Manually create the PSO container, e.g.
ldbadd -H /usr/local/samba/private/sam.ldb
dn: CN=Password Settings Container,CN=System,DC=addom,DC=samba,DC=example,DC=com
objectClass: top
objectClass: msDS-PasswordSettingsContainer
systemFlags: -1946157056
- Downgrade Samba to v4.8 (which doesn't have PSOs).
Comment 1 Tim Beale 2019-06-26 23:48:04 UTC
Created attachment 15265 [details]
Backport for v4.10 and v4.9
Comment 2 Andrew Bartlett 2019-06-27 02:02:41 UTC
Comment on attachment 15265 [details]
Backport for v4.10 and v4.9

Looks good!
Comment 3 Karolin Seeger 2019-07-08 11:39:32 UTC
(In reply to Andrew Bartlett from comment #2)
Pushed to autobuild-v4-{10,9}-test.
Comment 4 Karolin Seeger 2019-08-06 07:50:29 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to both branches.
Closing out bug report.