If the AD DB was created based on a pre-2008 base schema, and then the functional level was manually upgraded so that it was 2008 or greater, then the AD DB basically becomes inoperable on Samba v4.9 onwards.

The error reported in the Samba server log is:

    Error 32 determining PSOs in system.

The problem is the code is trying to look up PSO objects, but it is unexpectedly failing because the PSO container doesn't exist (because it wasn't present in the 2003 base schema).

Reported on mailing list: https://lists.samba.org/archive/samba/2019-June/223928.html

The work-arounds are, either:

- Manually create the PSO container, e.g.

      ldbadd -H /usr/local/samba/private/sam.ldb
      dn: CN=Password Settings Container,CN=System,DC=addom,DC=samba,DC=example,DC=com
      objectClass: top
      objectClass: msDS-PasswordSettingsContainer
      systemFlags: -1946157056

- Downgrade Samba to v4.8 (which doesn't have PSOs).
Created attachment 15265: Backport for v4.10 and v4.9

Comment on attachment 15265: Backport for v4.10 and v4.9
Looks good!
(In reply to Andrew Bartlett from comment #2) Pushed to autobuild-v4-{10,9}-test.
(In reply to Karolin Seeger from comment #3) Pushed to both branches. Closing out bug report. Thanks!