While trying to get radius working with my Samba domain controller, I was looking for a way to get attributes like radiusTunnelPrivateGroupId into it. In the end the solution was something completely different, but anyhow:
Here’s what I did to raise the domain level (and as it turns out the function and forest level) of my Samba domain controller.
Where we start
linux # samba-tool domain level show
Domain and forest function level for domain 'DC=mydomain,DC=de'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2Upgrading domain level
Adding a ‘-h’ option I at least got the function levels I could upgrade to:
linux # samba-tool domain level show -h
<...>
--domain-level=DOMAIN_LEVEL
The domain function level (2003 | 2008 | 2008_R2 | 2012 | 2012_R2 | 2016)
<...>So let’s give it a try (of course with the latest supported domain level 2016):
linux # samba-tool domain level raise --domain-level=2016
ERROR: Domain function level can't be higher than the lowest function level of a DC!Ok, that seems odd: There’s options to upgrade domain and forest level, but there’s no mentioning of function level. But according to this page, we need to trigger that change by modifying the domain controllers smb.conf and restarting this service.
But first I’d like to know what the current level is. And as the default values cannot be found in the smb.conf itself, we’ll call the good old testparm for help:
linux # testparm -s --section-name=global --parameter-name="ad dc functional level"
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
<...>
2008_R2Ok, so that matches the above output – now let’s set the option in smb.conf and restart the service:
linux # vi /etc/samba/smb.conf
[global]
<...>
ad dc functional level = 2016
<...>
linux # systemctl restart samba-ad-dc
linux # samba-tool domain level show
Domain and forest function level for domain 'DC=mydomain,DC=de'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2016Ok, function level is now 2016, so let’s retry the domain level raise:
linux # samba-tool domain level raise --domain-level=2016
Domain function level changed!
All changes applied successfully!
linux # samba-tool domain level show
Domain and forest function level for domain 'DC=mydomain,DC=de'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016And as we’re at it I’ll raise the forest level also (even if I don’t really have something like a forest):
linux # samba-tool domain level raise --forest-level=2016
Forest function level changed!
All changes applied successfully!
linux # samba-tool domain level show
Domain and forest function level for domain 'DC=mydomain,DC=de'
Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016Upgrading LDAP schema
And now we also need to upgrade the LDAP schema (that for some odd reason has nothing/little to do with the domain / forest level):
linux # samba-tool domain schemaupgrade –schema=2019
Temporarily overriding 'dsdb:schema update allowed' setting
Applying Sch70.ldf updates...
Unable to find attribute msDS-DeviceMDMStatus in the schema
5 changes applied
Applying Sch71.ldf updates...
7 changes applied
<...>
Applying Sch87.ldf updates...
9 changes applied
Applying Sch88.ldf updates...
7 changes applied
Schema successfully updatedAnd that is how far I made it:
I’m still trying to use some of the (newly added LDAP objects/attributes) to specify radius information, but for now none of them get accepted.
Something seems still missing …
I also verified the availability of the new attributes using ldapsearch. The schema seems to be current, however the attributes I was hoping for are not shown (but I guess that’s caused by ‘hideFromAB: TRUE‘ in their definition):
linux # ldapsearch -x -ZZ -H ldap://dc1.mydomain.de -s sub -a always -z 1000 -b "CN=Schema,CN=Configuration,DC=mydomain,dc=de" -D CN=Administrator,CN=Users,DC=mydomain,DC=de -W "(objectClass=*)For more information about specific schema searches in Active Directory (or the samba version of it) have a look here.
Background information
According to this information, these LDAP schema updates were introduced with the following Windows versions (which matches the above upgrade to the latest schema supported by the current Samba 4.22.1: 2019):
| Windows Server Version | |
|---|---|
| Windows Server 2025 | Sch89.ldf – Sch91.ldf |
| Windows Server 2019 | Sch88.ldf |
| Windows Server 2016 | Sch70.ldf – Sch87.ldf |
| Windows Server 2012 R2 | Sch57.ldf – Sch69.ldf |
| Windows Server 2012 | Sch48.ldf – Sch56.ldf |
Links
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/schema-updates