[Samba] [samba] Samba 4.1.6 vs Win2008R2 FSMO roles

Laszlo Levente wandererc at gmail.com
Thu Aug 14 06:32:07 MDT 2014


Hi,

we're using Zentyal 3.4/Samba 4.1.6 on two machines for our AD domain.

We have to test the domain in a "pure" Microsoft environment, because of a
third-party storage system.
So I added the DC and DNS roles to one of our Windows 2008R2 machines, and
joined it to our domain. Everything's fine at this point.

Then I wanted to transfer the 5 FSMO roles to Windows. Every role transferred
successfully, except schema master... ntdsutil said:  Insufficient access
rights (my account was in Domain Admins, Schema Admins, Enterprise Admins)

OK, so I tried to seize the schema master role, after I shut down the two
Zentyal DCs.
Same result (insufficient rights) :(.
Then we had to restore win2008R2 from disk image, and turn the Zentyals on
again.

Then I realized that the 4 transferred roles had not gone back to Samba. I
transferred 3 of them back, but I can't transfer the naming role.

# samba-tool fsmo seize --role=naming
ldb_wrap open of secrets.ldb
Attempting transfer...
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_PORT_UNREACHABLE
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 160, in run
    self.seize_role(role, samdb, force)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 126, in seize_role
    transfer_role(self.outf, role, samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 53, in transfer_role
    samdb.modify(m)
# samba-tool fsmo show
ldb_wrap open of secrets.ldb
InfrastructureMasterRole owner: CN=NTDS Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=win2008R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
SchemaMasterRole owner: CN=NTDS Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan


I searched Bugzilla and the list archives, but couldn't find any
relevant info.

Has anyone run into the same problem?


Thanks for your help,
Levente Laszlo
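
Added example, not part of the original message and not Samba's own code: a small Python check that parses `samba-tool fsmo show` output like the listing above and reports which FSMO roles are held by a DC other than the expected one. The sample text is constructed from the post's output, and the function names and the rule for rejoining wrapped DNs are assumptions made for this illustration.

```python
import re

# Constructed sample based on the `samba-tool fsmo show` output in the post.
# Two DNs are wrapped the way a mail client wraps long lines.
_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan"
SAMPLE = f"""ldb_wrap open of secrets.ldb
InfrastructureMasterRole owner: CN=NTDS Settings,CN=zentyal,{_SITE}
RidAllocationMasterRole owner: CN=NTDS Settings,CN=zentyal,{_SITE}
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=zentyal,{_SITE}
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=win2008R2,{_SITE}
SchemaMasterRole owner: CN=NTDS
Settings,CN=zentyal,{_SITE}
"""

ROLE_LINE = re.compile(r"^(\w+Role) owner:\s*(.*)$")
SERVER_CN = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def parse_fsmo_show(text):
    """Return {role: owner DN}, rejoining DNs split across lines."""
    owners, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = ROLE_LINE.match(line)
        if match:
            current = match.group(1)
            owners[current] = match.group(2)
        elif current and line:
            # Assumption: a wrapped DN was broken at a space, so rejoin with one.
            owners[current] = (owners[current] + " " + line).strip()
        else:
            current = None  # blank line, or log noise before the first role
    return owners


def server_of(dn):
    """Extract the DC name from an 'NTDS Settings' DN, or None if malformed."""
    match = SERVER_CN.match(dn)
    return match.group(1) if match else None


def misplaced_roles(owners, expected_dc):
    """Roles not held by expected_dc (case-insensitive), as {role: holder}."""
    return {role: server_of(dn) for role, dn in owners.items()
            if (server_of(dn) or "").lower() != expected_dc.lower()}


if __name__ == "__main__":
    for role, holder in misplaced_roles(parse_fsmo_show(SAMPLE), "zentyal").items():
        print(f"{role} is held by {holder}, expected zentyal")
```
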

