[Samba] Lost DC with FSMO-Rolls

Rowland Penny rowlandpenny at googlemail.com
Wed Nov 5 13:01:20 MST 2014


On 05/11/14 19:37, Stefan Kania wrote:
>
> Some more information:
> when I do a: "samba-tool dbcheck --fix --cross-ncs"
>
> I get the following:
>
> root@SVL-V-AD1:~# samba-tool dbcheck --fix --cross-ncs
> Checking 3747 objects
> ERROR: fSMORoleOwner not found for role
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd
> Sieze role CN=Partitions,CN=Configuration,DC=egf,DC=ntd onto current
> DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=SVL-V-AD1,CN=Servers,CN=Vertrieb,CN=Sites,CN=Configuration,DC=egf,DC=ntd
> [y/N/all/none] y
> Failed to sieze role CN=Partitions,CN=Configuration,DC=egf,DC=ntd onto
> current DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=SVL-V-AD1,CN=Servers,CN=Vertrieb,CN=Sites,CN=Configuration,DC=egf,DC=ntd
> : (20, 'SINGLE-VALUE attribute fSMORoleOwner on
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd specified more than once')
> Checked 3747 objects (1 errors)
>
> I checked the Object with ldbsearch and got the following:
>
> root@SVL-V-AD1:~# ldbsearch --url=/var/lib/samba/private/sam.ldb -b "CN=Partitions,CN=Configuration,DC=egf,DC=ntd"
>
> # record 6
> dn: CN=Partitions,CN=Configuration,DC=egf,DC=ntd
> objectClass: top
> objectClass: crossRefContainer
> cn: Partitions
> instanceType: 4
> whenCreated: 20141027112453.0Z
> whenChanged: 20141027112456.0Z
> uSNCreated: 3162
> uSNChanged: 3162
> showInAdvancedViewOnly: TRUE
> name: Partitions
> objectGUID: 8e7d5bd0-d15f-4f08-ae26-33931aedb98d
> systemFlags: -2147483648
> objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=egf,DC=ntd
> msDS-Behavior-Version: 2
> distinguishedName: CN=Partitions,CN=Configuration,DC=egf,DC=ntd
>
> There is no attribute "fSMORoleOwner".
> I checked it on a working DC in another domain. In this domain the
> attribute is listed in CN=Partitions.
>
> Then I tried it the hard way with ldbedit:
>
> root@SVL-V-AD1:~# ldbedit --url=/var/lib/samba/private/sam.ldb -b "CN=Partitions,CN=Configuration,DC=egf,DC=ntd"
> failed to modify CN=Partitions,CN=Configuration,DC=egf,DC=ntd -
> SINGLE-VALUE attribute fSMORoleOwner on
> CN=Partitions,CN=Configuration,DC=egf,DC=ntd specified more than once
>
> As you can see, ldbedit gives the same error message. But there is no
> other entry with an attribute "fSMORoleOwner".
>
> I don't know what to do next
>
> Any help?
>
> Stefan
>
>
> On 05.11.2014 at 17:54, Stefan Kania wrote:
>> Hello,
>>
>> I lost my DC with all FSMO roles. I tried to "seize" the roles to
>> another DC. It worked for four out of five roles:
>>
>> root@SVL-V-AD1:~# samba-tool fsmo seize --role=rid
>> Attempting transfer...
>> Transfer unsuccessful, seizing...
>> FSMO seize of 'rid' role successful
>>
>> root@SVL-V-AD1:~# samba-tool fsmo seize --role=pdc
>> Attempting transfer...
>> Transfer unsuccessful, seizing...
>> FSMO seize of 'pdc' role successful
>>
>> root@SVL-V-AD1:~# samba-tool fsmo seize --role=infrastructure
>> Attempting transfer...
>> Transfer unsuccessful, seizing...
>> FSMO seize of 'infrastructure' role successful
>>
>> root@SVL-V-AD1:~# samba-tool fsmo seize --role=schema
>> Attempting transfer...
>> Transfer unsuccessful, seizing...
>> FSMO seize of 'schema' role successful
>>
>> But it failed for the role "naming":
>>
>> root@SVL-V-AD1:~# samba-tool fsmo seize --role=naming
>> Attempting transfer...
>> ERROR(ldb): uncaught exception - Failed FSMO transfer: NT_STATUS_CONNECTION_REFUSED
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 160, in run
>>     self.seize_role(role, samdb, force)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 126, in seize_role
>>     transfer_role(self.outf, role, samdb)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 53, in transfer_role
>>     samdb.modify(m)
>>
>> After that "samba-tool fsmo show " gives the following error:
>>
>> root@SVL-V-AD1:~# samba-tool fsmo show
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 207, in run
>>     self.namingMaster = res[0]["fSMORoleOwner"][0]
>>
>> What can I do, to get all roles back to work?
>>
>> Stefan
>>
>>
> - -- 
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
>
>
> Signing every e-mail helps reduce spam. Sign your
> e-mail. More information at http://www.gnupg.org
>
> My key is available at
>
> hkp://subkeys.pgp.net
>

OK, if I run this on the DC:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs

and search for 'fSMORoleOwner' I get the 7 (yes, there are 7) FSMO roles.

If I don't add '--cross-ncs', I can only see 3.

dn: DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=RID Manager$,CN=System,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Partitions,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Schema,CN=Configuration,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

Rowland
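
A check built on the listing above, as an added example that is not part of the original post: it parses ldbsearch-style LDIF (including folded and base64 values) and reports which of the seven role objects lacks a single fSMORoleOwner. The short role labels, ROLE_OBJECTS, the function names and the sample data are assumptions made for illustration.

```python
import base64
import re

# The seven DNs from the listing above; the short role labels are illustrative.
ROLE_OBJECTS = {
    "pdc": "{d}",
    "rid": "CN=RID Manager$,CN=System,{d}",
    "infrastructure": "CN=Infrastructure,{d}",
    "naming": "CN=Partitions,CN=Configuration,{d}",
    "schema": "CN=Schema,CN=Configuration,{d}",
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones,{d}",
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones,{d}",
}

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}} from LDIF text."""
    text = re.sub(r"\r?\n ", "", text)        # unfold wrapped values
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                    # a blank line ends the record
            continue
        if not (m := re.match(r"([A-Za-z0-9;-]+)(::?) ?(.*)", line)):
            continue                          # comments such as "# record 6"
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                       # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":
            current = records.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return records

def check_roles(ldif_text, domain_dn):
    """Map each role label to the list of owners found (empty = missing)."""
    records = parse_ldif(ldif_text)
    return {role: records.get(t.format(d=domain_dn).lower(), {}).get("fsmoroleowner", [])
            for role, t in ROLE_OBJECTS.items()}

# Constructed sample: CN=Partitions has no owner, the others have a folded one.
OWNER = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=example,DC=com")
SAMPLE = "".join(
    f"dn: {t.format(d='DC=example,DC=com')}\n"
    + ("" if r == "naming" else f"fSMORoleOwner: {OWNER[:20]}\n {OWNER[20:]}\n")
    + "\n" for r, t in ROLE_OBJECTS.items())

if __name__ == "__main__":
    for role, owners in check_roles(SAMPLE, "DC=example,DC=com").items():
        print(f"{role:15} {owners[0] if len(owners) == 1 else 'MISSING OR INVALID'}")
```

The input is expected to be a dump taken with --cross-ncs, since without it only three of the seven objects are visible.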


