DC demote

Vaclav Klecanda vencax77 at gmail.com
Tue Jan 4 01:16:44 MST 2011


Hi Michael,
thanks for your prompt reaction.
I have done the bind exactly as you have posted (The code comes from python
ldap examples):

import ldap
import ldap.sasl

addr = "ldap://10.0.1.4:389/"
realm = 'vena@MYDOMAIN.CZ'
conn = ldap.initialize(addr, trace_level=2)
# GSSAPI (Kerberos) SASL bind
tokens = ldap.sasl.gssapi(authz_id=realm)
conn.sasl_interactive_bind_s('', tokens)

but the sasl_interactive_bind_s returned the error 'SASL(-4): no
mechanism available...

I am not an LDAP guru but I think the ldap client complains about a lack of
mechanisms on the other side (samba4) of the LDAP connection.

I DON'T use any other LDAP servers (like openLDAP, etc.). Many discussions
about how to bind to LDAP using gssapi sasl expect such a server. I use port
389 when I start the samba4 binary. I suppose the proprietary samba4
LDAP based backend server runs there, which I know nothing about.

2011/1/3 Michael Wood <esiotrot at gmail.com>

> On 4 January 2011 00:11, Vaclav Klecanda <vencax77 at gmail.com> wrote:
> > Nobody?
> > I have tried the ldb* utils to delete demoted DC records but without
> > success. I was not even able to find out how to delete only an attribute
> > instead of the whole record.
>
> You could try reading the ldapmodify manpage which, I think, describes
> the same syntax that ldbmodify uses to add/modify/delete attributes.
>
> > Maybe the better question is: how could I directly change the samba
> > database files (LDB, TDB)?
>
> Using ldbmodify or ldbedit etc. should do it, as long as you know what
> needs to be modified/deleted.  I do not.
>
> > I then tried to bind to LDAP server again using python
> > GSSAPI (ldap.sasl) but sasl_interactive_bind_s said:
> > Error using SASL mechanism GSSAPI {'info': 'SASL(-4): no mechanism
> > available: No worthy mechs found', 'desc': 'Unknown authentication
> > method'}.
> > I found some discussions about this but no result.
>
> I'm not sure what that's about, but perhaps if you post the code you
> were using someone could help.
>
> This has worked for me in the past:
>
>    ldap_server = "ldap://%s" % (REALM,)
>    conn = ldap.initialize(ldap_server)
>    tokens = ldap.sasl.gssapi()
>    conn.sasl_interactive_bind_s("", tokens)
>
> > 2010/12/30 Vaclav Klecanda <vencax77 at gmail.com>
> >
> >> Hi,
> >> I have successfully set up a samba4 PDC and have joined a Win2k8 BDC. Now I
> >> removed (demoted) the BDC. I had to use the forceremoval param since the default
> >> process failed. Now I have the corresponding records in the Samba4 PDC (replication
> >> connection, etc.) and want to remove them. I wanted to remove the things
> >> through an LDAP browser but some of them are in the dc=Configuration,dc=Schema,..
> >> subtree, which probably wants special rights since it is inaccessible
> >> through an anonymous ldap bind. Has anybody been solving that?
>
> Were you able to delete other things using an anonymous bind?  That's
> surprising.
>
> --
> Michael Wood <esiotrot at gmail.com>
>
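Added example, not part of either poster's message: one way to narrow down the 'No worthy mechs found' error is to read supportedSASLMechanisms from the server's rootDSE over an anonymous bind and see whether GSSAPI is advertised at all. The function names, the sample mechanism list and the three result labels are assumptions made for this sketch; only the server address comes from the thread.

```python
# Added diagnostic sketch (not code from the thread). Requires python-ldap
# only for the live query; classify() is pure Python.
LDAP_URI = "ldap://10.0.1.4:389/"  # server address quoted in the message above

# Constructed sample of what a directory server might advertise.
SAMPLE_MECHS = ["GSSAPI", "GSS-SPNEGO", "NTLM"]

ADVICE = {
    "client": "Server advertises the mechanism: check the client side "
              "(Cyrus SASL GSSAPI plugin installed, valid Kerberos ticket).",
    "server": "Server does not advertise the mechanism: check server config.",
    "unknown": "No mechanisms returned: rootDSE attribute missing or unreadable.",
}


def read_sasl_mechs(uri):
    """Anonymously read supportedSASLMechanisms from the rootDSE."""
    import ldap  # imported lazily so classify() works without python-ldap
    conn = ldap.initialize(uri)
    conn.simple_bind_s()  # no arguments means an anonymous bind
    try:
        result = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)",
                               ["supportedSASLMechanisms"])
    finally:
        conn.unbind_s()
    mechs = []
    for _dn, attrs in result:
        for name, values in attrs.items():
            if name.lower() == "supportedsaslmechanisms":
                mechs += [v.decode() if isinstance(v, bytes) else v
                          for v in values]
    return mechs


def classify(mechs, wanted="GSSAPI"):
    """Say which side to investigate, given the advertised mechanisms."""
    offered = {m.upper() for m in mechs}
    if not offered:
        return "unknown"
    return "client" if wanted.upper() in offered else "server"


if __name__ == "__main__":
    side = classify(read_sasl_mechs(LDAP_URI))
    print(side, "-", ADVICE[side])
```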

