redundant DNS setup with bind_dlz possible ?

Andreas Oster aoster at novanetwork.de
Fri Apr 13 09:33:17 MDT 2012


Am 13.04.2012 14:22, schrieb Daniele Dario:
> Hi Andreas,
>
> On Fri, 2012-04-13 at 14:07 +0200, Daniele Dario wrote:
>> Hi Andreas,
>>
>> On Fri, 2012-04-13 at 12:34 +0200, Andreas Oster wrote:
>>> Am 13.04.2012 08:58, schrieb Daniele Dario:
>>>> Hi Andreas and Amitay,
>>>>
>>>> On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
>>>>> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
>>>>>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
>> ...
>>> Hello Daniele,
>>>
>>> As you might have seen in my last post, I have run into the same demoting
>>> issue. Did you manage to demote your server in the meantime?
>>>
>>> best regards
>>>
>>> Andreas
>>>
>> I made a little change in
>> samba/lib//python2.7/site-packages/samba/netcmd/domain.py to show how
>> many rules are locking the demote operation (and which ones). My python
>> knowledge is not so deep but changes are on line 250 like:
>>         if len(res) != 0:
>> -            raise CommandError("Current DC is still the owner of %d
>> role(s), use the role command to transfer roles to another DC"
>> +           for foundRole in res:
>>                 print foundRole.dn
>>             raise CommandError("Current DC is still the owner of %d
>> role(s), use the role command to transfer roles to another DC" %
>> len(res))
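Review bot: the snippet cannot be applied as a patch as posted, because only two lines carry a `-`/`+` prefix: the two continuation lines of the removed `raise` (`role(s), use the role command ...`) have no `-`, and `print foundRole.dn` plus the re-added `raise ... % len(res))` have no `+`. As a diagnostic the loop is useful, but `print foundRole.dn` writes to stdout while the actual reason is raised as a CommandError; putting the DNs into the error text (for example `", ".join(str(r.dn) for r in res)` appended to the message) keeps the owning-object list together with the error in logs and scripted runs.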
>>
>> And it seems that secondary DC is owner of the DNS zones replication
>>
>> [root at kdc02:~/samba4/samba-master]# samba-tool domain demote -U
>> administrator
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
>> CN=Infrastructure,DC=ForestDnsZones,DC=saitelitalia,DC=local
>> ERROR: Current DC is still the owner of 2 role(s), use the role command
>> to transfer roles to another DC
>>
>> If instead of print foundRole.dn you use just foundRole it shows a very
>> long message where you can find more things like
>>
>> 'fSMORoleOwner': MessageElement(['CN=NTDS
>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local'])
>>
>> At this point I think there is something wrong because samba-tool fsmo
>> show doesn't show at all these two roles.
>>
>> Maybe we can just try to delete them using ldbdel ...?
>>
>> Daniele.
>>
> just a step forward:
> in my case, ldbsearch tells me something strange.
>
> [root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
> "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
> ...
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20111222201013.0Z
> uSNCreated: 3624
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
> systemFlags: -1946157056
> objectCategory:
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saiteli
>  talia,DC=local
> isCriticalSystemObject: TRUE
> fSMORoleOwner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name
>  ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> whenChanged: 20111222201017.0Z
> uSNChanged: 3633
> distinguishedName:
> CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=loca
>  l
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> [root at kdc02:~/samba4/samba-master]# ldbsearch
> -H /usr/local/samba/private/sam.ldb -b
> "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
> ...
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20120412142746.0Z
> uSNCreated: 3700
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
> systemFlags: -1946157056
> objectCategory:
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saiteli
>  talia,DC=local
> isCriticalSystemObject: TRUE
> fSMORoleOwner: CN=NTDS
> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name
>  ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> whenChanged: 20120412142749.0Z
> uSNChanged: 3709
> distinguishedName:
> CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=loca
>  l
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> As you can see both the DCs are saying that they are owners of the role.
>
> I'll try to delete entries and see what happens :-P
>
> Daniele
>
Hello Daniele,

do you have an idea what might have caused this? Can this have been
caused by the failed samba_upgradedns run?

I hope you are successful with deleting the role.

best regards

Andreas
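The two ldbsearch dumps quoted above each show the local DC's own NTDS Settings object as `fSMORoleOwner` of the same Infrastructure object. As an added example (not code from the thread or from Samba), the script below parses LDIF output from several DCs, unfolds continuation lines (a leading space joins the previous line, as in the quoted `,CN=Sites` line), and reports every role object on which the DCs disagree about the owner; the sample LDIF is constructed from the quoted output, and the DC names are taken from the thread.

```python
# Added example, not from the thread: compare fSMORoleOwner across DC dumps.

def parse_ldif(text):
    """One dict per LDIF record; every attribute maps to a list of values."""
    records, current, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("..."):
            continue                      # ldbsearch summary lines / elided output
        if raw.startswith(" ") and prev is not None:
            current[prev][-1] += raw[1:]  # folded continuation line (one space)
            continue
        if not raw.strip():               # blank line terminates a record
            if current:
                records.append(current)
            current, prev = {}, None
            continue
        attr, _, value = raw.partition(":")
        prev = attr.strip()
        current.setdefault(prev, []).append(value.strip())
    if current:
        records.append(current)
    return records

def role_owners(text):
    """Map object DN -> fSMORoleOwner DN for records carrying that attribute."""
    return {r["dn"][0]: r["fSMORoleOwner"][0]
            for r in parse_ldif(text) if "fSMORoleOwner" in r}

def conflicting_roles(dumps):
    """dumps: {dc_name: ldif_text}. Returns {object_dn: {dc_name: owner_dn}}
    for every role object whose owner differs between the DCs."""
    by_obj = {}
    for dc, text in dumps.items():
        for obj_dn, owner in role_owners(text).items():
            by_obj.setdefault(obj_dn, {})[dc] = owner
    return {o: v for o, v in by_obj.items() if len(set(v.values())) > 1}

# Constructed sample modelled on the two quoted ldbsearch outputs.
_TEMPLATE = """# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectClass: infrastructureUpdate
fSMORoleOwner: CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local

# returned 1 records
"""
DUMPS = {"kdc01": _TEMPLATE.format(dc="KDC01"),
         "kdc02": _TEMPLATE.format(dc="KDC02")}

if __name__ == "__main__":
    for obj, owners in conflicting_roles(DUMPS).items():
        print(obj, owners)
```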
