[Fwd: problems demoting samba4 DC]

Greg Dickie greg at justaguy.ca
Tue Jun 19 08:54:25 MDT 2012 


Hi Andrew,

  That's what I thought but looking at the code block, it looks like
there is a bind attempt (excuse evolution's brain dead line wrapping).

        try:
            remote_samdb = SamDB(url="ldap://%s" % server,
                                session_info=system_session(),
                                credentials=creds, lp=lp)

            print "Changing userControl and container"
            res =
remote_samdb.search(base=str(remote_samdb.get_root_basedn()),

expression="(&(objectClass=user)(sAMAccountName=%s$))" %
                                            netbios_name.upper(),
                                attrs=["userAccountControl"])
            dc_dn = res[0].dn
            uac = int(str(res[0]["userAccountControl"]))

        except Exception, e:
                print "Error while demoting, re-enabling inbound
replication"
                dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
                nmsg["options"] = ldb.MessageElement(str(dsa_options),
ldb.FLAG_MOD_REPLACE, "options")
                samdb.modify(nmsg)
                raise CommandError("Error while changing account
control", e)

I have not looked at SamDB to see how failures are handled. Perhaps it
fails silently?

I'll try and take a look,
Thanks,
Greg


On Tue, 2012-06-19 at 14:58 +1000, Andrew Bartlett wrote:
> On Mon, 2012-06-18 at 12:56 -0400, Greg Dickie wrote:
> > OK I've moved beyond the last problem (by completely reinitializing the
> > AD). Now I get another error:
> > 
> >  
> > [root at hamba4 samba-master]# /usr/local/samba/bin/samba-tool domain
> > demote 
> > Using MTL-DC1.example.local as partner server for the demotion
> > Password for [administrator at EXAMPLE.LOCAL]:
> > Desactivating inbound replication
> > Asking partner server MTL-DC1.example.local to synchronize from us
> > Changing userControl and container
> > Error while demoting, re-enabling inbound replication
> > ERROR(ldb): Error while changing account control - LDAP error 1
> > LDAP_OPERATIONS_ERROR -  <000004DC: LdapErr: DSID-0C0906E8, comment: In
> > order to perform this operation a successful bind must be completed on
> > the connection., data 0, v1db1> <>
> > 
> > I've looked at this in domain.py and the only thing I can see is that
> > there is no bind to the LDAP service in MTL-DC1 before searching for
> > UAC.
> > 
> > The question is, should demote work at this point or should I stop
> > looking at it?
> 
> You need to authenticate.  Please file a bug that we even try and go
> this far without authentication. 
> 
> Thanks,
> 
> Andrew Bartlett
> 

-- 
Greg Dickie
just a guy
514-983-5400

More information about the samba-technical mailing list