[Fwd: problems demoting samba4 DC]
Greg Dickie
greg at justaguy.ca
Tue Jun 19 08:54:25 MDT 2012
Hi Andrew,
That's what I thought but looking at the code block, it looks like
there is a bind attempt (excuse evolution's brain dead line wrapping).
    try:
        remote_samdb = SamDB(url="ldap://%s" % server,
                             session_info=system_session(),
                             credentials=creds, lp=lp)

        print "Changing userControl and container"
        res = remote_samdb.search(base=str(remote_samdb.get_root_basedn()),
                                  expression="(&(objectClass=user)(sAMAccountName=%s$))" %
                                             netbios_name.upper(),
                                  attrs=["userAccountControl"])
        dc_dn = res[0].dn
        uac = int(str(res[0]["userAccountControl"]))

    except Exception, e:
        print "Error while demoting, re-enabling inbound replication"
        dsa_options ^= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
        nmsg["options"] = ldb.MessageElement(str(dsa_options),
                                             ldb.FLAG_MOD_REPLACE, "options")
        samdb.modify(nmsg)
        raise CommandError("Error while changing account control", e)
I have not looked at SamDB to see how failures are handled. Perhaps it
fails silently?
I'll try and take a look,
Thanks,
Greg
On Tue, 2012-06-19 at 14:58 +1000, Andrew Bartlett wrote:
> On Mon, 2012-06-18 at 12:56 -0400, Greg Dickie wrote:
> > OK I've moved beyond the last problem (by completely reinitializing the
> > AD). Now I get another error:
> >
> >
> > [root at hamba4 samba-master]# /usr/local/samba/bin/samba-tool domain
> > demote
> > Using MTL-DC1.example.local as partner server for the demotion
> > Password for [administrator at EXAMPLE.LOCAL]:
> > Desactivating inbound replication
> > Asking partner server MTL-DC1.example.local to synchronize from us
> > Changing userControl and container
> > Error while demoting, re-enabling inbound replication
> > ERROR(ldb): Error while changing account control - LDAP error 1
> > LDAP_OPERATIONS_ERROR - <000004DC: LdapErr: DSID-0C0906E8, comment: In
> > order to perform this operation a successful bind must be completed on
> > the connection., data 0, v1db1> <>
> >
> > I've looked at this in domain.py and the only thing I can see is that
> > there is no bind to the LDAP service in MTL-DC1 before searching for
> > UAC.
> >
> > The question is, should demote work at this point or should I stop
> > looking at it?
>
> You need to authenticate. Please file a bug that we even try and go
> this far without authentication.
>
> Thanks,
>
> Andrew Bartlett
>
--
Greg Dickie
just a guy
514-983-5400
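An added illustration of the sequence Greg and Andrew are discussing (not samba code, and not part of the original thread): a small Python 3 model in which the partner DC refuses any search on an unbound connection, the demotion refuses to start without credentials, and the rollback path restores the nTDSDSA options value it saved before toggling the inbound-replication bit. FakeRemoteSamDB, LocalDsa, change_account_control and demote are hypothetical names; the userAccountControl value returned by the fake search is a constructed sample. DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL is taken as 0x2 per MS-ADTS.

```python
# Constructed model of the "Changing userControl and container" step of
# samba-tool domain demote, as discussed in the thread. Not samba code.

# nTDSDSA options bit for disabling inbound replication (MS-ADTS: 0x2).
DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL = 0x2

# Constructed sample userAccountControl for a DC computer account:
# SERVER_TRUST_ACCOUNT (0x2000) | TRUSTED_FOR_DELEGATION (0x80000).
SAMPLE_DC_UAC = 0x2000 | 0x80000


class BindRequired(Exception):
    """Models the LDAP_OPERATIONS_ERROR the partner DC returned in the thread."""


class FakeRemoteSamDB:
    """Stand-in for the partner DC's LDAP endpoint (hypothetical).

    A search is only answered if credentials were supplied when the
    connection was opened; otherwise the server demands a bind first.
    """

    def __init__(self, url, credentials=None):
        self.url = url
        self.bound = credentials is not None

    def search(self, expression):
        if not self.bound:
            raise BindRequired(
                "In order to perform this operation a successful bind "
                "must be completed on the connection.")
        # One hit for the DC's own computer account (constructed data).
        return [{"dn": "CN=DC,OU=Domain Controllers,DC=example,DC=local",
                 "userAccountControl": SAMPLE_DC_UAC}]


class LocalDsa:
    """The local DC's nTDSDSA object, reduced to its options attribute."""

    def __init__(self, options=0):
        self.options = options


def change_account_control(local, server, credentials, netbios_name="DC"):
    """Disable inbound replication, then read the DC's UAC on the partner.

    On failure the options attribute is restored to the value saved
    before the change, so the rollback is correct whether or not the
    inbound-replication bit was already set when the step began.
    """
    saved_options = local.options
    local.options |= DS_NTDSDSA_OPT_DISABLE_INBOUND_REPL
    try:
        remote = FakeRemoteSamDB("ldap://%s" % server, credentials=credentials)
        res = remote.search(
            "(&(objectClass=user)(sAMAccountName=%s$))" % netbios_name.upper())
        return int(res[0]["userAccountControl"])
    except BindRequired:
        # "Error while demoting, re-enabling inbound replication"
        local.options = saved_options
        raise


def demote(local, server, credentials):
    """Entry point: refuse to touch replication state without credentials."""
    if credentials is None:
        raise ValueError("no credentials supplied; refusing to start demotion")
    return change_account_control(local, server, credentials)


if __name__ == "__main__":
    dsa = LocalDsa()
    print("UAC on partner: 0x%x" % demote(dsa, "MTL-DC1.example.local", "secret"))
    print("local options now: 0x%x" % dsa.options)
```

The save-and-restore in change_account_control is a deliberate design choice for the model: an exclusive-or against the flag only re-enables replication if the bit was clear before the step, whereas restoring the saved value returns the object to exactly its prior state in either case. The credentials check in demote sits before any modification, which is the ordering Andrew's reply asks for.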