demote error

Daniele Dario d.dario76 at gmail.com
Wed Jun 27 02:22:47 MDT 2012


On Wed, 2012-06-27 at 09:57 +0200, Andreas Oster wrote:
> On 27.06.2012 09:49, Daniele Dario wrote:
> > On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
> >> On 27.06.2012 09:24, Daniele Dario wrote:
> >>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
> >>>> On 12.04.2012 16:29, Daniele Dario wrote:
> >>>>> Sorry,
> >>>>> the problem was that I didn't submit the -U administrator statement.
> >>>>>
> >>>>> Using it all works.
> >>>>>
> >>>>> Again sorry,
> >>>>> Daniele.
> >>>>>
> >>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
> >>>>>> Hi samba team,
> >>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
> >>>>>> replication of DNS partitions between DCs now should be automatic so I
> >>>>>> decided to try to demote my secondary DC to try to join it again to the
> >>>>>> domain and see if replication starts also for me.
> >>>>>>
> >>>>>> Trying to run samba-tool domain demote -d 10 it fails with
> >>>>>>
> >>>>>> ...
> >>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
> >>>>>>      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
> >>>>>>         out: struct drsuapi_DsReplicaSync
> >>>>>>             result                   : WERR_OK
> >>>>>> rpc reply data:
> >>>>>> [0000] 00 00 00 00                                       .... 
> >>>>>> lpcfg_servicenumber: couldn't find ldb
> >>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
> >>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> >>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
> >>>>>> netmask=255.255.255.0
> >>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
> >>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> >>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
> >>>>>> netmask=255.255.255.0
> >>>>>> Changing userControl and container
> >>>>>> Error while demoting, re-enabling inbound replication
> >>>>>> ldb:acl_modify: options
> >>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
> >>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
> >>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
> >>>>>> authentication> <>
> >>>>>>   File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> >>>>>> line 288, in run
> >>>>>>     attrs=["userAccountControl"])
> >>>>>>
> >>>>>> how can I proceed to solve the problem?
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>> Daniele
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> Hello Daniele,
> >>>>
> >>>> can you tell me if samba needs to be stopped before demoting ?
> >>>>
> >>>> Thanks
> >>>>
> >>>> Andreas
> >>>>
> >>>>
> >>>
> >>> Hello Andreas,
> >>> I did not stop it when I demoted the DC.
> >>>
> >>> I think that stopping samba on the DC to be demoted would prevent replicas/syncs
> >>> to other DCs, so the command would fail.
> >>>
> >>> Daniele.
> >>>
> >>>
> >> Hello Daniele,
> >>
> >> thank you for the fast reply. You are right, samba needs to be running
> >> for demoting.
> >>
> >> I have managed to demote the second DC but am now stuck as I am unable
> >> to re-join it to the domain. I always get errors when trying to do so :-(
> >> I already tried to add a new posting but the attachment (log file)
> >> is too big and needs to be reviewed by the moderator.
> >>
> >> best regards
> >>
> >> Andreas
> >>
> >>
> >>
> > 
> > Hi Andreas,
> > I've seen that after demote of "secondary" DCs, the DNS record related
> > to the DC is still present in the _msdcs zone (it happened to me, don't
> > know if it was due to me or to the fact I started with very old releases
> > and had to manually add the record).
> > 
> > Once I manually removed it using samba-tool dns delete, I was again able
> > to re-join the DC and I've seen that with latest git version of samba4
> > replication started automatically also for DNS zones.
> > 
> > Best regards,
> > Daniele.
> > 
> > 
> Hello Daniele,
> 
> how can I check if these entries are still present in the primary DCs
> database, and if so, can you explain in more detail how to remove those
> entries ?
> 
> Thank you very much for your kind help
> 
> best regards
> 
> Andreas
Hi Andreas,
to see records in DNS zones you can use samba-tool dns query.
My network has 2 DCs (kdc01 is PDC and kdc02 is BDC) and the realm is
saitelitalia.local where I have 2 forward zones and a reverse one:
- (fw) saitelitalia.local
- (fw) _msdcs.saitelitalia.local
- (rw) 12.168.192.in-addr.arpa

You can query the samba4 DNS using:

[root at kdc01:~]# samba-tool dns query kdc01 _msdcs.saitelitalia.local @
ALL -U administrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:kdc01[,sign]
Password for [SAITELITALIA\administrator]:
  Name=, Records=3, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=178, refresh=900, retry=600, expire=86400,
ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
(flags=600000f0, serial=178, ttl=3600)
    NS: kdc02.saitelitalia.local. (flags=600000f0, serial=148, ttl=900)
  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
    CNAME: kdc01.saitelitalia.local. (flags=f0, serial=164, ttl=900)
  Name=ce746283-fab6-4a9c-a024-42c31ccf21b2, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=177, ttl=0)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=gc, Records=0, Children=2
  Name=kdc01, Records=1, Children=0
    NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
  Name=kdc02, Records=1, Children=0
    NS: 192.168.12.2. (flags=f0, serial=149, ttl=900)
  Name=pdc, Records=0, Children=1

The above command shows all DNS records which are present in the related
zone.

You can see that there are 2 CNAME records one for kdc01 and one for
kdc02 (now I have re-joined kdc02):
- Name=bdbaecef-ace9-4314-b65e-54933ac8b660 ... CNAME: kdc01. ...
- Name=ce746283-fab6-4a9c-a024-42c31ccf21b2 ... CNAME: kdc02. ...

I found that after I demoted kdc02, its record was still in the zone, so
I used the samba-tool dns delete command to remove it:
[root at kdc01:~]# samba-tool dns delete kdc01 _msdcs.saitelitalia.local
ce746283-fab6-4a9c-a024-42c31ccf21b2 CNAME kdc02.saitelitalia.local. -U
administrator

Obviously the names would change every time you (re)join a DC.

Hope this helps,
Daniele.
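As an added example (not part of the thread and not Samba's own code), the following Python script parses the `samba-tool dns query` listing shown above and builds the `samba-tool dns delete` command for every GUID CNAME record that still points at a demoted DC, so the stale entries can be reviewed before removal. The sample listing, the server name `kdc01` and the user `administrator` are taken from the mail; the functions `parse_query_output` and `stale_dc_records` are assumed helper names, and nothing is executed against the DC.

```python
import re

# Constructed sample input in the shape of `samba-tool dns query <server> <zone> @ ALL`
# output, trimmed from the listing in the mail above (same GUIDs and hosts).
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=3, Children=0
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=178, refresh=900, retry=600, expire=86400,
ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
(flags=600000f0, serial=178, ttl=3600)
    NS: kdc02.saitelitalia.local. (flags=600000f0, serial=148, ttl=900)
  Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
    CNAME: kdc01.saitelitalia.local. (flags=f0, serial=164, ttl=900)
  Name=ce746283-fab6-4a9c-a024-42c31ccf21b2, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=177, ttl=0)
"""

NAME_RE = re.compile(r"^\s*Name=([^,]*), Records=\d+, Children=\d+\s*$")
RECORD_RE = re.compile(r"^\s+([A-Z]+): (\S+)")

def parse_query_output(text):
    """Return (name, rrtype, data) tuples. Wrapped SOA continuation lines
    carry no indentation and no 'TYPE:' prefix, so they are skipped."""
    records, name = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)  # "" is the zone apex ("@" in samba-tool syntax)
            continue
        m = RECORD_RE.match(line)
        if m and name is not None:
            records.append((name, m.group(1), m.group(2)))
    return records

def stale_dc_records(records, dc_fqdn, zone, server="kdc01", user="administrator"):
    """Find GUID CNAME records still pointing at a demoted DC and build the
    matching `samba-tool dns delete` commands for review (nothing is executed).
    Other records naming the DC (e.g. an apex NS) are returned separately."""
    target = dc_fqdn.rstrip(".").lower() + "."
    commands, other_refs = [], []
    for name, rrtype, data in records:
        if data.lower() != target:
            continue
        if rrtype == "CNAME":
            commands.append(f"samba-tool dns delete {server} {zone} {name} "
                            f"CNAME {data} -U {user}")
        else:
            other_refs.append((name or "@", rrtype, data))
    return commands, other_refs
```

Feed the real output of `samba-tool dns query kdc01 _msdcs.saitelitalia.local @ ALL -U administrator` to `parse_query_output`, then pass the FQDN of the demoted DC to `stale_dc_records`; the returned commands match the delete syntax used in the mail, and the second list points out other references (such as the apex NS) that the thread does not cover.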


