demote error

Andreas Oster aoster at novanetwork.de
Wed Jun 27 02:37:36 MDT 2012


Am 27.06.2012 10:22, schrieb Daniele Dario:
> On Wed, 2012-06-27 at 09:57 +0200, Andreas Oster wrote:
>> Am 27.06.2012 09:49, schrieb Daniele Dario:
>>> On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
>>>> Am 27.06.2012 09:24, schrieb Daniele Dario:
>>>>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
>>>>>> Am 12.04.2012 16:29, schrieb Daniele Dario:
>>>>>>> Sorry,
>>>>>>> the problem was that I didn't submit the -U administrator statement.
>>>>>>>
>>>>>>> Using it all works.
>>>>>>>
>>>>>>> Again sorry,
>>>>>>> Daniele.
>>>>>>>
>>>>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
>>>>>>>> Hi samba team,
>>>>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
>>>>>>>> replication of DNS partitions between DCs now should be automatic so I
>>>>>>>> decided to try to demote my secondary DC to try to join it again to the
>>>>>>>> domain and see if replication starts also for me.
>>>>>>>>
>>>>>>>> Trying to run samba-tool domain demote -d 10 it fails with
>>>>>>>>
>>>>>>>> ...
>>>>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>>>>>>>>      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>>>>>>>         out: struct drsuapi_DsReplicaSync
>>>>>>>>             result                   : WERR_OK
>>>>>>>> rpc reply data:
>>>>>>>> [0000] 00 00 00 00                                       .... 
>>>>>>>> lpcfg_servicenumber: couldn't find ldb
>>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>>>> netmask=255.255.255.0
>>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>>>> netmask=255.255.255.0
>>>>>>>> Changing userControl and container
>>>>>>>> Error while demoting, re-enabling inbound replication
>>>>>>>> ldb:acl_modify: options
>>>>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
>>>>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
>>>>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
>>>>>>>> authentication> <>
>>>>>>>>   File
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>>>>> line 288, in run
>>>>>>>>     attrs=["userAccountControl"])
>>>>>>>>
>>>>>>>> how can I proceed to solve the problem?
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> Daniele
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Hello Daniele,
>>>>>>
>>>>>> can you tell me if samba needs to be stopped before demoting?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>>
>>>>>
>>>>> Hello Andreas,
>>>>> I did not stop it when I demoted the DC.
>>>>>
>>>>> I think that stopping samba on the DC to be demoted would prevent replicas/syncs
>>>>> to other DCs, so the command would fail.
>>>>>
>>>>> Daniele.
>>>>>
>>>>>
>>>> Hello Daniele,
>>>>
>>>> thank you for the fast reply. You are right, samba needs to be running
>>>> for demoting.
>>>>
>>>> I have managed to demote the second DC but am now stuck as I am unable
>>>> to re-join it to the domain. I always get errors when trying to do so :-(
>>>> I already tried to add a new posting but the attachment (log file)
>>>> is too big and needs to be reviewed by the moderator.
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>>>
>>>>
>>>>
>>>
>>> Hi Andreas,
>>> I've seen that after demote of "secondary" DCs, the DNS record related
>>> to the DC is still present in the _msdcs zone (it happened to me, don't
>>> know if it was due to me or to the fact I started with very old releases
>>> and had to manually add the record).
>>>
>>> Once I manually removed it using samba-tool dns delete, I was again able
>>> to re-join the DC and I've seen that with latest git version of samba4
>>> replication started automatically also for DNS zones.
>>>
>>> Best regards,
>>> Daniele.
>>>
>>>
>> Hello Daniele,
>>
>> how can I check if these entries are still present in the primary DC's
>> database, and if so, can you explain in more detail how to remove those
>> entries?
>>
>> Thank you very much for your kind help
>>
>> best regards
>>
>> Andreas
> Hi Andreas,
> to see records in DNS zones you can use samba-tool dns query.
> My network has 2 DCs (kdc01 is PDC and kdc02 is BDC) and the realm is
> saitelitalia.local where I have 2 forward zones and a reverse one:
> - (fw) saitelitalia.local
> - (fw) _msdcs.saitelitalia.local
> - (rw) 12.168.192.in-addr.arpa
> 
> You can query the samba4 DNS using:
> 
> [root@kdc01:~]# samba-tool dns query kdc01 _msdcs.saitelitalia.local @
> ALL -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:kdc01[,sign]
> Password for [SAITELITALIA\administrator]:
>   Name=, Records=3, Children=0
>     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>     SOA: serial=178, refresh=900, retry=600, expire=86400,
> ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
> (flags=600000f0, serial=178, ttl=3600)
>     NS: kdc02.saitelitalia.local. (flags=600000f0, serial=148, ttl=900)
>   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
>     CNAME: kdc01.saitelitalia.local. (flags=f0, serial=164, ttl=900)
>   Name=ce746283-fab6-4a9c-a024-42c31ccf21b2, Records=1, Children=0
>     CNAME: kdc02.saitelitalia.local. (flags=f0, serial=177, ttl=0)
>   Name=dc, Records=0, Children=2
>   Name=domains, Records=0, Children=1
>   Name=gc, Records=0, Children=2
>   Name=kdc01, Records=1, Children=0
>     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
>   Name=kdc02, Records=1, Children=0
>     NS: 192.168.12.2. (flags=f0, serial=149, ttl=900)
>   Name=pdc, Records=0, Children=1
> 
> The above command shows all DNS records which are present on the related
> zone.
> 
> You can see that there are 2 CNAME records one for kdc01 and one for
> kdc02 (now I have re-joined kdc02):
> - Name=bdbaecef-ace9-4314-b65e-54933ac8b660 ... CNAME: kdc01. ...
> - Name=ce746283-fab6-4a9c-a024-42c31ccf21b2 ... CNAME: kdc02. ...
> 
> I found that after I demoted kdc02, its record was still in the zone so
> I used the samba-tool dns delete command to remove it:
> [root@kdc01:~]# samba-tool dns delete kdc01 _msdcs.saitelitalia.local
> ce746283-fab6-4a9c-a024-42c31ccf21b2 CNAME kdc02.saitelitalia.local. -U
> administrator
> 
> Obviously the names would change every time you (re)join a DC.
> 
> Hope this helps,
> Daniele.
> 
> 
Hello Daniele,

when I do the lookup on my DC I get the following

administrator@novadc01:/usr/local/samba/bin$ ./samba-tool dns query
novadc01 _msdcs.novanetwork.loc @ ALL -U administrator
Password for [NOVA\administrator]:
  Name=, Records=2, Children=0
    NS: NOVADC01.novanetwork.loc. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=38, refresh=900, retry=600, expire=86400,
ns=novadc01.novanetwork.loc., email=hostmaster.novanetwork.loc.
(flags=600000f0, serial=38, ttl=3600)
  Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
  Name=c60bca82-df6e-409e-85c5-e2cc733691da, Records=1, Children=0
    CNAME: NOVADC01.novanetwork.loc. (flags=f0, serial=1, ttl=900)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1


what puzzles me is that there is a record without a CNAME:

Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0

I also do not have the equivalent of this entry:

Name=kdc01, Records=1, Children=0
    NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)

best regards

Andreas
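As an added example (not from either poster and not part of samba-tool), a small Python checker that parses a `samba-tool dns query ... _msdcs.<realm> @ ALL` listing of the kind shown above and flags the GUID-named nodes a demoted DC can leave behind: nodes with no records at all (like the `7a16b14d-...` entry) and CNAMEs whose target is not one of the zone's apex NS hosts. The helper names `parse_query` and `find_stale_msdcs` and the sample listing are constructed for this example; a flagged node is only a candidate to review before removing it with `samba-tool dns delete` as described earlier in the thread.

```python
import re

# Constructed sample modelled on the listing in the message above (not a
# verbatim copy): one GUID node is empty, the other has a valid CNAME.
SAMPLE = """\
  Name=, Records=2, Children=0
    NS: NOVADC01.novanetwork.loc. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=38, refresh=900, retry=600, expire=86400, ns=novadc01.novanetwork.loc., email=hostmaster.novanetwork.loc. (flags=600000f0, serial=38, ttl=3600)
  Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
  Name=c60bca82-df6e-409e-85c5-e2cc733691da, Records=1, Children=0
    CNAME: NOVADC01.novanetwork.loc. (flags=f0, serial=1, ttl=900)
  Name=dc, Records=0, Children=2
  Name=pdc, Records=0, Children=1
"""

NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=(?P<records>\d+), "
                     r"Children=(?P<children>\d+)\s*$")
REC_RE = re.compile(r"^\s*(?P<type>[A-Z]+): (?P<data>\S+)")
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
                     re.IGNORECASE)


def parse_query(text):
    """Turn samba-tool dns query output into {node name: [(type, data), ...]}."""
    nodes = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            nodes[current] = []
            continue
        m = REC_RE.match(line)
        if m and current is not None:
            nodes[current].append((m.group("type"), m.group("data")))
    return nodes


def find_stale_msdcs(nodes):
    """Return (node, reason) pairs for GUID-named nodes that look left over from a demote."""
    # The DCs still serving the zone are the NS records at the apex (empty name).
    apex_ns = {data.lower() for typ, data in nodes.get("", []) if typ == "NS"}
    findings = []
    for name, recs in nodes.items():
        if not GUID_RE.match(name):
            continue  # dc, gc, pdc, domains etc. are structural sub-nodes
        if not recs:
            findings.append((name, "no records"))
            continue
        for typ, data in recs:
            if typ == "CNAME" and data.lower() not in apex_ns:
                findings.append((name, "CNAME target %s is not an apex NS" % data))
    return findings
```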