demote error

Daniele Dario d.dario76 at gmail.com
Wed Jun 27 03:26:54 MDT 2012


On Wed, 2012-06-27 at 10:37 +0200, Andreas Oster wrote:
> Am 27.06.2012 10:22, schrieb Daniele Dario:
> > On Wed, 2012-06-27 at 09:57 +0200, Andreas Oster wrote:
> >> Am 27.06.2012 09:49, schrieb Daniele Dario:
> >>> On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
> >>>> Am 27.06.2012 09:24, schrieb Daniele Dario:
> >>>>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
> >>>>>> Am 12.04.2012 16:29, schrieb Daniele Dario:
> >>>>>>> Sorry,
> >>>>>>> the problem was that I didn't submit the -U administrator statement.
> >>>>>>>
> >>>>>>> Using it all works.
> >>>>>>>
> >>>>>>> Again sorry,
> >>>>>>> Daniele.
> >>>>>>>
> >>>>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
> >>>>>>>> Hi samba team,
> >>>>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
> >>>>>>>> replication of DNS partitions between DCs now should be automatic so I
> >>>>>>>> decided to try to demote my secondary DC to try to join it again to the
> >>>>>>>> domain and see if replication starts also for me.
> >>>>>>>>
> >>>>>>>> Trying to run samba-tool domain demote -d 10 it fails with
> >>>>>>>>
> >>>>>>>> ...
> >>>>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
> >>>>>>>>      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
> >>>>>>>>         out: struct drsuapi_DsReplicaSync
> >>>>>>>>             result                   : WERR_OK
> >>>>>>>> rpc reply data:
> >>>>>>>> [0000] 00 00 00 00                                       .... 
> >>>>>>>> lpcfg_servicenumber: couldn't find ldb
> >>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
> >>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> >>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
> >>>>>>>> netmask=255.255.255.0
> >>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
> >>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> >>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
> >>>>>>>> netmask=255.255.255.0
> >>>>>>>> Changing userControl and container
> >>>>>>>> Error while demoting, re-enabling inbound replication
> >>>>>>>> ldb:acl_modify: options
> >>>>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
> >>>>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >>>>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
> >>>>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
> >>>>>>>> authentication> <>
> >>>>>>>>   File
> >>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> >>>>>>>> line 288, in run
> >>>>>>>>     attrs=["userAccountControl"])
> >>>>>>>>
> >>>>>>>> how can I proceed to solve the problem?
> >>>>>>>>
> >>>>>>>> Thanks in advance,
> >>>>>>>> Daniele
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> Hello Daniele,
> >>>>>>
> >>>>>> can you tell me if samba needs to be stopped before demoting ?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> Andreas
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> Hello Andreas,
> >>>>> I did not stop it when I demoted the DC.
> >>>>>
> >>>>> I think that stopping samba on the DC to demote would prevent replicas/syncs
> >>>>> to other DCs, so the command would fail.
> >>>>>
> >>>>> Daniele.
> >>>>>
> >>>>>
> >>>> Hello Daniele,
> >>>>
> >>>> thank you for the fast reply. You are right, samba needs to be running
> >>>> for demoting.
> >>>>
> >>>> I have managed to demote the second DC but am now stuck as I am unable
> >>>> to re-join it to the domain. I always get errors when trying to do so :-(
> >>>> I already tried to add a new posting but the attachment (log file)
> >>>> is too big and needs to be reviewed by the moderator.
> >>>>
> >>>> best regards
> >>>>
> >>>> Andreas
> >>>>
> >>>>
> >>>>
> >>>
> >>> Hi Andreas,
> >>> I've seen that after demote of "secondary" DCs, the DNS record related
> >>> to the DC is still present in the _msdcs zone (it happened to me, don't
> >>> know if it was due to me or to the fact I started with very old releases
> >>> and had to manually add the record).
> >>>
> >>> Once I manually removed it using samba-tool dns delete, I was again able
> >>> to re-join the DC and I've seen that with latest git version of samba4
> >>> replication started automatically also for DNS zones.
> >>>
> >>> Best regards,
> >>> Daniele.
> >>>
> >>>
> >> Hello Daniele,
> >>
> >> how can I check if these entries are still present in the primary DCs
> >> database, and if so, can you explain in more detail how to remove those
> >> entries ?
> >>
> >> Thank you very much for your kind help
> >>
> >> best regards
> >>
> >> Andreas
> > Hi Andreas,
> > to see records in DNS zones you can use samba-tool dns query.
> > My network has 2 DCs (kdc01 is PDC and kdc02 is BDC) and the realm is
> > saitelitalia.local where I have 2 forward zones and a reverse one:
> > - (fw) saitelitalia.local
> > - (fw) _msdcs.saitelitalia.local
> > - (rw) 12.168.192.in-addr.arpa
> > 
> > You can query the samba4 DNS using:
> > 
> > [root at kdc01:~]# samba-tool dns query kdc01 _msdcs.saitelitalia.local @
> > ALL -U administrator
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Using binding ncacn_ip_tcp:kdc01[,sign]
> > Password for [SAITELITALIA\administrator]:
> >   Name=, Records=3, Children=0
> >     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
> >     SOA: serial=178, refresh=900, retry=600, expire=86400,
> > ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
> > (flags=600000f0, serial=178, ttl=3600)
> >     NS: kdc02.saitelitalia.local. (flags=600000f0, serial=148, ttl=900)
> >   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
> >     CNAME: kdc01.saitelitalia.local. (flags=f0, serial=164, ttl=900)
> >   Name=ce746283-fab6-4a9c-a024-42c31ccf21b2, Records=1, Children=0
> >     CNAME: kdc02.saitelitalia.local. (flags=f0, serial=177, ttl=0)
> >   Name=dc, Records=0, Children=2
> >   Name=domains, Records=0, Children=1
> >   Name=gc, Records=0, Children=2
> >   Name=kdc01, Records=1, Children=0
> >     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
> >   Name=kdc02, Records=1, Children=0
> >     NS: 192.168.12.2. (flags=f0, serial=149, ttl=900)
> >   Name=pdc, Records=0, Children=1
> > 
> > The above command shows all DNS records which are present in the related
> > zone.
> > 
> > You can see that there are 2 CNAME records one for kdc01 and one for
> > kdc02 (now I have re-joined kdc02):
> > - Name=bdbaecef-ace9-4314-b65e-54933ac8b660 ... CNAME: kdc01. ...
> > - Name=ce746283-fab6-4a9c-a024-42c31ccf21b2 ... CNAME: kdc02. ...
> > 
> > I found that after I demoted kdc02, its record was still in the zone, so
> > I used the samba-tool dns delete command to remove it:
> > [root at kdc01:~]# samba-tool dns delete kdc01 _msdcs.saitelitalia.local
> > ce746283-fab6-4a9c-a024-42c31ccf21b2 CNAME kdc02.saitelitalia.local. -U
> > administrator
> > 
> > Obviously the names would change every time you (re)join a DC.
> > 
> > Hope this helps,
> > Daniele.
> > 
> > 
> Hello Daniele,
> 
> when I do the lookup on my DC I get the following
> 
> administrator at novadc01:/usr/local/samba/bin$ ./samba-tool dns query
> novadc01 _msdcs.novanetwork.loc @ ALL -U administrator
> Password for [NOVA\administrator]:
>   Name=, Records=2, Children=0
>     NS: NOVADC01.novanetwork.loc. (flags=600000f0, serial=1, ttl=900)
>     SOA: serial=38, refresh=900, retry=600, expire=86400,
> ns=novadc01.novanetwork.loc., email=hostmaster.novanetwork.loc.
> (flags=600000f0, serial=38, ttl=3600)
>   Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
>   Name=c60bca82-df6e-409e-85c5-e2cc733691da, Records=1, Children=0
>     CNAME: NOVADC01.novanetwork.loc. (flags=f0, serial=1, ttl=900)
>   Name=dc, Records=0, Children=2
>   Name=domains, Records=0, Children=1
>   Name=gc, Records=0, Children=2
>   Name=pdc, Records=0, Children=1
> 
> 
> what puzzles me is that there is a record without a CNAME:
> 
> Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
> 
> I also do not have the equivalent of this entry:
> 
> Name=kdc01, Records=1, Children=0
>     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
> 
> best regards
> 
> Andreas

mh ...
for now forget the NS records missing.
I found the same problem of the record without its CNAME and it was a
blocker for the join (at least for me).

Trying to delete/modify the record with samba-tool dns will fail because
it tells you there are no records (the CNAME is missing), right?
Also adding a new record fails, telling you that the record already
exists, doesn't it?

To remove the record I suggest (I did it this way) using ldbdel:
administrator at novadc01:/usr/local/samba/private$ ldbdel -H sam.ldb -b
"DC=ForestDnsZones,DC=novanetwork,DC=loc"
"(name=7a16b14d-d320-4d7e-91a2-a61049a6f51e)"

BEFORE trying, make a backup of your sam DBs: stop samba, then tar your
private/ folder.

Daniele.
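As an added example (not part of the thread and not Samba's own code), the check below parses the `samba-tool dns query <dc> _msdcs.<realm> @ ALL` listing quoted above, flags the GUID-named _msdcs entries that are either empty (Records=0, the case Andreas hit) or still alias a host that is no longer a DC, and prints the inspection and cleanup commands in the order a careful admin would run them: an `ldbsearch` to look at the object first, then `samba-tool dns delete` where the CNAME is still present, or an `ldbdel` by full DN for an empty node. The sample input is the output Andreas posted with the GENSEC lines dropped and the wrapped SOA line re-joined; the list of live DCs and the assumed dnsNode DN layout (`DC=<name>,DC=<zone>,CN=MicrosoftDNS,DC=ForestDnsZones,<domain DN>`) are assumptions, so verify the DN with the ldbsearch before deleting anything.

```python
import re

# Constructed sample input: the `samba-tool dns query novadc01 _msdcs.novanetwork.loc @ ALL`
# output from the thread, GENSEC/password chatter removed and the SOA line re-joined
# (the mail client had wrapped it across two lines).
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=2, Children=0
    NS: NOVADC01.novanetwork.loc. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=38, refresh=900, retry=600, expire=86400, ns=novadc01.novanetwork.loc., email=hostmaster.novanetwork.loc. (flags=600000f0, serial=38, ttl=3600)
  Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
  Name=c60bca82-df6e-409e-85c5-e2cc733691da, Records=1, Children=0
    CNAME: NOVADC01.novanetwork.loc. (flags=f0, serial=1, ttl=900)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1
"""

NODE_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=(?P<records>\d+), Children=(?P<children>\d+)\s*$")
RR_RE = re.compile(r"^\s+(?P<rtype>[A-Z]+): (?P<rdata>\S+)")
# The _msdcs aliases are named after the DC's DSA GUID.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def parse_query_output(text):
    """Turn the node listing into {name: {"records": n, "children": n, "rrs": [(type, data), ...]}}.
    Continuation lines that do not look like a record (e.g. a wrapped SOA) are ignored."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = m.group("name")
            nodes[current] = {"records": int(m.group("records")),
                              "children": int(m.group("children")), "rrs": []}
            continue
        m = RR_RE.match(line)
        if m and current is not None:
            nodes[current]["rrs"].append((m.group("rtype"), m.group("rdata")))
    return nodes


def find_stale_dc_aliases(nodes, live_dcs):
    """Flag GUID-named nodes that are empty (Records=0, no CNAME) or that alias a host
    not in live_dcs. Returns a list of (name, kind, cname_target_or_None)."""
    live = {h.lower().rstrip(".") for h in live_dcs}
    findings = []
    for name, node in nodes.items():
        if not GUID_RE.match(name):
            continue
        cnames = [rdata for rtype, rdata in node["rrs"] if rtype == "CNAME"]
        if node["records"] == 0 and not cnames:
            findings.append((name, "empty-node", None))
        for target in cnames:
            if target.lower().rstrip(".") not in live:
                findings.append((name, "stale-cname", target))
    return findings


def cleanup_commands(findings, server, zone, domain_dn):
    """Map each finding to shell commands, mirroring the thread: `samba-tool dns delete`
    for a node that still has its CNAME, and a direct sam.ldb delete for an empty node.
    ASSUMPTION: dnsNode objects live at DC=<name>,DC=<zone>,CN=MicrosoftDNS,
    DC=ForestDnsZones,<domain DN>. An ldbsearch is emitted first so the object and its
    dnsRecord attribute can be inspected (and private/ backed up) before any delete."""
    cmds = []
    forest_dns_dn = "DC=ForestDnsZones," + domain_dn
    for name, kind, target in findings:
        cmds.append('ldbsearch -H sam.ldb -b "%s" "(name=%s)" dn dnsRecord' % (forest_dns_dn, name))
        if kind == "stale-cname":
            cmds.append("samba-tool dns delete %s %s %s CNAME %s -U administrator"
                        % (server, zone, name, target))
        else:
            node_dn = "DC=%s,DC=%s,CN=MicrosoftDNS,%s" % (name, zone, forest_dns_dn)
            cmds.append('ldbdel -H sam.ldb "%s"' % node_dn)
    return cmds


if __name__ == "__main__":
    parsed = parse_query_output(SAMPLE_QUERY_OUTPUT)
    stale = find_stale_dc_aliases(parsed, live_dcs=["novadc01.novanetwork.loc"])
    for cmd in cleanup_commands(stale, "novadc01", "_msdcs.novanetwork.loc", "DC=novanetwork,DC=loc"):
        print(cmd)
```

Run it with the listing saved from your own DC and the hostnames of the DCs that should still exist; anything it flags under the demoted DC's old GUID is what blocks the re-join, and the printed ldbsearch lets you confirm the DN resolves to exactly one dnsNode before the delete.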



More information about the samba-technical mailing list