demote error

Andreas Oster aoster at novanetwork.de
Wed Jun 27 03:34:36 MDT 2012


Am 27.06.2012 11:26, schrieb Daniele Dario:
> On Wed, 2012-06-27 at 10:37 +0200, Andreas Oster wrote:
>> Am 27.06.2012 10:22, schrieb Daniele Dario:
>>> On Wed, 2012-06-27 at 09:57 +0200, Andreas Oster wrote:
>>>> Am 27.06.2012 09:49, schrieb Daniele Dario:
>>>>> On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
>>>>>> Am 27.06.2012 09:24, schrieb Daniele Dario:
>>>>>>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
>>>>>>>> Am 12.04.2012 16:29, schrieb Daniele Dario:
>>>>>>>>> Sorry,
>>>>>>>>> the problem was that I didn't submit the -U administrator statement.
>>>>>>>>>
>>>>>>>>> Using it all works.
>>>>>>>>>
>>>>>>>>> Again sorry,
>>>>>>>>> Daniele.
>>>>>>>>>
>>>>>>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
>>>>>>>>>> Hi samba team,
>>>>>>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
>>>>>>>>>> replication of DNS partitions between DCs now should be automatic so I
>>>>>>>>>> decided to try to demote my secondary DC to try to join it again to the
>>>>>>>>>> domain and see if replication starts also for me.
>>>>>>>>>>
>>>>>>>>>> Trying to run samba-tool domain demote -d 10 it fails with
>>>>>>>>>>
>>>>>>>>>> ...
>>>>>>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>>>>>>>>>>      drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>>>>>>>>>         out: struct drsuapi_DsReplicaSync
>>>>>>>>>>             result                   : WERR_OK
>>>>>>>>>> rpc reply data:
>>>>>>>>>> [0000] 00 00 00 00                                       .... 
>>>>>>>>>> lpcfg_servicenumber: couldn't find ldb
>>>>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>>>>>> netmask=255.255.255.0
>>>>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>>>>>> netmask=255.255.255.0
>>>>>>>>>> Changing userControl and container
>>>>>>>>>> Error while demoting, re-enabling inbound replication
>>>>>>>>>> ldb:acl_modify: options
>>>>>>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
>>>>>>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
>>>>>>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
>>>>>>>>>> authentication> <>
>>>>>>>>>>   File
>>>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>>>>>>> line 288, in run
>>>>>>>>>>     attrs=["userAccountControl"])
>>>>>>>>>>
>>>>>>>>>> how can I proceed to solve the problem?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>> Daniele
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Hello Daniele,
>>>>>>>>
>>>>>>>> can you tell me if samba needs to be stopped before demoting?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Andreas
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Hello Andreas,
>>>>>>> I did not stop it when I demoted the DC.
>>>>>>>
>>>>>>> I think that stopping samba on the DC to demote would prevent replicas/syncs
>>>>>>> to other DCs so the command would fail.
>>>>>>>
>>>>>>> Daniele.
>>>>>>>
>>>>>>>
>>>>>> Hello Daniele,
>>>>>>
>>>>>> thank you for the fast reply. You are right, samba needs to be running
>>>>>> for demoting.
>>>>>>
>>>>>> I have managed to demote the second DC but am now stuck as I am unable
>>>>>> to re-join it to the domain. I always get errors when trying to do so :-(
>>>>>> I already tried to add a new posting but the attachment (log file)
>>>>>> is too big and needs to be reviewed by the moderator.
>>>>>>
>>>>>> best regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hi Andreas,
>>>>> I've seen that after demote of "secondary" DCs, the DNS record related
>>>>> to the DC is still present in the _msdcs zone (it happened to me, don't
>>>>> know if it was due to me or to the fact I started with very old releases
>>>>> and had to manually add the record).
>>>>>
>>>>> Once I manually removed it using samba-tool dns delete, I was again able
>>>>> to re-join the DC and I've seen that with latest git version of samba4
>>>>> replication started automatically also for DNS zones.
>>>>>
>>>>> Best regards,
>>>>> Daniele.
>>>>>
>>>>>
>>>> Hello Daniele,
>>>>
>>>> how can I check if these entries are still present in the primary DC's
>>>> database, and if so, can you explain in more detail how to remove those
>>>> entries?
>>>>
>>>> Thank you very much for your kind help
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>> Hi Andreas,
>>> to see records in DNS zones you can use samba-tool dns query.
>>> My network has 2 DCs (kdc01 is PDC and kdc02 is BDC) and the realm is
>>> saitelitalia.local where I have 2 forward zones and a reverse one:
>>> - (fw) saitelitalia.local
>>> - (fw) _msdcs.saitelitalia.local
>>> - (rw) 12.168.192.in-addr.arpa
>>>
>>> You can query the samba4 DNS using:
>>>
>>> [root at kdc01:~]# samba-tool dns query kdc01 _msdcs.saitelitalia.local @
>>> ALL -U administrator
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> Using binding ncacn_ip_tcp:kdc01[,sign]
>>> Password for [SAITELITALIA\administrator]:
>>>   Name=, Records=3, Children=0
>>>     NS: kdc01.saitelitalia.local. (flags=600000f0, serial=1, ttl=900)
>>>     SOA: serial=178, refresh=900, retry=600, expire=86400,
>>> ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local.
>>> (flags=600000f0, serial=178, ttl=3600)
>>>     NS: kdc02.saitelitalia.local. (flags=600000f0, serial=148, ttl=900)
>>>   Name=bdbaecef-ace9-4314-b65e-54933ac8b660, Records=1, Children=0
>>>     CNAME: kdc01.saitelitalia.local. (flags=f0, serial=164, ttl=900)
>>>   Name=ce746283-fab6-4a9c-a024-42c31ccf21b2, Records=1, Children=0
>>>     CNAME: kdc02.saitelitalia.local. (flags=f0, serial=177, ttl=0)
>>>   Name=dc, Records=0, Children=2
>>>   Name=domains, Records=0, Children=1
>>>   Name=gc, Records=0, Children=2
>>>   Name=kdc01, Records=1, Children=0
>>>     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
>>>   Name=kdc02, Records=1, Children=0
>>>     NS: 192.168.12.2. (flags=f0, serial=149, ttl=900)
>>>   Name=pdc, Records=0, Children=1
>>>
>>> The above command shows all DNS records which are present on the related
>>> zone.
>>>
>>> You can see that there are 2 CNAME records one for kdc01 and one for
>>> kdc02 (now I have re-joined kdc02):
>>> - Name=bdbaecef-ace9-4314-b65e-54933ac8b660 ... CNAME: kdc01. ...
>>> - Name=ce746283-fab6-4a9c-a024-42c31ccf21b2 ... CNAME: kdc02. ...
>>>
>>> I found that after I demoted kdc02, its record was still in the zone so
>>> I used samba-tool dns delete command to remove it:
>>> [root at kdc01:~]# samba-tool dns delete kdc01 _msdcs.saitelitalia.local
>>> ce746283-fab6-4a9c-a024-42c31ccf21b2 CNAME kdc02.saitelitalia.local. -U
>>> administrator
>>>
>>> Obviously the names would change every time you (re)join a DC.
>>>
>>> Hope this helps,
>>> Daniele.
>>>
>>>
>> Hello Daniele,
>>
>> when I do the lookup on my DC I get the following
>>
>> administrator at novadc01:/usr/local/samba/bin$ ./samba-tool dns query
>> novadc01 _msdcs.novanetwork.loc @ ALL -U administrator
>> Password for [NOVA\administrator]:
>>   Name=, Records=2, Children=0
>>     NS: NOVADC01.novanetwork.loc. (flags=600000f0, serial=1, ttl=900)
>>     SOA: serial=38, refresh=900, retry=600, expire=86400,
>> ns=novadc01.novanetwork.loc., email=hostmaster.novanetwork.loc.
>> (flags=600000f0, serial=38, ttl=3600)
>>   Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
>>   Name=c60bca82-df6e-409e-85c5-e2cc733691da, Records=1, Children=0
>>     CNAME: NOVADC01.novanetwork.loc. (flags=f0, serial=1, ttl=900)
>>   Name=dc, Records=0, Children=2
>>   Name=domains, Records=0, Children=1
>>   Name=gc, Records=0, Children=2
>>   Name=pdc, Records=0, Children=1
>>
>>
>> what puzzles me is that there is a record without a CNAME:
>>
>> Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
>>
>> I also do not have the equivalent of this entry:
>>
>> Name=kdc01, Records=1, Children=0
>>     NS: 192.168.12.5. (flags=f0, serial=62, ttl=900)
>>
>> best regards
>>
>> Andreas
> 
> mh ...
> for now forget the NS records missing.
> I found the same problem of the record without its CNAME and it was a
> blocker for the join (at least to me).
> 
> Trying to delete/modify the record with samba-tool dns will fail because
> it tells you there are no records (you miss the CNAME), right?
> Also adding a new record fails telling you that the record already
> exists, isn't it?
> 
> To remove the record I suggest (I made in this way) to use ldbdel:
> administrator at novadc01:/usr/local/samba/private$ ldbdel -H sam.ldb -b
> "DC=ForestDnsZones,DC=novanetwork,DC=loc"
> "(name=7a16b14d-d320-4d7e-91a2-a61049a6f51e)"
> 
> BEFORE trying, make a backup of your sam dbs: stop samba, then tar your
> private/ folder.
> 
> Daniele.
> 
> 
Hello Daniele,

Thanks, I will give it a try this evening.

regards

Andreas
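A small checker, added here and not part of the thread, that parses the `samba-tool dns query <dc> _msdcs.<realm> @ ALL` output format quoted above and flags the two conditions the thread runs into: a GUID-named _msdcs entry carrying no records at all (the "record without a CNAME"), and a DSA-GUID CNAME still pointing at a host that is no longer a DC after a demote. The sample output, hostnames and GUIDs below are constructed, and the list of DCs still in the domain is an assumed input.

```python
import re

# Constructed sample modelled on the `samba-tool dns query <dc> _msdcs.<realm> @ ALL`
# output quoted in the thread; hostnames and GUIDs are made up.
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=2, Children=0
    NS: dc01.example.lan. (flags=600000f0, serial=1, ttl=900)
    SOA: serial=38, refresh=900, retry=600, expire=86400,
  Name=11111111-2222-3333-4444-555555555555, Records=0, Children=0
  Name=66666666-7777-8888-9999-aaaaaaaaaaaa, Records=1, Children=0
    CNAME: dc01.example.lan. (flags=f0, serial=1, ttl=900)
  Name=bbbbbbbb-cccc-dddd-eeee-ffffffffffff, Records=1, Children=0
    CNAME: dc02.example.lan. (flags=f0, serial=5, ttl=0)
  Name=dc, Records=0, Children=2
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=(?P<records>\d+), Children=\d+")
CNAME_RE = re.compile(r"^\s*CNAME:\s+(?P<target>\S+)")

def parse_msdcs_query(text):
    """Map each Name= entry to its record count and CNAME target (if any)."""
    entries, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")
            entries[current] = {"records": int(m.group("records")), "cname": None}
            continue
        m = CNAME_RE.match(line)
        if m and current is not None:
            entries[current]["cname"] = m.group("target").rstrip(".").lower()
    return entries

def find_stale_dc_guid_records(text, live_dcs):
    """Flag DSA-GUID entries that block a re-join: GUID names carrying no
    records (the 'record without a CNAME' case) and CNAMEs whose target is
    not one of the DCs still in the domain (left behind by a demote)."""
    live = {h.rstrip(".").lower() for h in live_dcs}
    findings = []
    for name, info in parse_msdcs_query(text).items():
        if not GUID_RE.match(name):
            continue  # '', dc, domains, gc, pdc ... are not DSA GUID entries
        if info["records"] == 0 or info["cname"] is None:
            findings.append((name, "empty-guid-entry", None))
        elif info["cname"] not in live:
            findings.append((name, "cname-to-demoted-dc", info["cname"]))
    return findings
```

Entries reported as `empty-guid-entry` are the ones `samba-tool dns delete` cannot remove (no record to name), which is where the thread falls back to `ldbdel` against sam.ldb after taking a backup.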