demote error

Matthieu Patou mat at samba.org
Wed Jun 27 10:50:12 MDT 2012


On 06/27/2012 12:49 AM, Daniele Dario wrote:
> On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
>>> On 27.06.2012 09:24, Daniele Dario wrote:
>>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
>>>>> On 12.04.2012 16:29, Daniele Dario wrote:
>>>>> Sorry,
>>>>> the problem was that I didn't submit the -U administrator statement.
>>>>>
>>>>> Using it all works.
>>>>>
>>>>> Again sorry,
>>>>> Daniele.
>>>>>
>>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
>>>>>> Hi samba team,
>>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
>>>>>> replication of DNS partitions between DCs now should be automatic so I
>>>>>> decided to try to demote my secondary DC to try to join it again to the
>>>>>> domain and see if replication starts also for me.
>>>>>>
>>>>>> Trying to run samba-tool domain demote -d 10, it fails with
>>>>>>
>>>>>> ...
>>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>>>>>>       drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>>>>>          out: struct drsuapi_DsReplicaSync
>>>>>>              result                   : WERR_OK
>>>>>> rpc reply data:
>>>>>> [0000] 00 00 00 00                                       ....
>>>>>> lpcfg_servicenumber: couldn't find ldb
>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>> netmask=255.255.255.0
>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>> netmask=255.255.255.0
>>>>>> Changing userControl and container
>>>>>> Error while demoting, re-enabling inbound replication
>>>>>> ldb:acl_modify: options
>>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
>>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
>>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
>>>>>> authentication> <>
>>>>>>    File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>>> line 288, in run
>>>>>>      attrs=["userAccountControl"])
>>>>>>
>>>>>> how can I proceed to solve the problem?
>>>>>>
>>>>>> Thanks in advance,
>>>>>> Daniele
>>>>>>
>>>>>
>>>>>
>>>> Hello Daniele,
>>>>
>>>> can you tell me if samba needs to be stopped before demoting ?
>>>>
>>>> Thanks
>>>>
>>>> Andreas
>>>>
>>>>
>>> Hello Andreas,
>>> I did not stop it when I demoted the DC.
>>>
>>> I think that stopping samba on the DC to demote would prevent replicas/syncs
>>> to other DCs, so the command would fail.
>>>
>>> Daniele.
>>>
>>>
>> Hello Daniele,
>>
>> thank you for the fast reply. You are right, samba needs to be running
>> for demoting.
>>
>> I have managed to demote the second DC but am now stuck as I am unable
>> to re-join it to the domain. I always get errors when trying to do so :-(
>> I already tried to add a new posting but the attachment (log file)
>> is too big and needs to be reviewed by the moderator.
>>
>> best regards
>>
>> Andreas
>>
>>
>>
> Hi Andreas,
> I've seen that after the demote of "secondary" DCs, the DNS record related
> to the DC is still present in the _msdcs zone (it happened to me, don't
> know if it was due to me or to the fact I started with very old releases
> and had to manually add the record).
When I wrote the demote option for samba-tool we didn't really have the 
DNS stored in AD; that's why I haven't done the cleanup of these 
records. I think adding the code to samba-tool shouldn't be too complicated.
If too complicated, then please file a bug report for an enhancement request.
> Once I manually removed it using samba-tool dns delete, I was again able
> to re-join the DC and I've seen that with latest git version of samba4
> replication started automatically also for DNS zones.
I'm not too sure I understand why old DNS records would prevent samba 
from joining a second time as a DC; it should in the end update the DNS 
records cleanly.

Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
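An added example, not part of this thread and not samba's own code, for the cleanup Daniele did by hand and Matthieu says samba-tool demote does not yet perform: a POSIX shell script that scans a pasted dump of `samba-tool dns query <server> <zone> @ ALL` for records that still point at the demoted DC and prints the matching `samba-tool dns delete <server> <zone> <name> <type> <data>` commands for review, without running any of them. The sample dump, the server, zone and host names, the GUID and the IP address are all constructed for the example; the output layout it parses (`Name=..., Records=N, Children=M` headers followed by indented `TYPE: data (flags=...)` lines) is an assumption to check against the samba-tool version you run. SRV records are only flagged, since their data argument format for `dns delete` should be checked by hand before deleting.

```shell
#!/bin/sh
# Added example (not samba code): find DNS records left behind after
# `samba-tool domain demote` and emit the delete commands for review.

# stale_record_cmds SERVER ZONE DEMOTED_FQDN [IP ...]  < query_output
# A record is treated as stale when its data contains the demoted DC's
# FQDN (CNAME/NS/SRV targets) or equals one of the given IPs (A/AAAA).
# The "Name=..." / "    TYPE: data (flags=...)" layout is an assumption.
stale_record_cmds() {
    [ $# -ge 3 ] || { echo "usage: stale_record_cmds SERVER ZONE FQDN [IP ...]" >&2; return 2; }
    server=$1; zone=$2; host=$3
    shift 3
    awk -v server="$server" -v zone="$zone" -v host="$host" -v ips="$*" '
        BEGIN { n = split(ips, iplist, " ") }
        /^[ \t]*Name=/ {
            # "Name=gc, Records=2, Children=0" -> record name "gc";
            # the zone apex prints an empty name, which samba-tool spells "@"
            name = $1
            sub(/^Name=/, "", name)
            sub(/,$/, "", name)
            if (name == "") name = "@"
            next
        }
        /^[ \t]*[A-Z]+:/ {
            type = $1
            sub(/:$/, "", type)
            # record data is everything between "TYPE: " and " (flags="
            data = $0
            sub(/^[ \t]*[A-Z]+:[ \t]*/, "", data)
            sub(/[ \t]*\(flags=.*$/, "", data)
            stale = (index(tolower(data), tolower(host)) > 0)
            for (i = 1; i <= n && !stale; i++) if (data == iplist[i]) stale = 1
            if (!stale) next
            if (type == "A" || type == "AAAA" || type == "CNAME" || type == "NS")
                printf "samba-tool dns delete %s %s %s %s %s\n", server, zone, name, type, data
            else
                printf "# review manually: %s %s %s\n", name, type, data
        }'
}

# Constructed sample of what `samba-tool dns query kdc01 _msdcs.saitelitalia.local @ ALL`
# might print after kdc02 was demoted; names, GUID and IPs are made up.
sample_query_output() {
    cat <<'EOF'
  Name=, Records=3, Children=0
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=kdc01.saitelitalia.local., email=hostmaster.saitelitalia.local. (flags=600000f0, serial=110, ttl=3600)
    NS: kdc01.saitelitalia.local. (flags=600000f0, serial=110, ttl=3600)
    NS: kdc02.saitelitalia.local. (flags=600000f0, serial=110, ttl=3600)
  Name=gc, Records=2, Children=0
    A: 192.168.12.1 (flags=f0, serial=110, ttl=900)
    A: 192.168.12.2 (flags=f0, serial=110, ttl=900)
  Name=2c4e9f0a-1b2d-4c3e-8a9b-0d1e2f3a4b5c, Records=1, Children=0
    CNAME: kdc02.saitelitalia.local. (flags=f0, serial=110, ttl=900)
  Name=_ldap._tcp.dc, Records=2, Children=0
    SRV: kdc01.saitelitalia.local. (389, 0, 100) (flags=f0, serial=110, ttl=900)
    SRV: kdc02.saitelitalia.local. (389, 0, 100) (flags=f0, serial=110, ttl=900)
EOF
}

# Demo run: prints three delete commands and one SRV line to review.
sample_query_output | stale_record_cmds kdc01 _msdcs.saitelitalia.local kdc02.saitelitalia.local 192.168.12.2
```

Feed it a real dump with `samba-tool dns query kdc01 _msdcs.example.local @ ALL | sh script.sh` style redirection, read the generated commands, and only then run them with -U administrator against the surviving DC. The record data is printed exactly as the query shows it; if a delete reports no matching record, compare the data string (trailing dot included) with what the server stores.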


