demote error

Daniele Dario d.dario76 at gmail.com
Thu Jun 28 02:18:07 MDT 2012


On Wed, 2012-06-27 at 09:50 -0700, Matthieu Patou wrote:
> On 06/27/2012 12:49 AM, Daniele Dario wrote:
> > On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
> >> Am 27.06.2012 09:24, schrieb Daniele Dario:
> >>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
> >>>> Am 12.04.2012 16:29, schrieb Daniele Dario:
> >>>>> Sorry,
> >>>>> the problem was that I didn't submit the -U administrator statement.
> >>>>>
> >>>>> Using it all works.
> >>>>>
> >>>>> Again sorry,
> >>>>> Daniele.
> >>>>>
> >>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
> >>>>>> Hi samba team,
> >>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
> >>>>>> replication of DNS partitions between DCs now should be automatic so I
> >>>>>> decided to try to demote my secondary DC to try to join it again to the
> >>>>>> domain and see if replication starts also for me.
> >>>>>>
> >>>>>> Trying to run samba-tool domain demote -d 10 it fails with
> >>>>>>
> >>>>>> ...
> >>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
> >>>>>>       drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
> >>>>>>          out: struct drsuapi_DsReplicaSync
> >>>>>>              result                   : WERR_OK
> >>>>>> rpc reply data:
> >>>>>> [0000] 00 00 00 00                                       ....
> >>>>>> lpcfg_servicenumber: couldn't find ldb
> >>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
> >>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> >>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
> >>>>>> netmask=255.255.255.0
> >>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
> >>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> >>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
> >>>>>> netmask=255.255.255.0
> >>>>>> Changing userControl and container
> >>>>>> Error while demoting, re-enabling inbound replication
> >>>>>> ldb:acl_modify: options
> >>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
> >>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
> >>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
> >>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
> >>>>>> authentication> <>
> >>>>>>    File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> >>>>>> line 288, in run
> >>>>>>      attrs=["userAccountControl"])
> >>>>>>
> >>>>>> how can I proceed to solve the problem?
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>> Daniele
> >>>>>>
> >>>>>
> >>>>>
> >>>> Hello Daniele,
> >>>>
> >>>> can you tell me if samba needs to be stopped before demoting ?
> >>>>
> >>>> Thanks
> >>>>
> >>>> Andreas
> >>>>
> >>>>
> >>> Hello Andreas,
> >>> I did not stop it when I demoted the DC.
> >>>
> >>> I think that stopping samba on the DC to be demoted would prevent replicas/syncs
> >>> to other DCs, so the command would fail.
> >>>
> >>> Daniele.
> >>>
> >>>
> >> Hello Daniele,
> >>
> >> thank you for the fast reply. You are right, samba needs to be running
> >> for demoting.
> >>
> >> I have managed to demote the second DC but am now stuck as I am unable
> >> to re-join it to the domain. I always get errors when trying to do so :-(
> >> I already tried to add a new posting but the attachment (log file)
> >> is too big and needs to be reviewed by the moderator.
> >>
> >> best regards
> >>
> >> Andreas
> >>
> >>
> >>
> > Hi Andreas,
> > I've seen that after demote of "secondary" DCs, the DNS record related
> > to the DC is still present in the _msdcs zone (it happened to me, don't
> > know if it was due to me or to the fact I started with very old releases
> > and had to manually add the record).
> When I wrote the demote option for samba-tool we didn't really have the 
> DNS stored in the AD, that's why I haven't done the cleanup of these 
> records. I think adding the code in samba-tool shouldn't be too complicated.
> If too complicated then please file a bug report for an enhancement request.
> > Once I manually removed it using samba-tool dns delete, I was again able
> > to re-join the DC and I've seen that with latest git version of samba4
> > replication started automatically also for DNS zones.
> I'm not too sure I understand why old DNS records would prevent samba 
> from joining a second time as a DC, it should in the end update the DNS 
> records cleanly.
> 
> Matthieu.
> 
Hi Matthieu,
that's my fault. The problem I had was not with records that weren't cleaned up.

Like Andreas, I had the record of the secondary DC like
Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
which was missing the CNAME part.

Trying to manually remove/modify the record with samba-tool failed
(I don't remember the code and can't reproduce it now), and also samba-tool,
when adding a new record, said the record already exists.

During re-join I had failures and tried to find out why. When I found that
"wrong" record, I managed to remove it only with ldbedit/ldbdel, and
after it was removed I was able to re-join the DC.

At this point I don't know whether it was the problem or not, but I just
wanted to share my experience.

Regards,
Daniele.
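The stale entry Daniele describes (a dnsNode named after the DC's GUID that shows "Records=0" and has lost its CNAME) can be spotted by listing the _msdcs zone with ldbsearch and looking for nodes that carry no dnsRecord value at all. The script below is an added example, not code from this thread or from the Samba project: it parses LDIF in the form ldbsearch prints (comments, folded continuation lines, base64 "::" values), reports non-tombstoned dnsNode entries without any dnsRecord, and prints the ldbdel invocation that would remove each one. The sample LDIF, the zone DN under ForestDnsZones, the GUIDs and the sam.ldb path are constructed assumptions; review the reported DNs before deleting anything, since ldbdel bypasses the DNS RPC and the samba-tool checks entirely.

```python
"""Find dnsNode entries in an AD-integrated _msdcs zone that have no dnsRecord.

Added example; not from the mailing-list thread or the Samba project.
Assumptions: the zone lives under ForestDnsZones, the local database is at
/usr/local/samba/private/sam.ldb (matching the install prefix seen in the
thread), and the LDIF below is a constructed stand-in for ldbsearch output.
"""
import base64
import re
import shlex

SAM_LDB = "/usr/local/samba/private/sam.ldb"  # assumed path

# Constructed sample of what `ldbsearch -H sam.ldb -b <zone DN>
# '(objectClass=dnsNode)' dn name objectClass dnsRecord dNSTombstoned`
# prints: record 1 has no dnsRecord (the stale "Records=0" node),
# record 2 has one binary dnsRecord (ldb shows it base64 with "::"),
# record 3 is a DNS tombstone and is expected to have none.
SAMPLE_LDIF = """\
# record 1
dn: DC=7a16b14d-d320-4d7e-91a2-a61049a6f51e,DC=_msdcs.saitelitalia.local,CN=M
 icrosoftDNS,DC=ForestDnsZones,DC=saitelitalia,DC=local
name: 7a16b14d-d320-4d7e-91a2-a61049a6f51e
objectClass: dnsNode

# record 2
dn: DC=3c5e1f9a-0f21-4d0e-9b11-0a0b0c0d0e0f,DC=_msdcs.saitelitalia.local,CN=M
 icrosoftDNS,DC=ForestDnsZones,DC=saitelitalia,DC=local
name: 3c5e1f9a-0f21-4d0e-9b11-0a0b0c0d0e0f
objectClass: dnsNode
dnsRecord:: BAAFAAAABgAAAAAAAAA=

# record 3
dn: DC=9f0e1d2c-3b4a-4c5d-8e6f-7a8b9c0d1e2f,DC=_msdcs.saitelitalia.local,CN=M
 icrosoftDNS,DC=ForestDnsZones,DC=saitelitalia,DC=local
name: 9f0e1d2c-3b4a-4c5d-8e6f-7a8b9c0d1e2f
objectClass: dnsNode
dNSTombstoned: TRUE

# returned 3 records
"""

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute name -> list of values.

    Handles LDIF folding (continuation lines start with a single space),
    '#' comment lines and base64 values ('attr:: ...'), which are decoded to bytes.
    """
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    entries, current = [], {}
    for line in unfolded.splitlines():
        line = line.rstrip("\r")
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        name, sep, value = m.groups()
        current.setdefault(name, []).append(
            base64.b64decode(value) if sep == "::" else value)
    if current:  # flush a trailing entry with no closing blank line
        entries.append(current)
    return entries


def find_stale_nodes(entries):
    """DNs of dnsNode entries that are not tombstoned yet carry no dnsRecord."""
    stale = []
    for e in entries:
        if "dnsNode" not in e.get("objectClass", []):
            continue
        if e.get("dNSTombstoned", ["FALSE"])[0].upper() == "TRUE":
            continue  # a tombstone legitimately has no records; leave it alone
        if not e.get("dnsRecord"):
            stale.append(e["dn"][0])
    return stale


def ldbdel_command(dn, sam_ldb=SAM_LDB):
    """Shell command that would delete the node directly from sam.ldb."""
    return "ldbdel -H %s %s" % (shlex.quote(sam_ldb), shlex.quote(dn))


if __name__ == "__main__":
    for dn in find_stale_nodes(parse_ldif(SAMPLE_LDIF)):
        print(ldbdel_command(dn))
```

Against a real server, replace SAMPLE_LDIF with the output of the ldbsearch command quoted in the comment (with the zone DN of your own domain) and run the printed ldbdel only for the DC you actually demoted; the script skips entries marked dNSTombstoned on purpose, because those are already scheduled for removal and deleting them by hand is unnecessary.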
