demote error

Matthieu Patou mat at samba.org
Fri Jun 29 21:54:34 MDT 2012 

On 06/28/2012 01:18 AM, Daniele Dario wrote:
> On Wed, 2012-06-27 at 09:50 -0700, Matthieu Patou wrote:
>> On 06/27/2012 12:49 AM, Daniele Dario wrote:
>>> On Wed, 2012-06-27 at 09:38 +0200, Andreas Oster wrote:
>>>> Am 27.06.2012 09:24, schrieb Daniele Dario:
>>>>> On Wed, 2012-06-27 at 07:29 +0200, Andreas Oster wrote:
>>>>>> Am 12.04.2012 16:29, schrieb Daniele Dario:
>>>>>>> Sorry,
>>>>>>> the problem was that I didn't submit the -U administrator statement.
>>>>>>>
>>>>>>> Using it all works.
>>>>>>>
>>>>>>> Again sorry,
>>>>>>> Daniele.
>>>>>>>
>>>>>>> On Thu, 2012-04-12 at 15:44 +0200, Daniele Dario wrote:
>>>>>>>> Hi samba team,
>>>>>>>> I've seen in other threads that with Version 4.0.0alpha20-GIT-81d1749
>>>>>>>> replication of DNS partitions between DCs now should be automatic so I
>>>>>>>> decided to try to demote my secondary DC to try to join it again to the
>>>>>>>> domain and see if replication starts also for me.
>>>>>>>>
>>>>>>>> Trying to run samba-tool domain demote -d 10 it fails with
>>>>>>>>
>>>>>>>> ...
>>>>>>>> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>>>>>>>>        drsuapi_DsReplicaSync: struct drsuapi_DsReplicaSync
>>>>>>>>           out: struct drsuapi_DsReplicaSync
>>>>>>>>               result                   : WERR_OK
>>>>>>>> rpc reply data:
>>>>>>>> [0000] 00 00 00 00                                       ....
>>>>>>>> lpcfg_servicenumber: couldn't find ldb
>>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>>>> netmask=255.255.255.0
>>>>>>>> added interface eth0 ip=fe80::20e:cff:fe3c:b729%eth0
>>>>>>>> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
>>>>>>>> added interface eth0 ip=192.168.12.2 bcast=192.168.12.255
>>>>>>>> netmask=255.255.255.0
>>>>>>>> Changing userControl and container
>>>>>>>> Error while demoting, re-enabling inbound replication
>>>>>>>> ldb:acl_modify: options
>>>>>>>> Sorting rpmd with attid exception 3 rDN=CN DN=CN=NTDS
>>>>>>>> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
>>>>>>>> ERROR(ldb): Error while changing account control - LDAP error 1
>>>>>>>> LDAP_OPERATIONS_ERROR -  <00002020: Operation unavailable without
>>>>>>>> authentication> <>
>>>>>>>>     File
>>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
>>>>>>>> line 288, in run
>>>>>>>>       attrs=["userAccountControl"])
>>>>>>>>
>>>>>>>> how can I proceed to solve the problem?
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> Daniele
>>>>>>>>
>>>>>>>
>>>>>> Hello Daniele,
>>>>>>
>>>>>> can you tell me if samba needs to be stopped before demoting ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>>
>>>>> Hello Andreas,
>>>>> I did not stop it when I demoted the DC.
>>>>>
>>>>> I think that stop samba on the DC to demote would prevent replicas/syncs
>>>>> to other DCs so the command would fail.
>>>>>
>>>>> Daniele.
>>>>>
>>>>>
>>>> Hello Daniele,
>>>>
>>>> thank you for the fast reply. You are right, samba needs to be running
>>>> for demoting.
>>>>
>>>> I have managed to demote the second DC but am now stuck as I am unable
>>>> to re-join it to the domain. I aways get errors when trying to do so :-(
>>>> I already tried to add a a new posting but the attachment (log file)
>>>> is to big and needs to be reviewed by the moderator.
>>>>
>>>> best regards
>>>>
>>>> Andreas
>>>>
>>>>
>>>>
>>> Hi Andreas,
>>> I've seen that after demote of "secondary" DCs, the DNS record related
>>> to the DC is still present in the _msdcs zone (it happened to me, don't
>>> know if it was due to me or to the fact I started with very old releases
>>> and had to manually add the record).
>> When I wrote the demote option for samba-tool we didn't really had the
>> DNS stored in the AD that's why I haven't done the cleanup of this
>> records. I think adding the code in samba-tool shouldn't be too complicated.
>> If too complicated then please file a bug report for a enhancement request.
>>> Once I manually removed it using samba-tool dns delete, I was again able
>>> to re-join the DC and I've seen that with latest git version of samba4
>>> replication started automatically also for DNS zones.
>> I'm not too sure to understand why old DNS records would prevent samba
>> to join a second time as a DC, it should in the end update the DNS
>> records cleanly.
>>
>> Matthieu.
>>
> Hi Matthieu,
> that's my fault. The problem I had was not with not cleaned records.
>
> As Andreas I had the record of secondary DC like
> Name=7a16b14d-d320-4d7e-91a2-a61049a6f51e, Records=0, Children=0
> which was missing the CNAME part.
>
> Trying to manually remove/modify the record with samba-tool if failed
> (don't remember the code and can't reproduce it now) and also samba-tool
> add a new record told record already exists.
>
> During re-join I had failures and tried to find why. When I found that
> "wrong" record, I managed to remove it only with ldbedit/ldbdel and
> after removed I've been able to re-join DC.
>
> At this point I don't know if it was the problem or not but just told my
> experience.
Ok please do us a favor: file a bug and put me in copy of this one. I'm 
planning to have a closer look at DNS stuff in the couple of days. There 
is issues with ACLs that we have to fix for DNS records I highly doubt 
that they are related to your problem but once I'll be in this area of 
the code I can have a closer look.

Matthieu.


-- 
Matthieu Patou
Samba Team
http://samba.org

More information about the samba-technical mailing list