[PATCH] make samba-tool aware of all 7 fsmo roles

Rowland Penny repenny241155 at gmail.com
Wed May 20 10:48:12 MDT 2015

On 20/05/15 17:33, Stefan (metze) Metzmacher wrote:
> On 20.05.2015 at 18:21, Rowland Penny wrote:
>> On 20/05/15 17:06, Stefan (metze) Metzmacher wrote:
>>> Hi Rowland,
>>>>> Can you change the commit message to this:
>>>>>        samba-tool: make 'samba-tool fsmo *' aware of all 7 fsmo roles
>>>>>        BUG: https://bugzilla.samba.org/show_bug.cgi?id=10734
>>>>>        Signed-off-by: Rowland Penny <repenny241155 at gmail.com>
>>>> Hi Stefan,
>>>> Done
>>> I don't see an updated commit message...
>> Ah, sorry, missed the bug line.
>>>>>> @@ -58,6 +59,26 @@ def transfer_role(outf, role, samdb):
>>>>>>             m["becomeSchemaMaster"]= ldb.MessageElement(
>>>>>>                 "1", ldb.FLAG_MOD_REPLACE,
>>>>>>                 "becomeSchemaMaster")
>>>>>> +    elif role == "domaindns":
>>>>>> +        # this would work in the same way as the infrastructure role
>>>>>> if the schema allowed it
>>>>>> +        # but it doesn't, so will have to sieze
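Review bot: In the added `elif role == "domaindns":` branch, the comment says a transfer "will have to" seize the role, so a caller of transfer_role() who asked for a transfer gets a seize with nothing in the output to say so. Either refuse the transfer for this role with a clear error, or write a warning to `outf` before falling back. The comment should also name what is missing (the hunk above uses `becomeSchemaMaster`; say which equivalent attribute does not exist for this role) instead of "if the schema allowed it", and "sieze" should be spelled "seize".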
>>>>> Can you explain this a bit?
>>>>> What is different here (in detail)?
>>>> To transfer the main 5 roles, you just create an attribute called
>>>> 'become****' containing '1' in the DN that you want to transfer i.e.
>>>> create 'becomeRidMaster: 1' to transfer the RIDMaster role. There isn't
>>>> a 'become****' attribute for the two dns roles (or at least I cannot
>>>> find them and believe me, I tried), so it seems the only way to change
>>>> them is to seize them.
>>> Wouldn't it be better to simulate the becomeROLE change behaviour?
>> Well possibly, but how?
>> Please bear in mind, until I started looking into this, python was a
>> very big snake to me, I am used to writing bash scripts :-)
> :-)
> I'll try to come up with a fix for it.

Hang on, I have been doing some more investigations into this and see 
here: https://msdn.microsoft.com/en-us/library/cc223309.aspx

It seems that you run the transfer on the DC you want to transfer the 
roles to, I suppose that 'becomeInfrastructureMaster' is a big clue :-)

There are no 'becomeDomainDNSMaster' & 'becomeForestDNSMaster' 
attributes, so, yes you could write something that sort of uses those 
attribute names but it would boil down in the end to basically what I 
came up with, changing the fSMORoleOwner contents, this is what 
'become*****' seems to do anyway i.e. it is just a shortcut!


>>> We should do the change on the current master as that is still alive
>>> and it needs to give up the role before the new dc takes over.
>> Ah well, back to google (there are other internet search engines available)
>>> Maybe it would work if we do the ldap modify on the current role owner
>>> and then send new owner a DsReplicaSync message to trigger an immediate
>>> replication
>>> from the old to the new owner.
>> How about if I remove the transfer part until I sort it out and just
>> change the show & seize parts ?
> I think that would work, just print out a warning that "all" will skip
> the transfer.
> That would still be a great improvement over the current situation.
> metze
