samba4.3.4: failure attempting to show/transfer/seize DomainDns FSMO role

Rowland Penny repenny241155 at gmail.com
Tue Jan 12 17:00:41 UTC 2016


On 12/01/16 16:38, Daniele Dario wrote:
>
>
> On mar, 2016-01-12 at 16:25 +0000, Rowland Penny wrote:
>> On 12/01/16 15:06, Daniele Dario wrote:
>>> Hi Rowland,
>>> happy new year guys
>>>
>>>
>>> On mar, 2016-01-12 at 14:21 +0000, Rowland Penny wrote:
>>>> On 12/01/16 13:43, Daniele Dario wrote:
>>>>> Hi all,
>>>>> I just updated to samba 4.3.4 and before doing it I transferred all FSMO
>>>>> roles from kdc01 to kdc02 before starting to update it.
>>>> What Samba version did you upgrade from?
>>>> I ask because before Samba version 4.3.0, fsmo.py only transferred 5 of
>>>> the 7 FSMO roles
>>>>
>>> Yeah, I was upgrading from 4.2.16
>>>
>>>>> After updating kdc01 I tried to transfer again all roles from kdc02 to
>>>>> kdc01 in order to update also kdc02 but I get this error:
>>>>>
>>>>> [root at kdc01:~]# samba-tool fsmo transfer --role=all
>>>>> ldb_wrap open of secrets.ldb
>>>>> This DC already has the 'rid' FSMO role
>>>>> This DC already has the 'pdc' FSMO role
>>>>> This DC already has the 'naming' FSMO role
>>>>> This DC already has the 'infrastructure' FSMO role
>>>>> This DC already has the 'schema' FSMO role
>>>>> ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'master_guid' referenced before assignment
>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 452, in run
>>>>>     transfer_dns_role(self.outf, sambaopts, credopts, "domaindns", samdb)
>>>>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 76, in transfer_dns_role
>>>>>     master_dns_name = '%s._msdcs.%s' % (master_guid,
>>>>>
>>>>> I get something similar also trying to seize the roles or even show
>>>>> them.
>>>>>
>>>>> Guess that I'm missing something inside my dbs even if samba-tool
>>>>> dbcheck says everything is ok.
>>>>>
>>>>> [root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=Saitel,DC=loc"
>>>>> GENSEC backend 'gssapi_spnego' registered
>>>>> GENSEC backend 'gssapi_krb5' registered
>>>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>>>> GENSEC backend 'spnego' registered
>>>>> GENSEC backend 'schannel' registered
>>>>> GENSEC backend 'naclrpc_as_system' registered
>>>>> GENSEC backend 'sasl-EXTERNAL' registered
>>>>> GENSEC backend 'ntlmssp' registered
>>>>> GENSEC backend 'http_basic' registered
>>>>> GENSEC backend 'http_ntlm' registered
>>>>> GENSEC backend 'krb5' registered
>>>>> GENSEC backend 'fake_gssapi_krb5' registered
>>>>> # record 1
>>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
>>>>> objectClass: top
>>>>> objectClass: infrastructureUpdate
>>>>> cn: Infrastructure
>>>>> instanceType: 4
>>>>> whenCreated: 20120924143109.0Z
>>>>> whenChanged: 20150422114545.0Z
>>>>> uSNCreated: 5263
>>>>> uSNChanged: 5263
>>>>> showInAdvancedViewOnly: TRUE
>>>>> name: Infrastructure
>>>>> objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
>>>>> systemFlags: -1946157056
>>>>> objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,DC=loc
>>>>> isCriticalSystemObject: TRUE
>>>>> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
>>>>>
>>>>> # returned 1 records
>>>>> # 1 entries
>>>>> # 0 referrals
>>>> It looks like you need to add an fsmoroleowner for
>>>> 'CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc'
>>>>
>>>> Rowland
>>>>
>>>>> Any idea on how to fix this?
>>>>>
>>>>> Assuming that even with the fault the 5 roles have been transferred I
>>>>> also updated kdc02.
>>>>>
>>>>> Thanks in advance,
>>>>> Daniele.
>>>>>
>>>>>
>>> How do I add it?
>> Try 'samba-tool fsmo seize --force --role=domaindns -U Administrator' on
>> the DC that you want to hold this role (must be >= Samba 4.3.0)
>>
>> Rowland
>>
>>> Just to say, wouldn't it be useful to make samba-tool able to add (or ask
>>> to add) it directly?
>>>
>>> Daniele
>>>
>>
> Already tried :-(
>
> [root at kdc01:~]# samba-tool fsmo seize --force --role=domaindns -U Administrator
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 352, in run
>     versionopts, force)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 302, in seize_dns_role
>     master_owner = get_fsmo_roleowner(samdb, m.dn)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 43, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
>
> Now samba is 4.3.4
>
> Guess that ldbmodify is the only choice but I don't know how to use it.
>
> Can you or someone post a hint?
>
>

OK, sounds like big hammer time :-D

First have a read here: 
https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles

I think the easiest way will be to use ldbedit, first check that there 
isn't a fsmo roleowner:

ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s base fsmoroleowner

This should return nothing (perhaps an error message).

Now try again with a role that does have a role owner:

ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=samdom,DC=example,DC=com" -s base fsmoroleowner

That should return something like this:

# record 1
dn: CN=Infrastructure,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

Now open ldbedit like this:

ldbedit --cross-ncs -e nano -H /usr/local/samba/private/sam.ldb -b "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"

Add the 'fSMORoleOwner' attribute that you obtained earlier:

fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

Close and save nano with 'Ctrl-x'

Try 'samba-tool fsmo show'

Hopefully this will now show the fsmo role owner for the domaindns, 
though you may have to do the same for the forestdns fsmorole.

Note: you do this at your own risk and ideally in a test setup.

I would also check that none of your DCs hold the fsmoroles in question.

Rowland
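An added helper that automates the check-then-copy step Rowland describes; it is not Samba code and not from this thread. It unfolds ldbsearch's LDIF output, reads fSMORoleOwner from the domain Infrastructure object, and only emits an LDIF that adds the attribute when the DomainDnsZones object really lacks it. The sample outputs and the samdom DNs are constructed, and the ldbmodify invocation in the comments is an assumption.

```python
import re

# Constructed sample of ldbsearch output for the domain-NC Infrastructure object;
# ldbsearch folds the long DN onto a continuation line starting with one space.
REFERENCE_OUTPUT = """\
# record 1
dn: CN=Infrastructure,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
"""
# Constructed sample for the broken DomainDnsZones object: no fSMORoleOwner at all.
TARGET_DN = "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"
TARGET_OUTPUT = "# record 1\ndn: %s\n" % TARGET_DN
# Only the DN of an NTDS Settings object is a valid role owner.
NTDS_DN_RE = re.compile(
    r"^CN=NTDS Settings,CN=[^,]+,CN=Servers,CN=[^,]+,CN=Sites,CN=Configuration,", re.I)

def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def get_fsmo_roleowner(text):
    """fSMORoleOwner value from ldbsearch output, or None when the attribute is absent."""
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "fsmoroleowner":
            return value.strip()
    return None

def build_add_ldif(target_dn, owner_dn):
    """LDIF for ldbmodify (assumed: ldbmodify -H sam.ldb fix.ldif) adding fSMORoleOwner."""
    if not NTDS_DN_RE.match(owner_dn):
        raise ValueError("not an NTDS Settings DN: %r" % owner_dn)
    return "dn: %s\nchangetype: modify\nadd: fSMORoleOwner\nfSMORoleOwner: %s\n-\n" % (
        target_dn, owner_dn)

def plan_fix(target_output, reference_output, target_dn):
    """Only build the fix when the target lacks an owner and the reference has one."""
    if get_fsmo_roleowner(target_output) is not None:
        return None
    owner = get_fsmo_roleowner(reference_output)
    if owner is None:
        raise ValueError("reference object has no fSMORoleOwner either")
    return build_add_ldif(target_dn, owner)
```

Feed the two real ldbsearch outputs to plan_fix on the DC that should own the role, write the result to a file for ldbmodify, then re-run 'samba-tool fsmo show'.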


