samba4.3.4: failure attempting to show/transfer/seize DomainDns FSMO role

Daniele Dario d.dario76 at gmail.com
Tue Jan 12 17:23:46 UTC 2016

On mar, 2016-01-12 at 17:00 +0000, Rowland Penny wrote:
> On 12/01/16 16:38, Daniele Dario wrote:
> >
> >
> > On mar, 2016-01-12 at 16:25 +0000, Rowland Penny wrote:
> >> On 12/01/16 15:06, Daniele Dario wrote:
> >>> Hi Rowland,
> >>> happy new year guys
> >>>
> >>>
> >>> On mar, 2016-01-12 at 14:21 +0000, Rowland Penny wrote:
> >>>> On 12/01/16 13:43, Daniele Dario wrote:
> >>>>> Hi all,
> >>>>> I just updated to samba 4.3.4 and before doing it I transferred all FSMO
> >>>>> roles from kdc01 to kdc02 before starting to update it.
> >>>> What Samba version did you upgrade from?
> >>>> I ask because before Samba version 4.3.0, fsmo.py only transferred 5 of
> >>>> the 7 FSMO roles
> >>>>
> >>> Yeah, I was upgrading from 4.2.16
> >>>
> >>>>> After updating kdc01 I tried to transfer again all roles from kdc02 to
> >>>>> kdc01 in order to update also kdc02 but I get this error:
> >>>>>
> >>>>> [root at kdc01:~]# samba-tool fsmo transfer --role=all
> >>>>> ldb_wrap open of secrets.ldb
> >>>>> This DC already has the 'rid' FSMO role
> >>>>> This DC already has the 'pdc' FSMO role
> >>>>> This DC already has the 'naming' FSMO role
> >>>>> This DC already has the 'infrastructure' FSMO role
> >>>>> This DC already has the 'schema' FSMO role
> >>>>> ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local
> >>>>> variable 'master_guid' referenced before assignment
> >>>>>      File
> >>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>>>> line 175, in _run
> >>>>>        return self.run(*args, **kwargs)
> >>>>>      File
> >>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>>>> line 452, in run
> >>>>>        transfer_dns_role(self.outf, sambaopts, credopts, "domaindns",
> >>>>> samdb)
> >>>>>      File
> >>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>>>> line 76, in transfer_dns_role
> >>>>>        master_dns_name = '%s._msdcs.%s' % (master_guid,
> >>>>>
> >>>>> I get something similar also trying to seize the roles or even show
> >>>>> them.
> >>>>>
> >>>>> Guess that I'm missing something inside my dbs even if samba-tool
> >>>>> dbcheck says everything is ok.
> >>>>>
> >>>>> [root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
> >>>>> "CN=Infrastructure,DC=DomainDnsZones,DC=Saitel,DC=loc"
> >>>>> GENSEC backend 'gssapi_spnego' registered
> >>>>> GENSEC backend 'gssapi_krb5' registered
> >>>>> GENSEC backend 'gssapi_krb5_sasl' registered
> >>>>> GENSEC backend 'spnego' registered
> >>>>> GENSEC backend 'schannel' registered
> >>>>> GENSEC backend 'naclrpc_as_system' registered
> >>>>> GENSEC backend 'sasl-EXTERNAL' registered
> >>>>> GENSEC backend 'ntlmssp' registered
> >>>>> GENSEC backend 'http_basic' registered
> >>>>> GENSEC backend 'http_ntlm' registered
> >>>>> GENSEC backend 'krb5' registered
> >>>>> GENSEC backend 'fake_gssapi_krb5' registered
> >>>>> # record 1
> >>>>> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> >>>>> objectClass: top
> >>>>> objectClass: infrastructureUpdate
> >>>>> cn: Infrastructure
> >>>>> instanceType: 4
> >>>>> whenCreated: 20120924143109.0Z
> >>>>> whenChanged: 20150422114545.0Z
> >>>>> uSNCreated: 5263
> >>>>> uSNChanged: 5263
> >>>>> showInAdvancedViewOnly: TRUE
> >>>>> name: Infrastructure
> >>>>> objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
> >>>>> systemFlags: -1946157056
> >>>>> objectCategory:
> >>>>> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
> >>>>>     DC=loc
> >>>>> isCriticalSystemObject: TRUE
> >>>>> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> >>>>>
> >>>>> # returned 1 records
> >>>>> # 1 entries
> >>>>> # 0 referrals
> >>>> It looks like you need to add an fsmoroleowner for
> >>>> 'CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc'
> >>>>
> >>>> Rowland
> >>>>
> >>>>> Any idea on how to fix this?
> >>>>>
> >>>>> Assuming that even with the fault the 5 roles have been transferred I
> >>>>> also updated kdc02.
> >>>>>
> >>>>> Thanks in advance,
> >>>>> Daniele.
> >>>>>
> >>>>>
> >>> How do I add it?
> >> Try 'samba-tool fsmo seize --force --role=domaindns -U Administrator' on
> >> the DC that you want to hold this role (must be >= Samba 4.3.0)
> >>
> >> Rowland
> >>
> >>> Just to say, wouldn't it be useful to make samba-tool able to add (or ask
> >>> to add) it directly?
> >>>
> >>> Daniele
> >>>
> >>
> > Already tried :-(
> >
> > [root at kdc01:~]# samba-tool fsmo seize --force --role=domaindns -U
> > Administrator
> > ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> > element'
> >    File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> >      return self.run(*args, **kwargs)
> >    File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> > line 352, in run
> >      versionopts, force)
> >    File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> > line 302, in seize_dns_role
> >      master_owner = get_fsmo_roleowner(samdb, m.dn)
> >    File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> > line 43, in get_fsmo_roleowner
> >      master_owner = res[0]["fSMORoleOwner"][0]
> >
> > Now samba is 4.3.4
> >
> > Guess that ldbmodify is the only choice but I don't know how to use it.
> >
> > Can you or someone post a hint?
> >
> >
> 
> OK, sounds like big hammer time :-D
> 
> First have a read here: 
> https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
> 
> I think the easiest way will be to use ldbedit, first check that there 
> isn't a fsmo roleowner:
> 
> ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b 
> "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s 
> base fsmoroleowner
> 
> This should return nothing (perhaps an error message)
> 
> Now try again with a role that does have a role owner:
> 
> ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b 
> "CN=Infrastructure,DC=samdom,DC=example,DC=com" -s base fsmoroleowner
> 
> That should return something like this:
> 
> # record 1
> dn: CN=Infrastructure,DC=samdom,DC=example,DC=com
> fSMORoleOwner: CN=NTDS 
> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
>   N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> 
> Now open ldbedit like this:
> 
> ldbedit --cross-ncs -e nano -H /usr/local/samba/private/sam.ldb -b 
> "CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"
> 
> Add the 'fSMORoleOwner' attribute that you obtained earlier:
> 
> fSMORoleOwner: CN=NTDS 
> Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
>   N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> 
> Close and save nano with 'Ctrl-x'
> 
> try 'samba-tool fsmo show'
> 
> Hopefully this will now show the fsmo role owner for the domaindns, 
> though you may have to do the same for the forestdns fsmorole.
> 
> Note: you do this at your own risk and ideally in a test setup.
> 
> I would also check that none of your DCs hold the fsmoroles in question.
> 
> Rowland
> 


[root at kdc01:~]# ldbsearch --cross-ncs
-H /usr/local/samba/private/sam.ldb -b
"CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc" -s base
fSMORoleOwner
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc

# returned 1 records
# 1 entries
# 0 referrals

Does this mean that I have it already set?

If I use 

ldbedit --cross-ncs -e vim -H /usr/local/samba/private/sam.ldb -b
"CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc"

# editing 1 records
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
instanceType: 4
whenCreated: 20120924143109.0Z
whenChanged: 20150422114545.0Z
uSNCreated: 5263
uSNChanged: 5263
showInAdvancedViewOnly: TRUE
name: Infrastructure
objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
systemFlags: -1946157056
objectCategory:
CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
 DC=loc
isCriticalSystemObject: TRUE
distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc

now, if I add on a new line after distinguishedName

fSMORoleOwner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc

and save I get

failed to modify CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc -
SINGLE-VALUE attribute fSMORoleOwner on
CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc specified more than
once
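Added example, not part of the thread and not Samba's own code: a small Python 3 script that unfolds ldbsearch LDIF output, reports whether an Infrastructure object carries fSMORoleOwner, and writes the ldbmodify record that adds it, folding long lines with the single-space continuation that LDIF requires. The two sample outputs are constructed to mirror the ones quoted in this thread (DC name KDC01, domain saitel.loc); the width of 76 columns and the file name fsmo-fix.ldif are assumptions. It refuses to emit a record when the single-valued attribute is already present, which is the condition ldb reports as "specified more than once".

```python
# Added example: detect a missing fSMORoleOwner and build the LDIF that adds it.

# Constructed sample: ldbsearch output for the DomainDnsZones object in the
# thread (no fSMORoleOwner line, and a folded objectCategory value).
SAMPLE_DNS_NC = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
 DC=loc

# returned 1 records
"""

# Constructed sample: the domain NC object, whose owner value ldb folds
# mid-token ("...,C" / " N=Sites,...") exactly as quoted in the thread.
SAMPLE_DOMAIN_NC = """\
# record 1
dn: CN=Infrastructure,DC=saitel,DC=loc
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=saitel,DC=loc

# returned 1 records
"""

DNS_INFRA_DN = "CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc"
DOMAIN_INFRA_DN = "CN=Infrastructure,DC=saitel,DC=loc"


def unfold_ldif(text):
    """Join continuation lines: a line starting with one space is the tail of
    the previous line (RFC 2849).  A wrapped value WITHOUT that leading space
    is parsed as a second attribute line, which is how a hand edit ends up
    declaring a single-valued attribute twice."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return "\n".join(lines)


def fold_ldif_line(line, width=76):
    """Fold one logical line so each physical line fits in `width` columns,
    prefixing every continuation with exactly one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def parse_ldif(text):
    """Parse ldbsearch output into a list of {attr_lowercase: [values]} dicts."""
    records, attrs = [], {}
    for line in unfold_ldif(text).splitlines():
        if line.startswith("#"):          # "# record 1", "# returned ..." etc.
            continue
        if not line.strip():              # blank line ends a record
            if attrs:
                records.append(attrs)
                attrs = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    if attrs:
        records.append(attrs)
    return records


def get_role_owner(ldif_text, dn):
    """Return the fSMORoleOwner DN of `dn`, or None when the attribute is
    absent (the state that makes samba-tool fsmo show/transfer/seize crash)."""
    for rec in parse_ldif(ldif_text):
        if rec.get("dn", [""])[0].lower() == dn.lower():
            owners = rec.get("fsmoroleowner", [])
            return owners[0] if owners else None
    raise LookupError("object not found: %s" % dn)


def build_modify_ldif(dn, owner_dn, current_owner):
    """Build the ldbmodify record adding fSMORoleOwner.  Refuses when the
    single-valued attribute is already set: a second value is exactly what
    ldb rejects with 'specified more than once'."""
    if current_owner is not None:
        raise ValueError("%s already has fSMORoleOwner %s" % (dn, current_owner))
    return "\n".join([
        fold_ldif_line("dn: " + dn),
        "changetype: modify",
        "add: fSMORoleOwner",
        fold_ldif_line("fSMORoleOwner: " + owner_dn),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Stand-alone run on the constructed samples: reuse the owner the domain NC
    # already has for the DomainDnsZones object and print the LDIF to apply.
    owner = get_role_owner(SAMPLE_DOMAIN_NC, DOMAIN_INFRA_DN)
    current = get_role_owner(SAMPLE_DNS_NC, DNS_INFRA_DN)
    print(build_modify_ldif(DNS_INFRA_DN, owner, current), end="")
```

In practice you would feed the script the real output of the two ldbsearch commands Rowland gives, save the printed record as fsmo-fix.ldif, and apply it with ldbmodify against /usr/local/samba/private/sam.ldb (the same -H URL used for ldbsearch), after first confirming, as Rowland says, that no other DC already holds the role.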