samba4.3.4: failure attempting to show/transfer/seize DomainDns FSMO role

Rowland Penny repenny241155 at gmail.com
Tue Jan 12 17:39:22 UTC 2016


On 12/01/16 17:23, Daniele Dario wrote:
>
> On mar, 2016-01-12 at 17:00 +0000, Rowland Penny wrote:
>> >On 12/01/16 16:38, Daniele Dario wrote:
>>> > >
>>> > >
>>> > >On mar, 2016-01-12 at 16:25 +0000, Rowland Penny wrote:
>>>> > >>On 12/01/16 15:06, Daniele Dario wrote:
>>>>> > >>>Hi Rowland,
>>>>> > >>>happy new year guys
>>>>> > >>>
>>>>> > >>>
>>>>> > >>>On mar, 2016-01-12 at 14:21 +0000, Rowland Penny wrote:
>>>>>> > >>>>On 12/01/16 13:43, Daniele Dario wrote:
>>>>>>> > >>>>>Hi all,
>>>>>>> > >>>>>I just updated to samba 4.3.4 and before doing it I transferred all FSMO
>>>>>>> > >>>>>roles from kdc01 to kdc02 before start updating it.
>>>>>> > >>>>What Samba version did you upgrade from?
>>>>>> > >>>>I ask because before Samba version 4.3.0, fsmo.py only transferred 5 of
>>>>>> > >>>>the 7 FSMO roles
>>>>>> > >>>>
>>>>> > >>>Yeah, I was upgrading from 4.2.16
>>>>> > >>>
>>>>>>> > >>>>>After updating kdc01 I tried to transfer again all roles from kdc02 to
>>>>>>> > >>>>>kdc01 in order to update also kdc02 but I get this error:
>>>>>>> > >>>>>
>>>>>>> > >>>>>[root at kdc01:~]# samba-tool fsmo transfer --role=all
>>>>>>> > >>>>>ldb_wrap open of secrets.ldb
>>>>>>> > >>>>>This DC already has the 'rid' FSMO role
>>>>>>> > >>>>>This DC already has the 'pdc' FSMO role
>>>>>>> > >>>>>This DC already has the 'naming' FSMO role
>>>>>>> > >>>>>This DC already has the 'infrastructure' FSMO role
>>>>>>> > >>>>>This DC already has the 'schema' FSMO role
>>>>>>> > >>>>>ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local
>>>>>>> > >>>>>variable 'master_guid' referenced before assignment
>>>>>>> > >>>>>      File
>>>>>>> > >>>>>"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>>>> > >>>>>line 175, in _run
>>>>>>> > >>>>>        return self.run(*args, **kwargs)
>>>>>>> > >>>>>      File
>>>>>>> > >>>>>"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
>>>>>>> > >>>>>line 452, in run
>>>>>>> > >>>>>        transfer_dns_role(self.outf, sambaopts, credopts, "domaindns",
>>>>>>> > >>>>>samdb)
>>>>>>> > >>>>>      File
>>>>>>> > >>>>>"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
>>>>>>> > >>>>>line 76, in transfer_dns_role
>>>>>>> > >>>>>        master_dns_name = '%s._msdcs.%s' % (master_guid,
>>>>>>> > >>>>>
>>>>>>> > >>>>>I get something similar also trying to seize the roles or even show
>>>>>>> > >>>>>them.
>>>>>>> > >>>>>
>>>>>>> > >>>>>Guess that I'm missing something inside my dbs even if samba-tool
>>>>>>> > >>>>>dbcheck says everything is ok.
>>>>>>> > >>>>>
>>>>>>> > >>>>>[root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
>>>>>>> > >>>>>"CN=Infrastructure,DC=DomainDnsZones,DC=Saitel,DC=loc"
>>>>>>> > >>>>>GENSEC backend 'gssapi_spnego' registered
>>>>>>> > >>>>>GENSEC backend 'gssapi_krb5' registered
>>>>>>> > >>>>>GENSEC backend 'gssapi_krb5_sasl' registered
>>>>>>> > >>>>>GENSEC backend 'spnego' registered
>>>>>>> > >>>>>GENSEC backend 'schannel' registered
>>>>>>> > >>>>>GENSEC backend 'naclrpc_as_system' registered
>>>>>>> > >>>>>GENSEC backend 'sasl-EXTERNAL' registered
>>>>>>> > >>>>>GENSEC backend 'ntlmssp' registered
>>>>>>> > >>>>>GENSEC backend 'http_basic' registered
>>>>>>> > >>>>>GENSEC backend 'http_ntlm' registered
>>>>>>> > >>>>>GENSEC backend 'krb5' registered
>>>>>>> > >>>>>GENSEC backend 'fake_gssapi_krb5' registered
>>>>>>> > >>>>># record 1
>>>>>>> > >>>>>dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
>>>>>>> > >>>>>objectClass: top
>>>>>>> > >>>>>objectClass: infrastructureUpdate
>>>>>>> > >>>>>cn: Infrastructure
>>>>>>> > >>>>>instanceType: 4
>>>>>>> > >>>>>whenCreated: 20120924143109.0Z
>>>>>>> > >>>>>whenChanged: 20150422114545.0Z
>>>>>>> > >>>>>uSNCreated: 5263
>>>>>>> > >>>>>uSNChanged: 5263
>>>>>>> > >>>>>showInAdvancedViewOnly: TRUE
>>>>>>> > >>>>>name: Infrastructure
>>>>>>> > >>>>>objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
>>>>>>> > >>>>>systemFlags: -1946157056
>>>>>>> > >>>>>objectCategory:
>>>>>>> > >>>>>CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
>>>>>>> > >>>>>     DC=loc
>>>>>>> > >>>>>isCriticalSystemObject: TRUE
>>>>>>> > >>>>>distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
>>>>>>> > >>>>>
>>>>>>> > >>>>># returned 1 records
>>>>>>> > >>>>># 1 entries
>>>>>>> > >>>>># 0 referrals
>>>>>> > >>>>It looks like you need to add an fsmoroleowner for
>>>>>> > >>>>'CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc'
>>>>>> > >>>>
>>>>>> > >>>>Rowland
>>>>>> > >>>>
>>>>>>> > >>>>>Any idea on how to fix this?
>>>>>>> > >>>>>
>>>>>>> > >>>>>Assuming that even with the fault the 5 roles have been transferred I
>>>>>>> > >>>>>also updated kdc02.
>>>>>>> > >>>>>
>>>>>>> > >>>>>Thanks in advance,
>>>>>>> > >>>>>Daniele.
>>>>>>> > >>>>>
>>>>>>> > >>>>>
>>>>> > >>>How do I add it?
>>>> > >>Try 'samba-tool fsmo seize --force --role=domaindns -U Administrator' on
>>>> > >>the DC that you want to hold this role (must be >= Samba 4.3.0)
>>>> > >>
>>>> > >>Rowland
>>>> > >>
>>>>> > >>>Just to say, wouldn't it be useful to make samba-tool able to add (or ask
>>>>> > >>>to add) it directly?
>>>>> > >>>
>>>>> > >>>Daniele
>>>>> > >>>
>>>> > >>
>>> > >Already tried:-(
>>> > >
>>> > >[root at kdc01:~]# samba-tool fsmo seize --force --role=domaindns -U
>>> > >Administrator
>>> > >ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
>>> > >element'
>>> > >    File
>>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> > >line 175, in _run
>>> > >      return self.run(*args, **kwargs)
>>> > >    File
>>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
>>> > >line 352, in run
>>> > >      versionopts, force)
>>> > >    File
>>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
>>> > >line 302, in seize_dns_role
>>> > >      master_owner = get_fsmo_roleowner(samdb, m.dn)
>>> > >    File
>>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
>>> > >line 43, in get_fsmo_roleowner
>>> > >      master_owner = res[0]["fSMORoleOwner"][0]
>>> > >
>>> > >Now samba is 4.3.4
>>> > >
>>> > >Guess that ldbmodify is the only choice but I don't know how to use it.
>>> > >
>>> > >Can you or someone post a hint?
>>> > >
>>> > >
>> >
>> >OK, sounds like big hammer time:-D
>> >
>> >First have a read here:
>> >https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
>> >
>> >I think the easiest way will be to use ldbedit, first check that there
>> >isn't a fsmo roleowner:
>> >
>> >ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
>> >"CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s
>> >base fsmoroleowner
>> >
>> >This should return nothing (perhaps an error message)
>> >
>> >Now try again with a role that does have a role owner:
>> >
>> >ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
>> >"CN=Infrastructure,DC=samdom,DC=example,DC=com" -s base fsmoroleowner
>> >
>> >That should return something like this:
>> >
>> ># record 1
>> >dn: CN=Infrastructure,DC=samdom,DC=example,DC=com
>> >fSMORoleOwner: CN=NTDS
>> >Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
>> >   N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> >
>> >Now open ldbedit like this:
>> >
>> >ldbedit --cross-ncs -e nano -H /usr/local/samba/private/sam.ldb -b
>> >"CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"
>> >
>> >Add the 'fSMORoleOwner' attribute that you obtained earlier:
>> >
>> >fSMORoleOwner: CN=NTDS
>> >Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
>> >   N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>> >
>> >Close and save nano with 'Ctrl-x'
>> >
>> >try 'samba-tool fsmo show'
>> >
>> >Hopefully this will now show the fsmo role owner for the domaindns,
>> >though you may have to do the same for the forestdns fsmorole.
>> >
>> >Note: you do this at your own risk and ideally in a test setup.
>> >
>> >I would also check that none of  your DCs hold the fsmoroles in question.
>> >
>> >Rowland
>> >
> [root at kdc01:~]# ldbsearch --cross-ncs
> -H /usr/local/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc" -s base
> fSMORoleOwner
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Does this mean that I have it already set?
>
> If I use
>
> ldbedit --cross-ncs -e vim -H /usr/local/samba/private/sam.ldb -b
> "CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc"
>
> # editing 1 records
> # record 1
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> objectClass: top
> objectClass: infrastructureUpdate
> cn: Infrastructure
> instanceType: 4
> whenCreated: 20120924143109.0Z
> whenChanged: 20150422114545.0Z
> uSNCreated: 5263
> uSNChanged: 5263
> showInAdvancedViewOnly: TRUE
> name: Infrastructure
> objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
> systemFlags: -1946157056
> objectCategory:
> CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
>   DC=loc
> isCriticalSystemObject: TRUE
> distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
>
> now, if I add on a new line after distinguishedName
>
> fSMORoleOwner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
>
> and save I get
>
> failed to modify CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc -
> SINGLE-VALUE attribute fSMORoleOwner on
> CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc specified more than
> once
>

Hmm, I think you may have an empty 'fSMORoleOwner' attribute; you could try this:

create an ldif:

nano /tmp/fsmo.ldif

dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
changetype: modify
replace: fSMORoleOwner
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc

Then:

ldbmodify --cross-ncs -H /usr/local/samba/private/sam.ldb /tmp/fsmo.ldif -UAdministrator

Rowland
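
Added example, not part of the message above or of Samba's own code: a small Python helper that reads `ldbsearch ... -s base fSMORoleOwner` output, unfolds LDIF continuation lines, reports whether a role owner is set, and builds the `replace` LDIF with the value on a single line so a mail-wrapped paste cannot corrupt it. The function names are hypothetical and the sample outputs are constructed from the DNs quoted in this thread.

```python
import base64

# Constructed sample output modelled on the thread's DNs (not captured from a real DC).
SAMPLE_MISSING = """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc

# returned 1 records
"""
SAMPLE_SET = """\
# record 1
dn: CN=Infrastructure,DC=saitel,DC=loc
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Nam
 e,CN=Sites,CN=Configuration,DC=saitel,DC=loc
"""

def unfold(text):
    """Join LDIF continuation lines: a line starting with one space extends the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def role_owner(ldbsearch_output):
    """Return (dn, owner); owner is None when fSMORoleOwner is absent or has no value."""
    dn = owner = None
    for line in unfold(ldbsearch_output):
        if line.startswith("#") or ":" not in line:
            continue  # comments, blank lines, 'GENSEC backend ...' noise
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "fsmoroleowner" and value:
            owner = value
    return dn, owner

def build_replace_ldif(dn, ntds_settings_dn):
    """Build the modify/replace LDIF, refusing values that carry a line break."""
    for v in (dn, ntds_settings_dn):
        if "\n" in v or "\r" in v:
            raise ValueError("value contains a line break (mail-wrapped paste?)")
    if not ntds_settings_dn.upper().startswith("CN=NTDS SETTINGS,"):
        raise ValueError("owner must be an 'NTDS Settings' object DN")
    return ("dn: %s\nchangetype: modify\nreplace: fSMORoleOwner\n"
            "fSMORoleOwner: %s\n" % (dn, ntds_settings_dn))
```
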


