samba4.3.4: failure attempting to show/transfer/seize DomainDns FSMO role

Daniele Dario d.dario76 at gmail.com
Wed Jan 13 10:19:05 UTC 2016




On mar, 2016-01-12 at 17:39 +0000, Rowland Penny wrote:
> On 12/01/16 17:23, Daniele Dario wrote:
> >
> > On mar, 2016-01-12 at 17:00 +0000, Rowland Penny wrote:
> >> >On 12/01/16 16:38, Daniele Dario wrote:
> >>> > >
> >>> > >
> >>> > >On mar, 2016-01-12 at 16:25 +0000, Rowland Penny wrote:
> >>>> > >>On 12/01/16 15:06, Daniele Dario wrote:
> >>>>> > >>>Hi Rowland,
> >>>>> > >>>happy new year guys
> >>>>> > >>>
> >>>>> > >>>
> >>>>> > >>>On mar, 2016-01-12 at 14:21 +0000, Rowland Penny wrote:
> >>>>>> > >>>>On 12/01/16 13:43, Daniele Dario wrote:
> >>>>>>> > >>>>>Hi all,
> >>>>>>> > >>>>>I just updated to samba 4.3.4 and before doing it I transferred all FSMO
> >>>>>>> > >>>>>roles from kdc01 to kdc02 before starting to update it.
> >>>>>> > >>>>What Samba version did you upgrade from?
> >>>>>> > >>>>I ask because before Samba version 4.3.0, fsmo.py only transferred 5 of
> >>>>>> > >>>>the 7 FSMO roles.
> >>>>>> > >>>>
> >>>>> > >>>Yeah, I was upgrading from 4.2.16
> >>>>> > >>>
> >>>>>>> > >>>>>After updating kdc01 I tried to transfer again all roles from kdc02 to
> >>>>>>> > >>>>>kdc01 in order to update also kdc02 but I get this error:
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>[root at kdc01:~]# samba-tool fsmo transfer --role=all
> >>>>>>> > >>>>>ldb_wrap open of secrets.ldb
> >>>>>>> > >>>>>This DC already has the 'rid' FSMO role
> >>>>>>> > >>>>>This DC already has the 'pdc' FSMO role
> >>>>>>> > >>>>>This DC already has the 'naming' FSMO role
> >>>>>>> > >>>>>This DC already has the 'infrastructure' FSMO role
> >>>>>>> > >>>>>This DC already has the 'schema' FSMO role
> >>>>>>> > >>>>>ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local
> >>>>>>> > >>>>>variable 'master_guid' referenced before assignment
> >>>>>>> > >>>>>      File
> >>>>>>> > >>>>>"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>>>>>> > >>>>>line 175, in _run
> >>>>>>> > >>>>>        return self.run(*args, **kwargs)
> >>>>>>> > >>>>>      File
> >>>>>>> > >>>>>"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>>>>>> > >>>>>line 452, in run
> >>>>>>> > >>>>>        transfer_dns_role(self.outf, sambaopts, credopts, "domaindns",
> >>>>>>> > >>>>>samdb)
> >>>>>>> > >>>>>      File
> >>>>>>> > >>>>>"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>>>>>> > >>>>>line 76, in transfer_dns_role
> >>>>>>> > >>>>>        master_dns_name = '%s._msdcs.%s' % (master_guid,
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>I get something similar also trying to seize the roles or even show
> >>>>>>> > >>>>>them.
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>Guess that I'm missing something inside my dbs even if samba-tool
> >>>>>>> > >>>>>dbcheck says everything is ok.
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>[root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
> >>>>>>> > >>>>>"CN=Infrastructure,DC=DomainDnsZones,DC=Saitel,DC=loc"
> >>>>>>> > >>>>>GENSEC backend 'gssapi_spnego' registered
> >>>>>>> > >>>>>GENSEC backend 'gssapi_krb5' registered
> >>>>>>> > >>>>>GENSEC backend 'gssapi_krb5_sasl' registered
> >>>>>>> > >>>>>GENSEC backend 'spnego' registered
> >>>>>>> > >>>>>GENSEC backend 'schannel' registered
> >>>>>>> > >>>>>GENSEC backend 'naclrpc_as_system' registered
> >>>>>>> > >>>>>GENSEC backend 'sasl-EXTERNAL' registered
> >>>>>>> > >>>>>GENSEC backend 'ntlmssp' registered
> >>>>>>> > >>>>>GENSEC backend 'http_basic' registered
> >>>>>>> > >>>>>GENSEC backend 'http_ntlm' registered
> >>>>>>> > >>>>>GENSEC backend 'krb5' registered
> >>>>>>> > >>>>>GENSEC backend 'fake_gssapi_krb5' registered
> >>>>>>> > >>>>># record 1
> >>>>>>> > >>>>>dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> >>>>>>> > >>>>>objectClass: top
> >>>>>>> > >>>>>objectClass: infrastructureUpdate
> >>>>>>> > >>>>>cn: Infrastructure
> >>>>>>> > >>>>>instanceType: 4
> >>>>>>> > >>>>>whenCreated: 20120924143109.0Z
> >>>>>>> > >>>>>whenChanged: 20150422114545.0Z
> >>>>>>> > >>>>>uSNCreated: 5263
> >>>>>>> > >>>>>uSNChanged: 5263
> >>>>>>> > >>>>>showInAdvancedViewOnly: TRUE
> >>>>>>> > >>>>>name: Infrastructure
> >>>>>>> > >>>>>objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
> >>>>>>> > >>>>>systemFlags: -1946157056
> >>>>>>> > >>>>>objectCategory:
> >>>>>>> > >>>>>CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
> >>>>>>> > >>>>>     DC=loc
> >>>>>>> > >>>>>isCriticalSystemObject: TRUE
> >>>>>>> > >>>>>distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> >>>>>>> > >>>>>
> >>>>>>> > >>>>># returned 1 records
> >>>>>>> > >>>>># 1 entries
> >>>>>>> > >>>>># 0 referrals
> >>>>>> > >>>>It looks like you need to add an fsmoroleowner for
> >>>>>> > >>>>'CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc'
> >>>>>> > >>>>
> >>>>>> > >>>>Rowland
> >>>>>> > >>>>
> >>>>>>> > >>>>>Any idea on how to fix this?
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>Assuming that even with the fault the 5 roles have been transferred I
> >>>>>>> > >>>>>also updated kdc02.
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>Thanks in advance,
> >>>>>>> > >>>>>Daniele.
> >>>>>>> > >>>>>
> >>>>>>> > >>>>>
> >>>>> > >>>How do I add it?
> >>>> > >>Try 'samba-tool fsmo seize --force --role=domaindns -U Administrator' on
> >>>> > >>the DC that you want to hold this role (must be >= Samba 4.3.0)
> >>>> > >>
> >>>> > >>Rowland
> >>>> > >>
> >>>>> > >>>Just to say, wouldn't it be useful to make samba-tool able to add (or ask
> >>>>> > >>>to add) it directly?
> >>>>> > >>>
> >>>>> > >>>Daniele
> >>>>> > >>>
> >>>> > >>
> >>> > >Already tried:-(
> >>> > >
> >>> > >[root at kdc01:~]# samba-tool fsmo seize --force --role=domaindns -U
> >>> > >Administrator
> >>> > >ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
> >>> > >element'
> >>> > >    File
> >>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>> > >line 175, in _run
> >>> > >      return self.run(*args, **kwargs)
> >>> > >    File
> >>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>> > >line 352, in run
> >>> > >      versionopts, force)
> >>> > >    File
> >>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>> > >line 302, in seize_dns_role
> >>> > >      master_owner = get_fsmo_roleowner(samdb, m.dn)
> >>> > >    File
> >>> > >"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
> >>> > >line 43, in get_fsmo_roleowner
> >>> > >      master_owner = res[0]["fSMORoleOwner"][0]
> >>> > >
> >>> > >Now samba is 4.3.4
> >>> > >
> >>> > >Guess that ldbmodify is the only choice but I don't know how to use it.
> >>> > >
> >>> > >Can you or someone post a hint?
> >>> > >
> >>> > >
> >> >
> >> >OK, sounds like big hammer time:-D
> >> >
> >> >First have a read here:
> >> >https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
> >> >
> >> >I think the easiest way will be to use ldbedit, first check that there
> >> >isn't a fsmo roleowner:
> >> >
> >> >ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
> >> >"CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com" -s
> >> >base fsmoroleowner
> >> >
> >> >This should return nothing (perhaps an error message)
> >> >
> >> >now try again with role that does have a role owner:
> >> >
> >> >ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb -b
> >> >"CN=Infrastructure,DC=samdom,DC=example,DC=com" -s base fsmoroleowner
> >> >
> >> >That should return something like this:
> >> >
> >> ># record 1
> >> >dn: CN=Infrastructure,DC=samdom,DC=example,DC=com
> >> >fSMORoleOwner: CN=NTDS
> >> >Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
> >> >   N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> >> >
> >> >Now open ldbedit like this:
> >> >
> >> >ldbedit --cross-ncs -e nano -H /usr/local/samba/private/sam.ldb -b
> >> >"CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com"
> >> >
> >> >Add the 'fSMORoleOwner' attribute that you obtained earlier:
> >> >
> >> >fSMORoleOwner: CN=NTDS
> >> >Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,C
> >> >   N=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
> >> >
> >> >Close and save nano with 'Ctrl-x'
> >> >
> >> >try 'samba-tool fsmo show'
> >> >
> >> >Hopefully this will now show the fsmo role owner for the domaindns,
> >> >though you may have to do the same for the forestdns fsmorole.
> >> >
> >> >Note: you do this at your own risk and ideally in a test setup.
> >> >
> >> >I would also check that none of your DCs hold the fsmoroles in question.
> >> >
> >> >Rowland
> >> >
> > [root at kdc01:~]# ldbsearch --cross-ncs
> > -H /usr/local/samba/private/sam.ldb -b
> > "CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc" -s base
> > fSMORoleOwner
> > # record 1
> > dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> >
> > # returned 1 records
> > # 1 entries
> > # 0 referrals
> >
> > Does this mean that I have it already set?
> >
> > If I use
> >
> > ldbedit --cross-ncs -e vim -H /usr/local/samba/private/sam.ldb -b
> > "CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc"
> >
> > # editing 1 records
> > # record 1
> > dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> > objectClass: top
> > objectClass: infrastructureUpdate
> > cn: Infrastructure
> > instanceType: 4
> > whenCreated: 20120924143109.0Z
> > whenChanged: 20150422114545.0Z
> > uSNCreated: 5263
> > uSNChanged: 5263
> > showInAdvancedViewOnly: TRUE
> > name: Infrastructure
> > objectGUID: 8f2c0c68-c571-4ffd-9413-0bb7384f70d4
> > systemFlags: -1946157056
> > objectCategory:
> > CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitel,
> >   DC=loc
> > isCriticalSystemObject: TRUE
> > distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> >
> > now, if I add on a new line after distinguishedName
> >
> > fSMORoleOwner: CN=NTDS
> > Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> >
> > and save I get
> >
> > failed to modify CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc -
> > SINGLE-VALUE attribute fSMORoleOwner on
> > CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc specified more than
> > once
> >
> 
> Hmm, I think you may have an empty 'fSMORoleOwner' attribute, you could 
> try this:
> 
> create an ldif:
> 
> nano /tmp/fsmo.ldif
> 
> dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
> changetype: modify
> replace: fSMORoleOwner
> fSMORoleOwner: CN=NTDS
> Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
> 
> Then:
> 
> ldbmodify  --cross-ncs -H /usr/local/samba/private/sam.ldb 
> /tmp/fsmo.ldif -UAdministrator
> 
> Rowland
> 

Yep, it worked.

Did the same also for ForestDnsZones and now :-)

[root at kdc01:~]# samba-tool fsmo show
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
InfrastructureMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
PdcEmulationMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
DomainNamingMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
DomainDnsZonesMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc
ForestDnsZonesMasterRole owner: CN=NTDS
Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitel,DC=loc

Thanks a lot Rowland.
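As an added example (not from the thread or from Samba's own fsmo.py), a small Python script that parses ldbsearch output for the role-holder objects, flags any whose fSMORoleOwner is absent or empty (the condition behind the KeyError traceback above), and emits the `replace:` LDIF Rowland used. The ldbsearch output is constructed; the NTDS Settings DN is the one from the thread.

```python
# Constructed `ldbsearch --cross-ncs ... -s base fSMORoleOwner` output:
# record 1 is healthy, record 2 mirrors the broken DomainDnsZones object.
SAMPLE = """\
# record 1
dn: CN=Infrastructure,DC=saitel,DC=loc
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,C
 N=Sites,CN=Configuration,DC=saitel,DC=loc

# record 2
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitel,DC=loc
"""
# NTDS Settings DN of the DC that should own the role (from the thread).
KDC01_NTDS = ("CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,"
              "CN=Sites,CN=Configuration,DC=saitel,DC=loc")

def parse_ldif(text):
    """One {attr: [values]} dict per record; lines starting with a space are
    LDIF folds joined to the previous value, '#' comment lines are skipped."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():               # blank line ends a record
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if line[0] == " " and last is not None:
            current[last][-1] += line[1:]  # folded continuation
            continue
        attr, _, value = line.partition(":")
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        records.append(current)
    return records

def missing_owner(records):
    """DNs whose fSMORoleOwner is absent (the KeyError case above) or empty."""
    bad = []
    for rec in records:
        vals = [v for k, v in rec.items() if k.lower() == "fsmoroleowner"]
        if not vals or not vals[0][0]:
            bad.append(rec["dn"][0])
    return bad

def fix_ldif(dn, ntds_dn):
    """ldbmodify LDIF; 'replace' works whether the attribute is absent or empty."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: fSMORoleOwner\n"
            f"fSMORoleOwner: {ntds_dn}\n")
```

Feed the real `ldbsearch` output for each role-holder DN to `parse_ldif`, and pass the resulting LDIF from `fix_ldif` to `ldbmodify --cross-ncs -H /usr/local/samba/private/sam.ldb`, after confirming no other DC holds the role.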
