[Samba] [samba] Samba 4.1.6 vs Win2008R2 FSMO roles

Taylor, Jonn jonnt at taylortelephone.com
Thu Aug 14 07:42:58 MDT 2014


On 08/14/2014 07:32 AM, Laszlo Levente wrote:
> Hi,
>
> we're using Zentyal 3.4/Samba 4.1.6 on two machines for our AD domain.
>
> We have to test the domain in a "pure" Microsoft environment, because of a
> third-party storage system.
> So I added the DC and DNS roles to one of our Windows 2008R2, and joined it to
> our domain. Everything's fine at this point.
>
> Then I wanted to transfer the 5 FSMO roles to Windows. Every role transferred
> successfully, except schema master... ntdsutil said:  Insufficient access
> rights (my account was in Domain Admins, Schema Admins, Enterprise Admins)
>
> OK, so I tried to seize the schema master role, after I shut down the two
> Zentyal DCs.
> Same result (insufficient rights) :(.
> Then we had to restore win2008R2 from disk image, and turn on Zentyals
> again.
>
> Then I realized that 4 transferred roles had not gone back to Samba. I
> transferred 3 of them back, but I can't get the naming role back.
>
> # samba-tool fsmo seize --role=naming
> ldb_wrap open of secrets.ldb
> Attempting transfer...
> ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_PORT_UNREACHABLE
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 160,
> in run
>     self.seize_role(role, samdb, force)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 126,
> in seize_role
>     transfer_role(self.outf, role, samdb)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 53, in
> transfer_role
>     samdb.modify(m)
> # samba-tool fsmo show
> ldb_wrap open of secrets.ldb
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=win2008R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=zentyal,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
>
>
> I searched Bugzilla and the list archives, but couldn't find any
> relevant info.
>
> Has anyone run into the same problem?
>
>
> Thanks for your help,
> Levente Laszlo
Restore one of your DCs from a backup. Also, you cannot remove a DC
from a Samba domain; Samba is broken for that. If you force-remove it, you
will have leftover metadata that will be stuck, and you will most
likely have a corrupt database. Most of the MS tools do not work either.

I would see if one of the project devs steps in, but this has been my
experience with Samba AD and more than 1 DC. Samba has always been a
great SMB/CIFS file server.

Jonn


