[Samba] Failed to transfer all 7 FSMOs

Rowland Penny rowlandpenny241155 at gmail.com
Thu Oct 8 08:14:27 UTC 2015


On 08/10/15 00:59, TAKAHASHI Motonobu/高橋 基信 wrote:
> Hello,
>
>> On 07/10/15 00:33, TAKAHASHI Motonobu/高橋 基信 wrote:
>>> Hello,
>>>
>>> I tested transferring all 7 FSMOs from Windows Server 2003 Enterprise
>>> to Samba 4.3.0 DC. (I think some users still use Win2K3 and want to
>>> migrate.) But unfortunately it failed.
>>>
>>> To reproduce,
>>>
>>> (1) Promote Win2K3R2 Enterprise host to first DC.
>>> (2) Join self-built Samba 4.3.0 to the domain.
>>> (3) Run 'samba-tool fsmo transfer --role=all'
>>>
>>> root@jessie64-1:~# samba-tool fsmo transfer --role=all
>>> FSMO transfer of 'rid' role successful
>>> FSMO transfer of 'pdc' role successful
>>> FSMO transfer of 'naming' role successful
>>> FSMO transfer of 'infrastructure' role successful
>>> FSMO transfer of 'schema' role successful
>>> ERROR: Failed to delete role 'domaindns': LDAP error 50    LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: SecErr: DSID-03151D80, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0> <>
>>>
>>> Any suggestions will be much appreciated.
>> Well, you could run 'samba-tool fsmo transfer --help' and read the last
>> line!
> Hello, do you mean "You must provide an Admin user and password"?
> I tried and it still failed with another error:
>
> root@jessie64-1:~# samba-tool fsmo transfer --role=all -U Administrator%password
> FSMO transfer of 'rid' role successful
> FSMO transfer of 'pdc' role successful
> FSMO transfer of 'naming' role successful
> FSMO transfer of 'infrastructure' role successful
> FSMO transfer of 'schema' role successful
> ERROR: Failed to add role 'domaindns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <000020AE: SvcErr: DSID-031524F4, problem 5003 (WILL_NOT_PERFORM), data 0> <>
> The first DC is Win2K3R2 host which is newly promoted.
>
> The password is valid. If I try with a wrong password, it fails
> with another error message:
> Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece> <>

Well, I did think that you would also read the Credentials Options.

But just in case you didn't, here they are:

Credentials Options:
     --simple-bind-dn=DN
                         DN to use for a simple bind
     --password=PASSWORD
                         Password
     -U USERNAME, --username=USERNAME
                         Username
     -W WORKGROUP, --workgroup=WORKGROUP
                         Workgroup
     -N, --no-pass       Don't ask for a password
     -k KERBEROS, --kerberos=KERBEROS
                         Use Kerberos
     --ipaddress=IPADDRESS
                         IP address of server

You use '--username=USERNAME --password=PASSWORD'
The way you are doing it is wrong.

Rowland
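
A triage helper for output like the runs quoted above, added here as an example (not part of the original thread or of Samba): it separates the roles that moved from the one that failed, names the LDAP result code per RFC 4511, and lists roles the run never reached. The function name `triage`, the report layout and the seventh role name 'forestdns' (absent from the quoted output) are assumptions.

```python
import re

# LDAP result codes that appear in the thread, with their RFC 4511 names.
LDAP_CODES = {
    49: "invalidCredentials",        # the bind itself was rejected
    50: "insufficientAccessRights",  # bound identity may not make the change
    53: "unwillingToPerform",        # server refused the operation
}
# Assumption: 'forestdns' is the seventh role; it never appears in the quoted output.
ALL_ROLES = ["rid", "pdc", "naming", "infrastructure", "schema",
             "domaindns", "forestdns"]

OK_RE = re.compile(r"FSMO transfer of '(\w+)' role successful")
ERR_RE = re.compile(r"ERROR: Failed to (\w+) role '(\w+)': LDAP error (\d+)")
BIND_RE = re.compile(r"Failed to bind - LDAP error (\d+)")

def triage(output, expected=ALL_ROLES):
    """Summarise one 'samba-tool fsmo transfer' run (hypothetical helper)."""
    report = {"transferred": [], "failed": None, "bind_error": None}
    for line in output.splitlines():
        if m := OK_RE.search(line):
            report["transferred"].append(m.group(1))
        elif m := ERR_RE.search(line):
            code = int(m.group(3))
            report["failed"] = {"step": m.group(1), "role": m.group(2),
                                "code": code,
                                "name": LDAP_CODES.get(code, "unknown")}
        elif m := BIND_RE.search(line):
            code = int(m.group(1))
            report["bind_error"] = LDAP_CODES.get(code, "unknown")
    seen = set(report["transferred"])
    if report["failed"]:
        seen.add(report["failed"]["role"])
    # Roles with no result line at all: the run stopped before reaching them.
    report["not_attempted"] = [r for r in expected if r not in seen]
    return report

# Sample input: abbreviated from the second run quoted in the thread.
SECOND_RUN = """\
FSMO transfer of 'rid' role successful
FSMO transfer of 'pdc' role successful
FSMO transfer of 'naming' role successful
FSMO transfer of 'infrastructure' role successful
FSMO transfer of 'schema' role successful
ERROR: Failed to add role 'domaindns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM
"""

if __name__ == "__main__":
    print(triage(SECOND_RUN))
```

A run that ends in a partial transfer leaves the roles split between two DCs, so the `transferred` and `not_attempted` lists are worth recording before retrying.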



