[Samba] remove dead server (samba 4.4.4)

mathias dufresne infractory at gmail.com
Mon Dec 19 16:34:39 UTC 2016


Plop,

Dumb answer, my favorite.

Several options:
- On DC to remove: you could try to run "samba_dnsupdate" after correctly
configuring your DNS system.
- You could try to add the missing entry to DNS and then relaunch the demote
command; perhaps the demote will stop hanging like that. No idea how to do
that 'cause I don't know what DNS record is related to
"DC=_ldap._tcp.TOBIAS._sites.ForestDnsZones,DC=e-trust.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=e-trust,DC=com,DC=br"
- You could shut down the broken server and add (join) it again. A join
necessarily implies removal before adding it again.

The demote said:
updating DC=_ldap._tcp.TOBIAS._sites.ForestDnsZones,DC=e-trust.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=e-trust,DC=com,DC=br keeping 0 values, removing 1 values
ERROR(<type 'exceptions.TypeError'>): uncaught exception - __ndr_unpack__() argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord

I just demoted one of my DCs using the very same command to check how it
works.
In my own logs I have at least one more line, the line for the removed DC's IP.

So I would first verify the DNS configuration on the DC to remove, then I would
try "samba_dnsupdate" to create all necessary DNS entries. As you will
have a working DNS configuration, the DNS entries should all be added.
As all needed DNS entries were added previously, the demote should not fail
because of a missing entry.

For 2nd option, still no idea.

For 3rd option: just rejoin your server, it should clean up the DB before
join and perform a full join, including addition of DNS entries. Then if
you really have to remove that DC, you should be able to.

Hoping this helps... Cheers,

Mathias Dufresne


2016-12-16 18:50 GMT+01:00 Vinicius Bones Silva via samba <samba at lists.samba.org>:

> Hi,
>
>     I'm trying to remove a DC from a site we have shut down. The demote
> command is throwing up this message:
>
> [root at aragorn ~]# samba-tool domain demote --remove-other-dead-server=pippin
> Removing nTDSConnection: CN=eca08dbb-1f34-476e-96dd-33ec22b2bc94,CN=NTDS Settings,CN=GANDALF,CN=Servers,CN=SAOPAULO,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br
> Removing nTDSDSA: CN=NTDS Settings,CN=PIPPIN,CN=Servers,CN=TOBIAS,CN=Sites,CN=Configuration,DC=e-trust,DC=com,DC=br (and any children)
> Removing RID Set: CN=RID Set,CN=PIPPIN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br
> Removing computer account: CN=PIPPIN,OU=Domain Controllers,DC=e-trust,DC=com,DC=br (and any child objects)
> Removing Samba-specific DNS service account: CN=dns-pippin,CN=Users,DC=e-trust,DC=com,DC=br
> updating DomainDnsZones.e-trust.com.br keeping 3 values, removing 1 values
> updating ForestDnsZones.e-trust.com.br keeping 3 values, removing 1 values
> updating e-trust.com.br keeping 8 values, removing 1 values
> updating DC=_ldap._tcp.TOBIAS._sites.DomainDnsZones,DC=e-trust.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=e-trust,DC=com,DC=br keeping 0 values, removing 1 values
> updating DC=_ldap._tcp.TOBIAS._sites.ForestDnsZones,DC=e-trust.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=e-trust,DC=com,DC=br keeping 0 values, removing 1 values
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - __ndr_unpack__() argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 720, in run
>     remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
>   File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 423, in remove_dc
>     remove_dns_account=True)
>   File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 351, in offline_remove_ntds_dc
>     remove_dns_account=remove_dns_account)
>   File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 266, in offline_remove_server
>     remove_dns_references(samdb, logger, dnsHostName)
>   File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 186, in remove_dns_references
>     for v in values if not to_remove(v) ]
>   File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 160, in to_remove
>     dnsRecord = ndr_unpack(dnsp.DnssrvRpcRecord, value)
>   File "/usr/lib64/python2.7/site-packages/samba/ndr.py", line 45, in ndr_unpack
>     object.__ndr_unpack__(data, allow_remaining=allow_remaining)
> A transaction is still active in ldb context [0x1953490] on tdb:///var/lib/samba/private/sam.ldb
>
> The pippin server still shows up in the Domain controllers list and site
> list. Is there anything I can do to complete the removal?
>
> The samba version is 4.4.4:
>
> [root at aragorn ~]# rpm -qa |grep -i samba
> sernet-samba-client-4.4.4-1.el7.x86_64
> sernet-samba-common-4.4.4-1.el7.x86_64
> sernet-samba-libsmbclient0-4.4.4-1.el7.x86_64
> sernet-samba-4.4.4-1.el7.x86_64
> sernet-samba-ad-4.4.4-1.el7.x86_64
> sernet-samba-libs-4.4.4-1.el7.x86_64
> sernet-samba-winbind-4.4.4-1.el7.x86_64
>
> And I'm using named as the DNS backend.
>
> Regards,
> --
>
>
> Vinicius Silva
> SOC


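Added example, not part of the original thread and not Samba code: a small parser for the demote output quoted above that turns each "updating" target into a DNS name and reports the last record logged before the exception. It assumes the dnsNode DN layout visible in the output (DC=<name>,DC=<zone>,CN=MicrosoftDNS,...); the function names are hypothetical.

```python
import re

# Constructed sample: "updating" lines from the demote output quoted above,
# with the mail client's line wrapping undone and the traceback omitted.
SAMPLE_LOG = """\
> updating e-trust.com.br keeping 8 values, removing 1 values
> updating DC=_ldap._tcp.TOBIAS._sites.DomainDnsZones,DC=e-trust.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=e-trust,DC=com,DC=br keeping 0 values, removing 1 values
> updating DC=_ldap._tcp.TOBIAS._sites.ForestDnsZones,DC=e-trust.com.br,CN=MicrosoftDNS,DC=DomainDnsZones,DC=e-trust,DC=com,DC=br keeping 0 values, removing 1 values
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - __ndr_unpack__() argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord
"""

UPDATE_RE = re.compile(
    r"^updating (?P<target>.+?) keeping (?P<keep>\d+) values, "
    r"removing (?P<rm>\d+) values$")


def dns_node_to_fqdn(target):
    """Map DC=<name>,DC=<zone>,CN=MicrosoftDNS,... to <name>.<zone>."""
    head, sep, _ = target.partition(",CN=MicrosoftDNS,")
    if not sep:
        return target                      # already logged as a plain DNS name
    rdns = [rdn.split("=", 1)[1] for rdn in head.split(",")]
    if len(rdns) == 1:
        return rdns[0]                     # DN of the zone object itself
    name, zone = rdns[0], rdns[1]
    return zone if name == "@" else "%s.%s" % (name, zone)


def parse_demote_log(text):
    """Return (updates, last_logged); last_logged is the record logged
    immediately before the ERROR line, or None if no error was seen."""
    updates, last_logged = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()   # drop mail quoting markers
        m = UPDATE_RE.match(line)
        if m:
            updates.append({"fqdn": dns_node_to_fqdn(m["target"]),
                            "keep": int(m["keep"]), "remove": int(m["rm"])})
        elif line.startswith("ERROR(") and updates:
            last_logged = updates[-1]
            break
    return updates, last_logged


if __name__ == "__main__":
    updates, last_logged = parse_demote_log(SAMPLE_LOG)
    for u in updates:
        print("%-60s keep=%d remove=%d" % (u["fqdn"], u["keep"], u["remove"]))
    print("last record logged before the exception:", last_logged["fqdn"])
```

The name reported last is a site-specific `_ldap._tcp` SRV record in the `e-trust.com.br` zone, which can then be checked with `samba-tool dns query` or `dig` against a working DC.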