[Samba] [samba] 4.4.0rc2 demote and --remove-other-dead-server
mathias dufresne
infractory at gmail.com
Wed Feb 10 16:35:10 UTC 2016
Hi all,

We were trying the new --remove-other-dead-server option that comes with 4.4.0rc.
The domain is a brand new one with several DCs added and two Windows
clients, no users yet.

Here is the smb.conf:

[global]
    workgroup = SAMBA
    realm = SAMBADOMAIN.TLD
    netbios name = DC200
    server role = active directory domain controller
    server services = -dns
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/samba.domain.tld/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

This smb.conf is the same on all DCs, modulo "netbios name" of course.
When trying to demote a dead DC, it always ends like this:

dc200:~# samba-tool domain demote --verbose --remove-other-dead-server=dc201
Removing nTDSConnection: CN=54e7a869-12c4-45e2-91e5-8ef015a3dec2,CN=NTDS Settings,CN=DC200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Removing nTDSConnection: CN=26405655-8fcb-4156-ba5a-8e0b7a60e8ab,CN=NTDS Settings,CN=DC202,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Removing nTDSConnection: CN=39270189-99f8-4640-b209-f1d421fb6661,CN=NTDS Settings,CN=DC203,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Removing nTDSDSA: CN=NTDS Settings,CN=DC201,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld (and any children)
Removing RID Set: CN=RID Set,CN=DC201,OU=Domain Controllers,DC=samba,DC=domain,DC=tld
Removing computer account: CN=DC201,OU=Domain Controllers,DC=samba,DC=domain,DC=tld (and any child objects)
Removing Samba-specific DNS service account: CN=dns-DC201,CN=Users,DC=samba,DC=domain,DC=tld
checking for DNS records to remove on samba.domain.tld
updating samba.domain.tld keeping 5 values, removing 1 values
checking for DNS records to remove on DomainDnsZones.samba.domain.tld
updating DomainDnsZones.samba.domain.tld keeping 3 values, removing 1 values
checking for DNS records to remove on ForestDnsZones.samba.domain.tld
updating ForestDnsZones.samba.domain.tld keeping 3 values, removing 1 values
checking DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
updating DC=_ldap._tcp.Authentification._sites.DomainDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
updating DC=_ldap._tcp.Authentification._sites.ForestDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
updating DC=_kerberos._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
updating DC=_ldap._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
updating DC=_gc._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
updating DC=_ldap._tcp.DomainDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 3 values, removing 1 values
updating DC=_ldap._tcp.ForestDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 3 values, removing 1 values
ERROR(<type 'exceptions.TypeError'>): uncaught exception - __ndr_unpack__() argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 720, in run
    remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 423, in remove_dc
    remove_dns_account=True)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 351, in offline_remove_ntds_dc
    remove_dns_account=remove_dns_account)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 266, in offline_remove_server
    remove_dns_references(samdb, logger, dnsHostName)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 186, in remove_dns_references
    for v in values if not to_remove(v) ]
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 160, in to_remove
    dnsRecord = ndr_unpack(dnsp.DnssrvRpcRecord, value)
  File "/usr/lib64/python2.7/site-packages/samba/ndr.py", line 45, in ndr_unpack
    object.__ndr_unpack__(data, allow_remaining=allow_remaining)
A transaction is still active in ldb context [0x17a4800] on tdb:///var/lib/samba/private/sam.ldb

It seems a function is missing to extract the encoded value of the DNS record
before using ndr_unpack() or __ndr_unpack__().

Anyway, it smells good. I'm eager to be able to use that, as when we tried
to restore the Samba AD database all went well... but almost everything went
wrong when we had to re-join all the other DCs. I would be able to re-test
restoration of the Samba AD database after using "samba-tool domain demote
--verbose --remove-other-dead-server=" to clean old references to DCs out of
the database.

Best regards,
mathias