[Samba] Unable to join DC to domain

IT Admin it at cliffbells.com
Mon Mar 28 09:00:37 UTC 2016


Sorry, I meant to include the command you sent in my last message, I had
executed it while troubleshooting...

:~$ sudo /usr/local/samba/bin/ldbsearch --cross-ncs -H /usr/local/samba/private/sam.ldb '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||'

CN=Schema,CN=Configuration,DC=cb,DC=cliffbells,DC=com
CN=Partitions,CN=Configuration,DC=cb,DC=cliffbells,DC=com
CN=Infrastructure,DC=DomainDnsZones,DC=cb,DC=cliffbells,DC=com
CN=Infrastructure,DC=ForestDnsZones,DC=cb,DC=cliffbells,DC=com
CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
DC=cb,DC=cliffbells,DC=com
CN=Infrastructure,DC=cb,DC=cliffbells,DC=com

I have tried to seize role=all --force...

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 339, in run
    self.seize_role("rid", samdb, force)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 255, in seize_role
    master_owner = get_fsmo_roleowner(samdb, m.dn)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py",
line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]

I found another thread about the issue:
http://www.spinics.net/lists/samba/msg131164.html

I'm in a bit over my head, any help is greatly appreciated.

JS
On Mar 28, 2016 4:46 AM, "Rowland penny" <rpenny at samba.org> wrote:

> On 28/03/16 09:09, IT Admin wrote:
>
> Alright... appreciate the info.  Gave it a shot.  Domain is still up but
> shares are down because they were hosted on FILER which has now been
> demoted and is no longer running any samba services.
>
> What I did while following the wiki "Transfer/Seize FSMO Roles":
>
> 1) logged on to FILER, ran samba-tool fsmo show, verified all 7 roles were
> owned by FILER.
>
> 2) logged on to CBADC01, executed samba-tool fsmo transfer --role=all -U
> administrator --realm=cb.cliffbells.com which succeeded.
>
> 3) ran samba-tool fsmo show again on FILER, verified all 7 roles were now
> owned by CBADC01.
>
> 4) ran samba-tool drs showrepl on FILER, replication succeeded after
> transferring fsmo roles.
>
> 5) ran samba-tool domain demote -Uadministrator on FILER.
>
> 6) shut down samba on FILER, removed smb.conf, removed initscript
>
> 7) followed guidelines to cleanup any remaining references to FILER, it
> existed in AD Sites and Services, I removed it.  I did not delete DNS
> references as FILER is critical in this network and must remain accessible.
>
> 8) rebooted FILER and CBADC01
>
>
> Currently AD is allowing users to login to computers, all shares are dead
> because FILER isn't providing them and I can't set it up as a Domain Member
> to provide the shares again because CBADC01 is missing 3 of 7 fsmoroleowner
> entries.  I think I have empty fSMORoleOwner attributes as discussed
> here:
> https://lists.samba.org/archive/samba-technical/2016-January/111516.html
>
>
> Here's where I'm at:
>
> sudo /usr/local/samba/bin/samba-tool fsmo show
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 390, in run
>     infrastructureMaster = get_fsmo_roleowner(samdb, infrastructure_dn)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool dbcheck --fix --cross-ncs
> Checking 3527 objects
> ERROR: fSMORoleOwner not found for role CN=RID
> Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
> Sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com onto
> current DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> [y/N/all/none] y
> Failed to sieze role CN=RID Manager$,CN=System,DC=cb,DC=cliffbells,DC=com
> onto current DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> : (20, 'SINGLE-VALUE attribute fSMORoleOwner on CN=RID
> Manager$,CN=System,DC=cb,DC=cliffbells,DC=com specified more than once')
> ERROR: fSMORoleOwner not found for role
> CN=Infrastructure,DC=cb,DC=cliffbells,DC=com
> Sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto current DC by
> adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> [y/N/all/none] y
> Failed to sieze role CN=Infrastructure,DC=cb,DC=cliffbells,DC=com onto
> current DC by adding fSMORoleOwner=CN=NTDS
> Settings,CN=CBADC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
> : (20, 'SINGLE-VALUE attribute fSMORoleOwner on
> CN=Infrastructure,DC=cb,DC=cliffbells,DC=com specified more than once')
> Checked 3527 objects (2 errors)
>
>
> itwerks at cbadc01:~$ sudo /usr/local/samba/bin/samba-tool fsmo seize
> --role=rid --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 353, in run
>     self.seize_role(role, samdb, force)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 255, in seize_role
>     master_owner = get_fsmo_roleowner(samdb, m.dn)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=infrastructure
> --force -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 353, in run
>     self.seize_role(role, samdb, force)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 255, in seize_role
>     master_owner = get_fsmo_roleowner(samdb, m.dn)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
>
>
>  sudo /usr/local/samba/bin/samba-tool fsmo seize --role=domaindns --force
> -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 351, in run
>     versionopts, force)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 301, in seize_dns_role
>     master_owner = get_fsmo_roleowner(samdb, m.dn)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
>
>
> sudo /usr/local/samba/bin/samba-tool fsmo seize --role=forestdns --force
> -U administrator --realm=cb.cliffbells.com
> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 351, in run
>     versionopts, force)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 301, in seize_dns_role
>     master_owner = get_fsmo_roleowner(samdb, m.dn)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line
> 42, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
>
>
> I guess I need LDIFs for these, client will be down on a Monday.
>
>
> JS
>
> On Sun, Mar 27, 2016 at 5:02 AM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 27/03/16 07:25, IT Admin wrote:
>>
>>> I ran ldbsearch on my sam.ldb
>>> I searched for CBADC02, CBADC03, and TESTES (all VMs that fail to join
>>> domain), results are below:
>>>
>>>
>>> CBADC02 shows up a few times:
>>>
>>> # record 1906
>>> dn:
>>>
>>> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu$
>>> objectClass: top
>>> objectClass: server
>>> instanceType: 4
>>> whenCreated: 20160310044543.0Z
>>> uSNCreated: 4215
>>> objectGUID: de85228c-f92b-4d5d-9d6a-01c3f915dec9
>>> systemFlags: 1375731712
>>> dNSHostName: cbadc02.cb.cliffbells.com
>>> cn:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
>>> isDeleted: TRUE
>>> name:: Q0JBREMwMgpERUw6ZGU4NTIyOGMtZjkyYi00ZDVkLTlkNmEtMDFjM2Y5MTVkZWM5
>>> lastKnownParent:
>>> CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
>>>   on,DC=cb,DC=cliffbells,DC=com
>>> isRecycled: TRUE
>>> whenChanged: 20160319092438.0Z
>>> uSNChanged: 4261
>>> distinguishedName:
>>> CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Se
>>>
>>> rvers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbell
>>>   s,DC=com
>>>
>>>
>>>   # record 2372
>>> dn: CN=NTDS
>>>
>>> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec$
>>> objectClass: top
>>> objectClass: applicationSettings
>>> objectClass: nTDSDSA
>>> instanceType: 4
>>> whenCreated: 20160310044546.0Z
>>> uSNCreated: 4214
>>> objectGUID: a5d3b626-e936-4a65-97bc-cade176d1b10
>>> systemFlags: 33554432
>>> cn::
>>> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjEw
>>> isDeleted: TRUE
>>> name::
>>> TlREUyBTZXR0aW5ncwpERUw6YTVkM2I2MjYtZTkzNi00YTY1LTk3YmMtY2FkZTE3NmQxYjE
>>>   w
>>> isRecycled: TRUE
>>> whenChanged: 20160319092438.0Z
>>> uSNChanged: 4259
>>> distinguishedName: CN=NTDS
>>> Settings\0ADEL:a5d3b626-e936-4a65-97bc-cade176d1b10
>>>
>>> ,CN=CBADC02\0ADEL:de85228c-f92b-4d5d-9d6a-01c3f915dec9,CN=Servers,CN=Default-
>>>   First-Site-Name,CN=Sites,CN=Configuration,DC=cb,DC=cliffbells,DC=com
>>>
>>>
>>>
>>>   # record 3275
>>> dn: CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=Deleted
>>> Objects,DC=cb,DC=cliffbells,DC=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> objectClass: computer
>>> instanceType: 4
>>> whenCreated: 20160321212014.0Z
>>> uSNCreated: 4287
>>> objectGUID: b34ccfd9-0f88-4f7b-8c00-3296ed92507d
>>> userAccountControl: 4128
>>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1602
>>> sAMAccountName: CBADC02$
>>> isDeleted: TRUE
>>> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>>> isRecycled: TRUE
>>> cn:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
>>> name:: Q0JBREMwMgpERUw6YjM0Y2NmZDktMGY4OC00ZjdiLThjMDAtMzI5NmVkOTI1MDdk
>>> whenChanged: 20160327050242.0Z
>>> uSNChanged: 4293
>>> distinguishedName:
>>> CN=CBADC02\0ADEL:b34ccfd9-0f88-4f7b-8c00-3296ed92507d,CN=De
>>>   leted Objects,DC=cb,DC=cliffbells,DC=com
>>>
>>>
>>>
>>>
>>>
>>>   # record 3481
>>> dn: CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=Deleted
>>> Objects,DC=cb,DC=cliffbells,DC=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> objectClass: computer
>>> instanceType: 4
>>> whenCreated: 20160310044542.0Z
>>> uSNCreated: 4212
>>> objectGUID: ec36364c-6f01-4c82-be95-8def84528d9a
>>> userAccountControl: 532480
>>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1122
>>> sAMAccountName: CBADC02$
>>> dNSHostName: cbadc02.cb.cliffbells.com
>>> cn:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
>>> whenChanged: 20160318045619.0Z
>>> isDeleted: TRUE
>>> uSNChanged: 4253
>>> name:: Q0JBREMwMgpERUw6ZWMzNjM2NGMtNmYwMS00YzgyLWJlOTUtOGRlZjg0NTI4ZDlh
>>> lastKnownParent: OU=Domain Controllers,DC=cb,DC=cliffbells,DC=com
>>> isRecycled: TRUE
>>> distinguishedName:
>>> CN=CBADC02\0ADEL:ec36364c-6f01-4c82-be95-8def84528d9a,CN=De
>>>   leted Objects,DC=cb,DC=cliffbells,DC=com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>   CBADC03 is there once:
>>>
>>>
>>>
>>>   # record 3431
>>> dn:
>>>
>>> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
>>> Obje$
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> objectClass: computer
>>> instanceType: 4
>>> whenCreated: 20160321211933.0Z
>>> uSNCreated: 4286
>>> objectGUID: 0d3362c2-c153-415e-b077-0772a61b96b5
>>> userAccountControl: 4128
>>> objectSid: S-1-5-21-2555112579-3841919511-698463993-1601
>>> sAMAccountName: CBADC03$
>>> isDeleted: TRUE
>>> lastKnownParent: CN=LostAndFound,DC=cb,DC=cliffbells,DC=com
>>> isRecycled: TRUE
>>> cn::
>>> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDowZ
>>>   DMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
>>> name::
>>> Q0JBREMwMwpERUw6MGQzMzYyYzItYzE1My00MTVlLWIwNzctMDc3MmE2MWI5NmI1CkRFTDo
>>>   wZDMzNjJjMi1jMTUzLTQxNWUtYjA3Ny0wNzcyYTYxYjk2YjU=
>>> whenChanged: 20160327050527.0Z
>>> uSNChanged: 4294
>>> distinguishedName:
>>> CN=CBADC03\0ADEL:0d3362c2-c153-415e-b077-0772a61b96b5\0ADEL
>>>   :0d3362c2-c153-415e-b077-0772a61b96b5,CN=Deleted
>>> Objects,DC=cb,DC=cliffbells,
>>>   DC=com
>>>
>>>
>>>
>>>   TESTES is nowhere to be found and still fails due to ObjectSID.  I don't
>>> understand how that is even possible.  I also manually inspected ADUC,
>>> ADSS, ADSIEdit and DNS in RSAT for both of my live DCs (FILER & CBADC01)
>>> and removed all references to CBADC02 & CBADC03.  Replication between FILER
>>> and CBADC01 is successful.  RSync replication of sysvol from FILER to
>>> CBADC01 is running via cron.
>>>
>>> I am spun.  I've been banging my head against Samba since 12/17/2015.
>>> Please advise, I need to get these VMs joined to the domain so I can seize
>>> FSMO roles off of FILER so I don't have to keep restoring this ^&*(@^#()*&^
>>> database every 36 hours.
>>>
>>>
>>> JS
>>>
>>>
>> OK, so you cannot join another DC and you have to keep restoring every 36
>> hours, doesn't this tell you something ?
>>
>> It looks like the  database you keep restoring is badly corrupted, you
>> should also be aware that you shouldn't restore a DC if another DC in the
>> domain is running.
>>
>> Are 'FILER' and 'CBADC01' joined ?
>> If so, is 'FILER' the only database that is giving problems ?
>> If so, then I think your best option is to seize all the fsmo roles to
>> 'CBADC01', turn off 'FILER' and then try to join a new DC to 'CBADC01'
>>
>>
>> Rowland
>>
>>
>
>
> Strange, you cannot seize the role because it already exists, try running
> this:
>
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb
> '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||'
>
> This should show all the DNs that have a 'fSMORoleOwner' attribute.
>
> Have you tried running
> 'samba-tool fsmo seize --force --role=all -UAdministrator
> --password=ADMINISTRATORPASSWORD'
> on the DC
>
> Rowland
>
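
An added example, not part of the original message or of Samba's code: a small audit of the ldbsearch output discussed in this thread, reporting for each of the seven role objects whether fSMORoleOwner is missing (the case behind the KeyError in the tracebacks), duplicated, or points at an object whose DN carries the `\0ADEL:` deleted marker seen in the quoted records. It assumes the LDIF was captured with the attribute values included (without the grep/sed filter); the role labels, the function names and the SAMPLE data are constructed for illustration.

```python
import base64

ROLE_PREFIX = {  # role label -> DN prefix of the role object, before the domain DN
    "schema": "CN=Schema,CN=Configuration,", "naming": "CN=Partitions,CN=Configuration,",
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones,",
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones,",
    "rid": "CN=RID Manager$,CN=System,", "pdc": "", "infrastructure": "CN=Infrastructure,",
}

def parse_records(text):
    """Parse ldbsearch LDIF into {dn_lower: {attr_lower: [values]}}."""
    records, current = {}, None
    # A line starting with one space is a fold: glue it onto the previous line.
    for line in text.replace("\n ", "").splitlines():
        attr, sep, value = line.partition(":")
        if not line.strip():
            current = None                      # a blank line ends the record
        elif sep and not line.startswith("#"):  # skip "# record N" comments
            if value.startswith(":"):           # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            if attr.lower() == "dn":
                current = records.setdefault(value.strip().lower(), {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value.strip())
    return records

def audit_roles(ldif_text, domain_dn):
    """Map each role to 'ok', 'missing', 'multiple' or 'deleted-owner'."""
    records, report = parse_records(ldif_text), {}
    for role, prefix in ROLE_PREFIX.items():
        owners = records.get((prefix + domain_dn).lower(), {}).get("fsmoroleowner", [])
        if len(owners) != 1:   # no value is what raises KeyError in the traceback
            report[role] = "missing" if not owners else "multiple"
        else:
            report[role] = "deleted-owner" if "\\0ADEL:" in owners[0] else "ok"
    return report

# Constructed sample: placeholder domain, DC names and GUID, with folded lines.
SAMPLE = """\
dn: CN=RID Manager$,CN=System,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=example,DC=com

dn: CN=Infrastructure,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings\\0ADEL:00000000-0000-0000-0000-000000000000,CN
 =OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

dn: DC=example,DC=com
"""
```

Calling `audit_roles(SAMPLE, "DC=example,DC=com")` returns a dict keyed by role label; run it against a copy of the LDIF output rather than the live database.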
