[Samba] Errors transferring forestdns and domaindns FSMO roles
Rowland Penny
rpenny at samba.org
Tue Dec 12 18:08:00 UTC 2017
On Tue, 12 Dec 2017 11:56:08 -0600
Taylor Hammerling via samba <samba at lists.samba.org> wrote:
> I am attempting to transfer all the FSMO roles from an old DC to our
> new DC. Both DCs are running Samba 4.7.3. I have transferred the
> Schema, Infrastructure, RID, PDC and Naming roles without issue.
>
> Unfortunately, the forestdns and domaindns roles are giving me grief.
>
> Here is the output of the commands
>
> root at dc1:~# samba-tool fsmo transfer --role=forestdns
> ldb_wrap open of secrets.ldb
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> resolve_lmhosts: Attempting lmhosts lookup for name
> 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> ERROR: Failed to delete role 'forestdns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=ForestDnsZones,DC=tcsbasys,DC=com has no write
> property access
> > <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
> 111, in transfer_dns_role
> samdb.modify(m)
> root at dc1:~#
>
>
> root at dc1:~# samba-tool fsmo transfer --role=domaindns
> ldb_wrap open of secrets.ldb
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> resolve_lmhosts: Attempting lmhosts lookup for name
> 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> ERROR: Failed to delete role 'domaindns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=DomainDnsZones,DC=tcsbasys,DC=com has no write
> property access
> > <>
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line
> 111, in transfer_dns_role
> samdb.modify(m)
> root at dc1:~#
>
>
> As always, any help you can provide would be immensely appreciated!
>
>
>
>
If you run 'samba-tool fsmo transfer --help', you will find this
amongst the output:
  --role=ROLE  The FSMO role to seize or transfer.
               rid=RidAllocationMasterRole
               schema=SchemaMasterRole
               pdc=PdcEmulationMasterRole
               naming=DomainNamingMasterRole
               infrastructure=InfrastructureMasterRole
               domaindns=DomainDnsZonesMasterRole
               forestdns=ForestDnsZonesMasterRole
               all=all of the above
               You must provide an Admin user and password.
Does the last line give you a hint ;-)
Rowland
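
Added example (not part of the original thread and not Samba's own code): a small triage helper that unwraps mail-quoted 'samba-tool fsmo transfer' output, extracts each failed role with its LDAP code and object DN, and flags the DNS roles that hit error 50 for a retry with admin credentials. The sample output is constructed with an example.com domain, the function names are hypothetical, -U is samba-tool's username option, and <admin-user> is a placeholder.

```python
import re

# Roles whose owner object sits in a DNS application partition. The --help
# text quoted above says an Admin user and password must be provided.
DNS_ROLES = {"domaindns", "forestdns"}

ERROR_RE = re.compile(
    r"ERROR: Failed to \w+ role '(?P<role>\w+)': LDAP error (?P<code>\d+) "
    r"(?P<name>LDAP_\w+) - <[0-9A-Fa-f]+: Object (?P<dn>\S+) has no "
)

# Constructed sample: same shape as the posted output, example.com domain.
SAMPLE = """\
> GENSEC backend 'krb5' registered
> ERROR: Failed to delete role 'forestdns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com has no write
> property access
> ERROR: Failed to delete role 'domaindns': LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write
> property access
"""

def unwrap(text):
    """Drop mail quote markers and rejoin lines the mail client wrapped."""
    lines = (re.sub(r"^(>\s?)+", "", ln).strip() for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)

def triage(text):
    """Return one finding per failed role transfer found in the output."""
    findings = []
    for m in ERROR_RE.finditer(unwrap(text)):
        role, code = m["role"], int(m["code"])
        # LDAP result code 50 is insufficientAccessRights.
        needs_admin = role in DNS_ROLES and code == 50
        findings.append({
            "role": role, "ldap_code": code, "ldap_name": m["name"], "dn": m["dn"],
            "retry": (f"samba-tool fsmo transfer --role={role} -U <admin-user>"
                      if needs_admin else None),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```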