[Samba] LDAP_INSUFFICIENT_ACCESS_RIGHTS error stops FSMO transfer

Adam Tauno Williams awilliam at whitemice.org
Fri Jan 27 19:58:46 UTC 2017 

Quoting Adam Tauno Williams via samba <samba at lists.samba.org>:
> Attempting to move FSMO roles from one SerNET Samba 4.5.4 DC to  
> another, all roles transfered except the DNS related ones - those  
> fail with an LDAP_INSUFFICIENT_ACCESS_RIGHTS
> [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns
> ERROR: Failed to delete role 'forestdns': LDAP error 50  
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object  
> CN=Infrastructure,DC=ForestDnsZones,DC=micore,DC=us has no write  
> property access
>> <>

Provding credentials appears to have worked... although it still ends  
in an error.

[root at larkin28 ~]# samba-tool fsmo transfer --role=domaindns  
--username=Administrator --password=************
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -  
'module' object has no attribute 'drs_utils'
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",  
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
line 520, in run
     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
line 129, in transfer_dns_role
     except samba.drs_utils.drsException, e:


[root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns  
--username=Administrator --password=***********
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -  
'module' object has no attribute 'drs_utils'
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py",  
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
line 520, in run
     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
line 129, in transfer_dns_role
     except samba.drs_utils.drsException, e:

[root at larkin28 ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
InfrastructureMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
RidAllocationMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
PdcEmulationMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
DomainNamingMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
DomainDnsZonesMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
ForestDnsZonesMasterRole owner: CN=NTDS  
Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us

Doing the show on other DCs it does appear that they all agree the  
role transfer occurred.

More information about the samba mailing list