[Samba] LDAP_INSUFFICIENT_ACCESS_RIGHTS error stops FSMO transfer

Rowland Penny rpenny at samba.org
Fri Jan 27 20:44:15 UTC 2017 

On Fri, 27 Jan 2017 14:58:46 -0500
Adam Tauno Williams via samba <samba at lists.samba.org> wrote:

> Quoting Adam Tauno Williams via samba <samba at lists.samba.org>:
> > Attempting to move FSMO roles from one SerNET Samba 4.5.4 DC to  
> > another, all roles transfered except the DNS related ones - those  
> > fail with an LDAP_INSUFFICIENT_ACCESS_RIGHTS
> > [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns
> > ERROR: Failed to delete role 'forestdns': LDAP error 50  
> > LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object  
> > CN=Infrastructure,DC=ForestDnsZones,DC=micore,DC=us has no write  
> > property access
> >> <>
> 
> Provding credentials appears to have worked... although it still
> ends in an error.
> 
> [root at larkin28 ~]# samba-tool fsmo transfer --role=domaindns  
> --username=Administrator --password=************
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception -  
> 'module' object has no attribute 'drs_utils'
>    File
> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
> 176, in _run return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
> line 520, in run
>      transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
> line 129, in transfer_dns_role
>      except samba.drs_utils.drsException, e:
> 
> 
> [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns  
> --username=Administrator --password=***********
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception -  
> 'module' object has no attribute 'drs_utils'
>    File
> "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line
> 176, in _run return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
> line 520, in run
>      transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>    File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py",  
> line 129, in transfer_dns_role
>      except samba.drs_utils.drsException, e:
> 

Transferring the FSMO roles is done very similarly to the way windows
does it, except for the DNS roles which are done by deleting the role
from the old owner, adding it the new owner and then forcing
replication. It seems it is the last part of this that is failing,
this is because it claims it cannot find 'drs_utils.py', this should
be in python{VERSION}/site-packages/samba/
i.e. on my self compiled Samba:
 /usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py

Rowland

More information about the samba mailing list