[Samba] Magically disappearing errors during FSMO transfer

Rowland Penny rpenny at samba.org
Thu Oct 5 19:55:52 UTC 2017


On Thu, 5 Oct 2017 14:14:56 -0500 (CDT)
Mike Ray via samba <samba at lists.samba.org> wrote:

> Recently tried transferring roles from Samba 4.3.11 to Samba 4.7.0.
> Ultimately, both dcs agreed that the 4.7.0 dc (dc3) had all the roles
> and replication and the databases were in good shape. However, during
> the process, I got a lot of errors that seemed to magically
> disappear. 
> 
> Should I be worried?
> 
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo s^C
> root@dc3:~# samba-tool fsmo transfer --role all
> FSMO transfer of 'rid' role successful
> ERROR: Transfer of 'pdc' role failed: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role all
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> FSMO transfer of 'naming' role successful
> ERROR: Transfer of 'infrastructure' role failed: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role all
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> FSMO transfer of 'schema' role successful
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access
> > <>
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role all
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access
> > <>
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 515, in run
>     "domaindns", samdb)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role domaindns
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access
> > <>
> root@dc3:~# samba-tool fsmo transfer --role domaindns -UAdministrator
> This DC already has the 'domaindns' FSMO role
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role forestdns
> ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com has no write property access
> > <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 520, in run
>     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> This DC already has the 'forestdns' FSMO role
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> 
> Thanks,
> 
> Mike Ray
> 

The problem is that you need to authenticate to transfer the domaindns
and forestdns FSMO roles; this means you also need to authenticate if
you transfer 'all' the FSMO roles.

If 'samba-tool fsmo show' is now displaying the correct owners and
everything is working correctly, you are probably going to be okay.

I will look into refusing to do anything if 'all' or 'domaindns' or
'forestdns' roles are selected without using authentication.

Rowland
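
An added example, not part of the original messages and not Samba's own code: a Python check that parses `samba-tool fsmo show` output (including the quoted, line-wrapped form seen in this thread), lists the roles not yet owned by the expected DC, and flags the `--role` arguments that the reply above says need authentication. The function names and the sample text are constructed for illustration.

```python
import re

# The seven role labels printed by `samba-tool fsmo show` in this thread.
ROLES = (
    "SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
    "PdcEmulationMasterRole", "DomainNamingMasterRole",
    "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole",
)
# --role arguments that, per the reply above, require authentication (-U).
AUTH_ROLES = {"all", "domaindns", "forestdns"}

OWNER_RE = re.compile(r"(\w+Role) owner: CN=NTDS Settings,CN=([^,\s]+),")


def parse_fsmo_show(text):
    """Map each role label to the DC named in its NTDS Settings DN."""
    # Drop mail quote markers, then undo line wrapping before matching.
    lines = (re.sub(r"^(>\s?)+", "", ln) for ln in text.splitlines())
    flat = " ".join(" ".join(lines).split())
    return {role: dc.upper() for role, dc in OWNER_RE.findall(flat)}


def roles_not_on(owners, expected_dc):
    """Roles missing from the output or still owned by another DC."""
    return [r for r in ROLES if owners.get(r) != expected_dc.upper()]


def needs_auth(role_arg):
    """True when a transfer of this --role value should be run with -U."""
    return role_arg.lower() in AUTH_ROLES


def _entry(role, dc):
    # Constructed sample line pair, wrapped and quoted as in the mail.
    return ("> %s owner: CN=NTDS\n> Settings,CN=%s,CN=Servers,"
            "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
            "DC=example,DC=com\n" % (role, dc))


# Constructed sample: the mid-transfer state where only forestdns is on DC0.
SAMPLE = "".join(
    _entry(r, "DC0" if r == "ForestDnsZonesMasterRole" else "DC3")
    for r in ROLES)

if __name__ == "__main__":
    owners = parse_fsmo_show(SAMPLE)
    print("still to move:", roles_not_on(owners, "dc3"))
    print("'all' needs -U:", needs_auth("all"))
```
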


