[Samba] Problems removing a SBS 2008 server from a Samba AD DC.

me at tdiehl.org me at tdiehl.org
Mon Aug 27 20:17:42 UTC 2018


Hi,
I have a Samba 4.7.9 DC that I am trying to remove a Windows SBS DC from.
In doing this I have run across several problems.

For whatever reason when I try to dcpromo the windows DC it fails because
it says it cannot contact the samba4 DC. I have checked replication as per
https://wiki.samba.org/index.php/Verifying_the_Directory_Replication_Statuses
All of the tests pass.

Since we are going to retire the Windows server, I figured I would try just
running "samba-tool domain demote --remove-other-dead-server=PHT1". That gave
me the error described in https://bugzilla.samba.org/show_bug.cgi?id=13484.
So I patched remove_dc.py as called out in the above bug. Once that was done
I now get the following error:
(pht-vdc1 pts8) # samba-tool domain demote --remove-other-dead-server=PHT1
ERROR(ldb): uncaught exception - replmd_delete: Failed to modify object CN=owa (SBS Web Applications),CN=HTTP,CN=Protocols,CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com in delete - Unsupported critical extension 1.3.6.1.4.1.7165.4.3.29
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 730, in run
     remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/remove_dc.py", line 414, in remove_dc
     remove_dns_account=True)
   File "/usr/local/samba/lib64/python2.7/site-packages/samba/remove_dc.py", line 231, in offline_remove_server
     samdb.delete(server_dn, ["tree_delete:0"])
A transaction is still active in ldb context [0x229d050] on tdb:///usr/local/samba/private/sam.ldb

I tried googling the above error but I have not found anything useful.

smb.conf is as follows:
[global]
     netbios name = VDC1
     realm = MYDOMAIN.COM
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
     workgroup = MYDOMAIN
     server role = active directory domain controller

     # logs split per machine
     log file = /var/log/samba/%m.log
     max log size = 5000
     log level = 2
     deadtime = 5

[netlogon]
     path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
     read only = No

[sysvol]
     path = /usr/local/samba/var/locks/sysvol
     read only = No

In addition, I tried running samba-tool dbcheck --cross-ncs --fix.
That command generates over 400 errors that it claims it is going to fix, but
it does not.

(pht-vdc1 pts9) # samba-tool dbcheck --cross-ncs --fix --yes
Checking 10561 objects
ERROR: description not present on Deleted Objects container CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com
Fix Deleted Objects container CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com by restoring default attributes? [YES]
Fixed Deleted Objects container 'CN=Deleted Objects,DC=DomainDnsZones,DC=mydomain,DC=com'

ERROR: description not present on Deleted Objects container CN=Deleted Objects,DC=ForestDnsZones,DC=mydomain,DC=com
Fix Deleted Objects container CN=Deleted Objects,DC=ForestDnsZones,DC=mydomain,DC=com by restoring default attributes? [YES]
Fixed Deleted Objects container 'CN=Deleted Objects,DC=ForestDnsZones,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=PHTool Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=PHTool Calendar,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd5683-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'

...

Fix nTSecurityDescriptor on DC=173,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'DC=173,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=PHTOOL Contacts,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=PHTOOL Contacts,CN=Microsoft Exchange System Objects,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=3e4f4182-ac5d-4378-b760-0eab2de593e2,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'

Fix nTSecurityDescriptor on CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=6bcd567c-8314-11d6-977b-00c04f613221,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'

NOTE: old (due to rename or delete) DN string component for msSBSComputerUserAccessOverride in object CN=Chris XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com - S:2: 5:<GUID=ae9149ab-23ca-4e82-9604-088f9266eb3f>;<SID=S-1-5-21-619667644-1604242038-736796184-3130>;CN=CHRIS-LAPTOP,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=mydomain,DC=com
Change DN to S:2: 5:<GUID=ae9149ab-23ca-4e82-9604-088f9266eb3f>;<SID=S-1-5-21-619667644-1604242038-736796184-3130>;CN=CHRIS-LAPTOP\0ADEL:ae9149ab-23ca-4e82-9604-088f9266eb3f,CN=Deleted Objects,DC=mydomain,DC=com? [YES]
ERROR: Failed to fix old DN string on attribute msSBSComputerUserAccessOverride : (16, "attribute 'msSBSComputerUserAccessOverride': no matching attribute value while deleting attribute on 'CN=Chris XXXXX,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=com'")
(pht-vdc1 pts9) #

Is there a sane way to fix this?

Regards,

-- 
Tom			me at tdiehl.org
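Added illustration, not part of the original post: a small Python triage script that pairs each dbcheck "Fix ...? [YES]" prompt with the line that follows it, so a run with hundreds of promised fixes can be split into the ones that landed and the ones that failed, plus a parser for the Object(DN-String) value dbcheck was trying to rewrite. It assumes the MS-ADTS encoding S:<count>:<string>:<extended DN>; the sample log is constructed from the lines quoted above with shortened DNs.

```python
import re

# Constructed sample shaped like the `samba-tool dbcheck --cross-ncs --fix --yes`
# output quoted in the post (DNs shortened); it is not the poster's actual log.
SAMPLE_DBCHECK_OUTPUT = r"""
Fix nTSecurityDescriptor on CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=Windows SBS Link Users,OU=Security Groups,OU=MyBusiness,DC=mydomain,DC=com'

NOTE: old (due to rename or delete) DN string component for msSBSComputerUserAccessOverride in object CN=Chris,OU=SBSUsers,DC=mydomain,DC=com - S:2: 5:<GUID=ae9149ab-23ca-4e82-9604-088f9266eb3f>;<SID=S-1-5-21-619667644-1604242038-736796184-3130>;CN=CHRIS-LAPTOP,OU=SBSComputers,DC=mydomain,DC=com
Change DN to S:2: 5:<GUID=ae9149ab-23ca-4e82-9604-088f9266eb3f>;<SID=S-1-5-21-619667644-1604242038-736796184-3130>;CN=CHRIS-LAPTOP\0ADEL:ae9149ab-23ca-4e82-9604-088f9266eb3f,CN=Deleted Objects,DC=mydomain,DC=com? [YES]
ERROR: Failed to fix old DN string on attribute msSBSComputerUserAccessOverride : (16, "attribute 'msSBSComputerUserAccessOverride': no matching attribute value while deleting attribute on 'CN=Chris,OU=SBSUsers,DC=mydomain,DC=com'")
"""

PROMPT = re.compile(r"^(Fix|Change) (.+)\? \[YES\]$")
FAILED = re.compile(r"^ERROR: Failed to fix (.+?) : ")

def triage_dbcheck(output):
    """Pair every 'Fix/Change ...? [YES]' prompt with the line after it."""
    lines = [l for l in output.splitlines() if l.strip()]
    result = {"fixed": [], "failed": [], "unknown": []}
    for i, line in enumerate(lines):
        m = PROMPT.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt.startswith("Fixed "):
            result["fixed"].append(m.group(2))
        elif FAILED.match(nxt):
            result["failed"].append(FAILED.match(nxt).group(1))
        else:
            result["unknown"].append(m.group(2))
    return result

def parse_dn_string(value):
    """Split an Object(DN-String) value 'S:<count>:<string>:<extended DN>'
    (MS-ADTS encoding) and flag a DN already under Deleted Objects."""
    if not value.startswith("S:"):
        raise ValueError("not a DN-String value: %r" % value)
    count, rest = value[2:].split(":", 1)
    n = int(count)
    parts = {"string": rest[:n]}
    dn = rest[n + 1:]          # skip the ':' that follows the string
    while dn.startswith("<"):  # peel <GUID=...>; and <SID=...>; prefixes
        tag, dn = dn[1:].split(">;", 1)
        key, val = tag.split("=", 1)
        parts[key.lower()] = val
    parts["dn"] = dn
    parts["deleted"] = "\\0ADEL:" in dn   # the \0ADEL RDN marks a tombstone
    return parts
```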