[Samba] messy replication

Adam Weremczuk adamw at matrixscience.com
Wed Jul 17 15:05:30 UTC 2019


On 16/07/19 15:38, Rowland penny via samba wrote:

>
> You (because of your Samba version) can only demote the DC on the DC 
> itself, so just follow the info at the top of the page. 

Hello again,

I'm trying to follow instructions for demoting: 
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

I don't think I need to transfer FSMO roles since both controllers own them:

dc1:/# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
SchemaMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk

dc2:/# samba-tool fsmo show
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
InfrastructureMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk

The demotion attempt fails as below:

root at dc2 /# samba-tool domain demote -UAdministrator
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
Using dc1.example.co.uk as partner server for the demotion
Using binding ncacn_ip_tcp:dc1.example.co.uk[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.example.co.uk<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name dc1.example.co.uk<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Password for [EXAMPLE\Administrator]:
Received smb_krb5 packet of length 281
Received smb_krb5 packet of length 181
Deactivating inbound replication
Asking partner server dc1.example.co.uk to synchronize from us
Error while replicating out last local changes from 'CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk' for demotion, re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a DsReplicaSync for partition 'CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk' - (87, 'WERR_INVALID_PARAM')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 787, in run
     drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

It looks like dc2 fails to sync data to dc1 because replication is 
broken, but I don't care about any data currently on dc2.

I just need to cut the ties safely, i.e. dc1 should remain operational.

Make dc1 aware it's now on its own and obliterate dc2.

What's the best way to "force" demotion in this case?

Thanks,
Adam
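As an added example, not from the post or from Samba itself, here is a POSIX shell pre-demotion check over the `samba-tool fsmo show` listing quoted above: it reports which roles the DC about to be demoted still owns and which of the seven roles the listing omits (the post's dc1 prints five, dc2 seven). The sample output is constructed from the post's placeholder names, with one role deliberately placed on dc2 so the failing case is exercised.

```shell
#!/bin/sh
# Added example, not Samba code. Constructed `samba-tool fsmo show` output,
# role lines unwrapped as samba-tool prints them; DomainDnsZones is put on dc2
# on purpose so the check has something to reject.
SITE='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk'
FSMO_SAMPLE="SchemaMasterRole owner: CN=NTDS Settings,CN=dc1,$SITE
InfrastructureMasterRole owner: CN=NTDS Settings,CN=dc1,$SITE
RidAllocationMasterRole owner: CN=NTDS Settings,CN=dc1,$SITE
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=dc1,$SITE
DomainNamingMasterRole owner: CN=NTDS Settings,CN=dc1,$SITE
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=dc2,$SITE
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=dc1,$SITE"

# The seven roles a current samba-tool lists; an older build (like dc1's in
# the post) prints only the first five, so absent roles are reported too.
ALL_ROLES='SchemaMasterRole InfrastructureMasterRole RidAllocationMasterRole
PdcEmulationMasterRole DomainNamingMasterRole DomainDnsZonesMasterRole
ForestDnsZonesMasterRole'

# fsmo_roles_held DC OUTPUT: print the role names whose owner NTDS Settings
# object sits under CN=<DC>,CN=Servers,...
fsmo_roles_held() {
    printf '%s\n' "$2" |
        grep -i "owner: CN=NTDS Settings,CN=$1,CN=Servers," |
        sed 's/ owner:.*//'
}

# fsmo_roles_missing OUTPUT: print the roles from ALL_ROLES absent from OUTPUT.
fsmo_roles_missing() {
    for r in $ALL_ROLES; do
        printf '%s\n' "$1" | grep -q "^$r owner:" || echo "$r"
    done
}

# fsmo_demote_ok DC OUTPUT: 0 when DC owns no role and all roles are listed,
# i.e. demoting DC needs no transfer first; 1 otherwise, reason on stderr.
fsmo_demote_ok() {
    held=$(fsmo_roles_held "$1" "$2")
    missing=$(fsmo_roles_missing "$2")
    if [ -n "$held" ]; then
        echo "$1 still owns:" $held >&2; return 1
    fi
    if [ -n "$missing" ]; then
        echo "roles not shown (run fsmo show on a newer build):" $missing >&2
        return 1
    fi
    return 0
}
```

In practice feed it live output, e.g. `fsmo_demote_ok dc2 "$(samba-tool fsmo show)"`, before starting the demotion.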
