[Samba] FMSO transfer gone wrong

Arne Zachlod arne at nerdkeller.org
Sun Apr 5 19:04:07 UTC 2020

On 4/5/20 8:02 PM, Denis CARDON via samba wrote:
> Hi Arne,
> On 05/04/2020 at 19:47, Arne Zachlod via samba wrote:
>> On 4/5/20 7:14 PM, Rowland penny via samba wrote:
>>> On 05/04/2020 17:47, Arne Zachlod via samba wrote:
>>>> Hello,
>>>> I'm currently in the process of updating our Samba environment from 
>>>> 4.3 to 4.11. Looks like I did something wrong. Some pointers would 
>>>> be much appreciated.
>>>> Since I wanted to migrate from Ubuntu to Debian anyway, I decided to 
>>>> not upgrade in place, but instead create new VMs, join them and then 
>>>> remove the old 4.3 ones. Everything went well until I also wanted to 
>>>> transfer FSMO roles to a new VM.
>>>> Since 'samba-tool fsmo transfer --role=all' didn't work, I decided 
>>>> to use seize instead. There was no error output other than the 
>>>> expected error that the transfer didn't work and I shut the old FSMO 
>>>> master DC down.
>>>> So, now nothing really works as expected: the other DCs didn't get 
>>>> the memo to change to the new FSMO master DC and I can't find any 
>>>> documentation on how to change that by hand.
>>>> Also, drs showrepl requests take forever to finish on the now 
>>>> disconnected DCs while they just time out on the FSMO master.
>>> Hmm, 4.3.x to 4.11.0, are smbd & winbind running, or is just samba 
>>> running ?
>> Samba, winbind and smbd are all running.
>>> Your new DC could be re-indexing, if so just wait.
>> How can I verify this? The Domain isn't very big, sub 100 PCs and 
>> roughly the same amount of users, so I expect it shouldn't take very 
>> long.
> First you should double check your DNS configuration (/etc/resolv.conf 
> and /etc/krb5.conf). If you are using bind-dlz, double check that it is 
> really started. In more recent versions it does not start up if there is 
> no NS record in every zone (which includes reverse zones).

I'm using the samba internal DNS, so no bind. I checked with ss, and 
samba is running on port 53 as well, so it seems that's working correctly.

> For the seize command I think there is a --force option, otherwise it 
> starts with a transfer that may time out first before really seizing the 
> roles.

The transfer worked, I don't have the output anymore, but the transfer 
timed out and then the seize worked correctly, but the other DCs don't 
know that the FSMO role went to the other DC, so one question is how I 
can fix that?

> You'll have to do a dbcheck --cross-ncs --fix --yes (after doing a backup) 
> to fix everything that has been corrected since 4.3.
> You may check that you don't have leftovers from old DCs in sites and 
> services and then force a samba_kcc.
> Cheers,
> Denis

Thank you so much for your suggestions.
