[Samba] Issues demoting a samba DC.

Michael Tokarev mjt at tls.msk.ru
Sun Jan 8 15:54:25 UTC 2023 

08.01.2023 18:19, Rowland Penny via samba wrote:
..
>> The problem with this approach is that we don't know what's happening, and thus
>> unable to fix the bugs.
> 
> Most of the time it isn't really a bug, it is trying to do things in a away that works on Windows but do not work on Samba. Windows has the concept of 
> allowing users to join machines to the domain (and presumably demote them), Samba does not do this. Samba only allows machines to be joined to the 
> domain by Administrator and members of Domain Admins (provided the correct privileges are granted).

I don't even know how it works on windows, I always managed stuff from linux.
And I never tried any advanced operations by unprivileged users, always using
an administrative account (member of Domain Admins group).  (Sometimes it is
not sufficient though, I've hit a situation where I had to grant an additional
privilege to this user the other day, something in context of adding a printer).

>> I removed this DC the "use the force" way, from another DC.
>> Turned it off for sure too, - so it wont get contacted by a chance.
>> Especially cleaned up all DNS caches from the old names as well.
>>
>> But now I've a lot of messages on another DC's log.samba (the one
>> which now has FSMO roles):
>>
>> [2023/01/08 17:10:55.689675,  0] ../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
>> ncacn_ip_tcp:192.168.19.6[49153,seal,krb5,target_hostname=4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru,target_principal=GC/svdcp.tls.msk.ru/tls.msk.ru,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.177.8] NT_STATUS_NO_LOGON_SERVERS
>>
>> What is e3514235-4b06-11d1-ab04-00c04fc2dcd2 where it tries to bind to?
> 
> It actually tells you above, it is a UUID, also known as a GUID.
> Samba has bug for this, it seems that when you demote a DC, its dns GUID record gets left behind, see:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=12534

Hmm.  This is actually fun.  In my DNS all the records associated with this
host, together with this very gc._msdcs record, has been removed automatically,
- I just dropped this DC's dns_update_cache file from the common DNS namespace
and regenerated it the usual way. Yes, this record is still in the samba domain
database somewhere - I just deleted it with samba-tool dns delete as stated in
this bug.  But it was not actually used in my case, because it has been in the
deleted DC "dns_update_cache" file only, and this is where my dns configuration
comes from.  So in my case it is just a small cleanup of an old record, which
does not do anything actually.

BTW, what's the way to dump whole DNS zone from a samba DC?

>> 4b38bf02-0354-44f7-b1b2-4bc8bd73784a is the other DC's alias (svdcp vs svdcm):
>>
>> # dnsget 4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru
>> 4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru. CNAME svdcp.tls.msk.ru.
>> svdcp.tls.msk.ru. A 192.168.19.6
>>
>> I haven't found the string e3514235-4b06-11d1-ab04-00c04fc2dcd2 anywhere in
>> /var/lib/samba/ or similar dirs, the only single mention of it is in
>> private/spn_update_list:
> 
> It is in sam.ldb (do not touch anything in sam.ldb.d), but you will probaly have to use ldbsearch with '--cross-ncs' to see it.

any string can be searched in a binary file with plain old grep, it is
easy to use for a quick check.  If it is in sam.ldb[.d]. more appropriate
tools can be used, but `grep -ir foo /var/lib/samba/' does the quick-n-dirty
search. I just used the wrong string, -- cut-n-pasted the different line by
mistake.  I found it later when realized my mistake. And found it as the SPN
for this DC.


>> I'm not sure this is how things are supposed to be... :)
> 
> It isn't, but it may work if you can fix the UUID dns record, if not, we will cross that bridge when we come to it ;-)

FWIW. This bug (samba not removing old GC._msdcs record) should actually not
prevent it from working and being unable to bind to its own uuid). Because
besides the A record of the removed DC, there are A records for all other
DCs in there too. So this is definitely a *set*, not a single A.  So it
should be able to contact other hosts for this just fine.

And nope, after removing this stale A gc._msdcs record from samba DNS, it
still does not work and still logs the same error message, apparenlty when
trying to log in to the other DC for replication:

[2023/01/08 18:50:43.390974,  0] ../../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for 
ncacn_ip_tcp:192.168.19.6[49153,seal,krb5,target_hostname=4b38bf02-0354-44f7-b1b2-4bc8bd73784a._msdcs.tls.msk.ru,target_princi

I'll try to strace it to find out what's going on.

Unfortunately I still don't know what does it *mean*, what exactly it tries
to do when "binding to uuid"?

Thanks,

/mjt

More information about the samba mailing list