[Samba] problems with sysvol after fsmo transfer
Rowland Penny
rpenny at samba.org
Thu Jan 12 11:25:55 UTC 2023
On 12/01/2023 10:53, Thorsten Marquardt via samba wrote:
> Thank you so far. But unfortunately I could not fix the problems. So I
> decided to start over again at a situation where all the fsmo roles
> reside on the old controller.
>
> Here is a transcript of what I did and the errors reported:
>
> The initial position
>
> srv-kb-dc1:~ # samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>
> srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
> Server: 192.168.1.243
> Address: 192.168.1.243#53
>
> _ldap._tcp.pdc._msdcs.my.local.dom service = 0 100 389 srv-kb-primdc.my.local.dom.
>
>
> Attempt no. 1
>
> srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator
There is obviously a bit of a misunderstanding going on here. If you use
'-k yes' (which has been replaced by '--use-kerberos=required') there is
no point in using '-U'; it looks for the logged-in user's ticket.
Here, it is 'root' that is logged in, and on a DC 'Administrator' is
mapped to 'root', so, provided root has run 'kinit Administrator', there
should be a ticket in /tmp for 'root' that Administrator can use.
Here is the proof of concept:
Log into the DC that you wish to transfer an FSMO role to and show the
FSMO owners at present (this list is shortened to just one, the one I
will transfer):
adminuser@rpidc2:~ $ sudo samba-tool fsmo show
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=RPIDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
Kinit as Administrator (note I am using sudo, but it would be the same
if done by root)
adminuser@rpidc2:~ $ sudo kinit Administrator
Password for Administrator@SAMDOM.EXAMPLE.COM:
The Administrator's ticket:
adminuser@rpidc2:~ $ sudo klist -c /tmp/krb5cc_0
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMDOM.EXAMPLE.COM
Valid starting       Expires              Service principal
12/01/23 11:14:21    12/01/23 21:14:21    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 13/01/23 11:14:13
Now transfer an FSMO role:
adminuser@rpidc2:~ $ sudo samba-tool fsmo transfer --role=domaindns --use-kerberos=required
FSMO transfer of 'domaindns' role successful
Look at who owns the FSMO role now:
adminuser@rpidc2:~ $ sudo samba-tool fsmo show
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=RPIDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
I hope this helps you understand how to use Kerberos with samba-tool a
little bit better. You only use '-U' if you are going to use a password.
Rowland
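The procedure above (kinit as Administrator, check the root ticket cache, then run the transfer with --use-kerberos=required) as an added shell example that is not part of the thread: it parses klist output to confirm the cache really holds an unexpired ticket for the expected principal before samba-tool is invoked. The principal name, the DD/MM/YY date format, the /tmp/krb5cc_0 path and the transfer_role wrapper are assumptions taken from the session shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. With --use-kerberos=required samba-tool
# uses the ticket cache of the user running it (root -> /tmp/krb5cc_0) and
# ignores -U, so check that cache before attempting an FSMO transfer.

# to_num "DD/MM/YY HH:MM:SS" -> YYMMDDHHMMSS so timestamps compare numerically.
# klist prints the locale's short date; DD/MM/YY as in the thread is assumed.
to_num() {
  d=${1%% *}; t=${1#* }
  dd=${d%%/*}; rest=${d#*/}; mm=${rest%%/*}; yy=${rest#*/}
  printf '%s%s%s%s' "$yy" "$mm" "$dd" "$(printf '%s' "$t" | tr -d :)"
}

# ticket_valid_for PRINCIPAL "DD/MM/YY HH:MM:SS"   (klist output on stdin)
# Succeeds only if the cache's default principal is PRINCIPAL and its
# krbtgt ticket expires after the given time.
ticket_valid_for() {
  want=$1; now=$2; principal=''; expires=''
  while IFS= read -r line; do
    case $line in
      'Default principal: '*) principal=${line#Default principal: } ;;
      *krbtgt/*)   # fields: valid-from date+time, expiry date+time, service
        set -- $line; expires="$3 $4" ;;
    esac
  done
  [ "$principal" = "$want" ] || return 1
  [ -n "$expires" ] || return 1
  [ "$(to_num "$expires")" -gt "$(to_num "$now")" ]
}

# transfer_role ROLE: refuses to run the transfer without a usable ticket.
# (Assumed wrapper; only define it here, call it on the DC as needed.)
transfer_role() {
  if ! sudo klist -c /tmp/krb5cc_0 | ticket_valid_for \
       'Administrator@SAMDOM.EXAMPLE.COM' "$(date '+%d/%m/%y %H:%M:%S')"; then
    echo "no valid Administrator ticket in /tmp/krb5cc_0; run: sudo kinit Administrator" >&2
    return 1
  fi
  sudo samba-tool fsmo transfer --role="$1" --use-kerberos=required
}

# Constructed klist output in the layout shown in the thread, for offline checks.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
12/01/23 11:14:21    12/01/23 21:14:21    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 13/01/23 11:14:13'
```

Run `printf '%s\n' "$SAMPLE_KLIST" | ticket_valid_for 'Administrator@SAMDOM.EXAMPLE.COM' '12/01/23 20:00:00'` to see the check succeed on the sample; the same call with a time after 21:14:21 fails.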