[Samba] problems with sysvol after fsmo transfer

Rowland Penny rpenny at samba.org
Thu Jan 12 11:25:55 UTC 2023



On 12/01/2023 10:53, Thorsten Marquardt via samba wrote:
> Thank you so far. But unfortunately I could not fix the problems. So I 
> decided to start over again at a situation where all the fsmo roles 
> resides on the old controller.
> 
> Here is a transcript of what I did and the errors reported:
> 
> The initial position
> 
> srv-kb-dc1:~ # samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> InfrastructureMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> RidAllocationMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> PdcEmulationMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> DomainNamingMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> DomainDnsZonesMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> ForestDnsZonesMasterRole owner: CN=NTDS 
> Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
> 
> srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
> Server:         192.168.1.243
> Address:        192.168.1.243#53
> 
> _ldap._tcp.pdc._msdcs.my.local.dom  service = 0 100 389 
> srv-kb-primdc.my.local.dom.
> 
> 
> Attempt no. 1
> 
> srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator

There is obviously a bit of a misunderstanding going on here. If you use 
'-k yes' (which has been replaced by '--use-kerberos=required') there is 
no point in using '-U'; it looks for the logged-in user's ticket.
Here, it is 'root' that is logged in and on a DC, 'Administrator' is 
mapped to 'root', so, provided root has run 'kinit Administrator', there 
should be a ticket in /tmp for 'root' that Administrator can use.

Here is the proof of concept:

Log into the DC that you wish to transfer an FSMO role to and show the 
FSMO owners at present (this list is shortened to just one, the one I 
will transfer):

adminuser at rpidc2:~ $ sudo samba-tool fsmo show
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=RPIDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

Kinit as Administrator (note I am using sudo, but it would be the same 
if done by root)

adminuser at rpidc2:~ $ sudo kinit Administrator
Password for Administrator at SAMDOM.EXAMPLE.COM:

The Administrator's ticket:

adminuser at rpidc2:~ $ sudo klist -c /tmp/krb5cc_0
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/01/23 11:14:21  12/01/23 21:14:21 
krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
	renew until 13/01/23 11:14:13

Now transfer an FSMO role:

adminuser at rpidc2:~ $ sudo samba-tool fsmo transfer --role=domaindns --use-kerberos=required
FSMO transfer of 'domaindns' role successful

Look at who owns the FSMO role now:

adminuser at rpidc2:~ $ sudo samba-tool fsmo show

DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=RPIDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

I hope this helps you understand how to use kerberos with samba-tool a 
little bit better. You only use '-U' if you are going to use a password.

Rowland
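As an added illustration of the point above (this is not code from the mailing-list post or from the Samba project), the following POSIX shell helpers check the ticket cache that samba-tool would consult before a privileged operation such as an FSMO transfer: they locate the cache for the current uid (root's is /tmp/krb5cc_0, as in the thread), read the default principal from `klist` output, confirm a krbtgt entry for the realm is present, and only then choose `--use-kerberos=required`; otherwise they fall back to password authentication with `-U`. The `klist` output embedded below is constructed to mirror the thread's layout, and the function names and the `Administrator@SAMDOM.EXAMPLE.COM` principal are assumptions for the example.

```shell
#!/bin/sh
# Added example: decide whether samba-tool can rely on an existing Kerberos
# ticket (--use-kerberos=required) or must fall back to password auth (-U).
# Constructed klist output, modelled on the thread; in practice capture it
# with: klist -c "$(ticket_cache_path)"
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/01/23 11:14:21  12/01/23 21:14:21  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 13/01/23 11:14:13'

# ticket_cache_path: honour KRB5CCNAME (stripping a FILE: prefix), otherwise
# use the per-uid default that kinit writes, e.g. /tmp/krb5cc_0 for root.
ticket_cache_path() {
    if [ -n "$KRB5CCNAME" ]; then
        printf '%s\n' "${KRB5CCNAME#FILE:}"
    else
        printf '/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# ticket_principal: print the "Default principal" from klist output on stdin.
ticket_principal() {
    sed -n 's/^Default principal: //p'
}

# has_tgt: succeed if klist output on stdin contains a TGT for the given realm.
has_tgt() {
    realm=$1
    grep -qF "krbtgt/$realm@$realm"
}

# samba_tool_auth_args: given klist output on stdin and the expected admin
# principal, print the authentication arguments to pass to samba-tool.
samba_tool_auth_args() {
    expected=$1
    klist_out=$(cat)
    princ=$(printf '%s\n' "$klist_out" | ticket_principal)
    realm=${expected#*@}
    if [ "$princ" = "$expected" ] && printf '%s\n' "$klist_out" | has_tgt "$realm"; then
        # A matching TGT is cached: no -U needed, samba-tool picks it up.
        printf '%s\n' "--use-kerberos=required"
    else
        # No usable ticket: authenticate with a password instead.
        printf '%s\n' "-U ${expected%@*}"
    fi
}

# Stand-alone demonstration on the constructed output:
#   printf '%s\n' "$SAMPLE_KLIST" | samba_tool_auth_args Administrator@SAMDOM.EXAMPLE.COM
```

Run as root (or under sudo) on the DC, `klist -c "$(ticket_cache_path)" | samba_tool_auth_args Administrator@SAMDOM.EXAMPLE.COM` prints the argument to append to `samba-tool fsmo transfer`. The helpers deliberately do not parse the "Expires" column, so an expired but still cached TGT would pass; if that matters, run `kinit Administrator` first, as the post does, and the cache will be fresh.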


