[Samba] problems with sysvol after fsmo transfer

Thorsten Marquardt Marquardt at koehler-bracht.de
Thu Jan 12 12:28:37 UTC 2023


On 12.01.23 at 12:25, Rowland Penny via samba wrote:
>
> On 12/01/2023 10:53, Thorsten Marquardt via samba wrote:
>> Thank you so far. But unfortunately I could not fix the problems. So I
>> decided to start over again at a situation where all the fsmo roles
>> resides on the old controller.
>>
>> Here is a transcript of what I did and the errors reported:
>>
>> The initial position
>>
>> srv-kb-dc1:~ # samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>>
>> srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
>> Server:         192.168.1.243
>> Address:        192.168.1.243#53
>>
>> _ldap._tcp.pdc._msdcs.my.local.dom  service = 0 100 389 srv-kb-primdc.my.local.dom.
>>
>>
>> Attempt no. 1
>>
>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator
> There is obviously a bit of a misunderstanding going on here. If you use
> '-k yes' (which has been replaced by '--use-kerberos=required') there is
> no point in using '-U', it looks for the logged in users ticket.
> Here, it is 'root' that is logged in and on a DC, 'Administrator' is
> mapped to 'root', so, provided root has run 'kinit Administrator', there
> should be a ticket in /tmp for 'root' that Administrator can use.
>
> Here is the proof of concept:
>
> Log into the DC that you wish to transfer an FSMO role to and show the
> FSMO owners at present (this list is shortened to just one, the one I
> will transfer):
>
> adminuser at rpidc2:~ $ sudo samba-tool fsmo show
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=RPIDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> Kinit as Administrator (note I am using sudo, but it would be the same
> if done by root)
>
> adminuser at rpidc2:~ $ sudo kinit Administrator
> Password for Administrator at SAMDOM.EXAMPLE.COM:
>
> The Administrators ticket:
>
> adminuser at rpidc2:~ $ sudo klist -c /tmp/krb5cc_0
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/01/23 11:14:21  12/01/23 21:14:21  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> 	renew until 13/01/23 11:14:13
>
> Now transfer an FSMO role:
>
> adminuser at rpidc2:~ $ sudo samba-tool fsmo transfer --role=domaindns --use-kerberos=required
> FSMO transfer of 'domaindns' role successful
>
> Look at who owns the FSMO role now:
>
> adminuser at rpidc2:~ $ sudo samba-tool fsmo show
>
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=RPIDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> I hope this helps you understand how to use kerberos with samba-tool a
> little bit better. You only use '-U' if you are going to use a password.
>
> Rowland

Okay, back to the start and I try again. This time role by role. Here I 
don't get timeouts (why do they come up with role=all?) and I'm not 
prompted for the password of DOMAIN\root (which happens when transferring the 
*dns roles):

srv-kb-dc1:~ # klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: administrator at MY.LOCAL.DOM

Valid starting       Expires              Service principal
12.01.2023 12:57:56  12.01.2023 22:57:56 krbtgt/MY.LOCAL.DOM at MY.LOCAL.DOM
         renew until 13.01.2023 12:57:54
srv-kb-dc1:~ # samba-tool fsmo transfer --role=rid -k yes
FSMO transfer of 'rid' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=pdc -k yes
FSMO transfer of 'pdc' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=naming -k yes
FSMO transfer of 'naming' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=infrastructure -k yes
FSMO transfer of 'infrastructure' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=schema -k yes
FSMO transfer of 'schema' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=domaindns -k yes
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 520, in run
     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
     except samba.drs_utils.drsException, e:
srv-kb-dc1:~ # samba-tool fsmo transfer --role=domaindns -k yes
This DC already has the 'domaindns' FSMO role
srv-kb-dc1:~ # samba-tool fsmo transfer --role=forestdns -k yes
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 520, in run
     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
     except samba.drs_utils.drsException, e:

srv-kb-dc1:~ # samba-tool fsmo transfer --role=forestdns -k yes
This DC already has the 'forestdns' FSMO role
srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
Server:         192.168.1.243
Address:        192.168.1.243#53

_ldap._tcp.pdc._msdcs.my.local.dom  service = 0 100 389 srv-kb-primdc.my.local.dom.

Now I get only one host as _ldap._tcp.pdc._msdcs.my.local.dom but it's 
the wrong one. It should be srv-kb-dc1.my.local.dom. instead of 
srv-kb-primdc.my.local.dom.
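As an added check for the situation at the end of this message (example code, not from the thread and not part of Samba): a small POSIX shell function that takes the DC named in the PdcEmulationMasterRole line of `samba-tool fsmo show` and compares it with the target of the `_ldap._tcp.pdc._msdcs` SRV record, failing when that record is missing, duplicated, or still points at the old DC as the nslookup above does. The sample `fsmo show` and SRV lines below are constructed (the full DN suffix `DC=my,DC=local,DC=dom` is assumed; samba-tool prints each role on one line); in live use, feed it the output of `samba-tool fsmo show` and `dig +short SRV _ldap._tcp.pdc._msdcs.my.local.dom` as shown in the header comment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Checks that the
# _ldap._tcp.pdc._msdcs SRV record points at the DC that actually holds the
# PdcEmulationMasterRole. Live use (assumed commands, run on a DC):
#   check_pdc_srv "$(samba-tool fsmo show)" \
#                 "$(dig +short SRV _ldap._tcp.pdc._msdcs.my.local.dom)"

# Short, lower-cased name of the DC from the PdcEmulationMasterRole line,
# e.g. "...owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,..." -> srv-kb-dc1
pdc_owner_from_fsmo() {
    printf '%s\n' "$1" | tr -d '\r' \
      | sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' \
      | tr '[:upper:]' '[:lower:]'
}

# Targets from 'dig +short SRV' lines ("prio weight port target."), one per
# line, trailing dot stripped and lower-cased.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF >= 4 { t = $4; sub(/\.$/, "", t); print tolower(t) }'
}

# Returns 0 when exactly one PDC SRV record exists and its host part equals
# the role owner; 1 (with a reason on stdout) for a missing, duplicate or
# stale record.
check_pdc_srv() {
    owner=$(pdc_owner_from_fsmo "$1")
    targets=$(srv_targets "$2")
    count=$(printf '%s\n' "$targets" | awk 'NF { n++ } END { print n + 0 }')
    if [ -z "$owner" ]; then
        echo "no PdcEmulationMasterRole line in fsmo output"; return 1
    fi
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 PDC SRV record, found $count: $targets"; return 1
    fi
    host=${targets%%.*}   # FQDN -> short host name
    if [ "$host" = "$owner" ]; then
        echo "OK: PDC emulator $owner matches SRV target $targets"; return 0
    fi
    echo "MISMATCH: fsmo says $owner, DNS says $targets"; return 1
}

# Constructed sample inputs modelled on the thread's output (the DN suffix
# DC=my,DC=local,DC=dom is assumed). samba-tool prints each role on one line.
FSMO_AFTER='RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local,DC=dom
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local,DC=dom'
SRV_STALE='0 100 389 srv-kb-primdc.my.local.dom.'   # what the nslookup above still shows
SRV_FIXED='0 100 389 srv-kb-dc1.my.local.dom.'      # what it should show after the transfer
SRV_BOTH="$SRV_STALE
$SRV_FIXED"

# Stand-alone demo: the stale record first, then the expected one.
check_pdc_srv "$FSMO_AFTER" "$SRV_STALE" || true
check_pdc_srv "$FSMO_AFTER" "$SRV_FIXED"
```

The comparison is on the short host name only, so it does not care about case or the trailing dot that dig prints, and the record count is checked before the name, since two PDC records (old and new DC both registered) are as wrong as one stale record.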







