[Samba] problems with sysvol after fsmo transfer

Markus Dellermann saml at use.startmail.com
Fri Jan 13 09:53:59 UTC 2023


Hi Thorsten, hi Rowland,
On Thursday, 12 January 2023, 15:57:45 CET, Thorsten Marquardt via samba wrote:
> On 12.01.23 at 14:03, Rowland Penny via samba wrote:
> > On 12/01/2023 12:51, Rowland Penny via samba wrote:
> >> On 12/01/2023 12:28, Thorsten Marquardt via samba wrote:
> >>> srv-kb-dc1:~ # klist
> >>> Ticket cache: DIR::/run/user/0/krb5cc/tkt
> >> 
> >> What OS is this ?
> 
> the old host:
> 
> srv-kb-primdc:~ # cat /etc/os-release
> NAME="openSUSE Leap"
> VERSION="42.3"
> ID=opensuse
> ID_LIKE="suse"
> VERSION_ID="42.3"
> PRETTY_NAME="openSUSE Leap 42.3"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:opensuse:leap:42.3"
> BUG_REPORT_URL="https://bugs.opensuse.org"
> HOME_URL="https://www.opensuse.org/"
> srv-kb-primdc:~ # uname -a
> Linux srv-kb-primdc 4.4.76-1-default #1 SMP Fri Jul 14 08:48:13 UTC 2017
> (9a2885c) x86_64 x86_64 x86_64 GNU/Linux
> srv-kb-primdc:~ # smbd -V
> Version 4.7.4 # (build from sources years ago)
> 
> 
> and the new one:
> 
> srv-kb-dc1:~ # cat /etc/os-release
> NAME="openSUSE Leap"
> VERSION="15.0"
> ID="opensuse-leap"
> ID_LIKE="suse opensuse"
> VERSION_ID="15.0"
> PRETTY_NAME="openSUSE Leap 15.0"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:opensuse:leap:15.0"
> BUG_REPORT_URL="https://bugs.opensuse.org"
> HOME_URL="https://www.opensuse.org/"
> srv-kb-dc1:~ # uname -a
> Linux srv-kb-dc1 4.12.14-lp150.12.82-default #1 SMP Tue Nov 12 16:32:38
> UTC 2019 (c939e24) x86_64 x86_64 x86_64 GNU/Linux
> srv-kb-dc1:~ # smbd -V
> Version 4.7.11-git.186.d75219614c3lp150.3.18.2-SUSE-oS15.0-x86_64
> 
> 
> I know these OSes are really outdated and want to lift them up to the
> current versions. But I fear to make too big leaps with samba. That's why
> I set up the new host with the old release. I was afraid that something
> is breaking my domain if I use the latest openSUSE Leap 15.4 (I don't
> know what samba is packed along with it but it's 4.15.x afair) on the
> new host and have both samba versions mixed in the same domain as domain
> controllers.
> 
> >>> Default principal:administrator at MY.LOCAL.DOM
> >>> 
> >>> Valid starting       Expires              Service principal
> >>> 12.01.2023 12:57:56  12.01.2023 22:57:56krbtgt/MY.LOCAL.DOM at MY.LOCAL.DOM
> >>> 
> >>>           renew until 13.01.2023 12:57:54
> >>> 
> >>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=rid -k yes
> >>> FSMO transfer of 'rid' role successful
> >>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=pdc -k yes
> >>> FSMO transfer of 'pdc' role successful
> >>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=naming -k yes
> >>> FSMO transfer of 'naming' role successful
> >>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=infrastructure -k yes
> >>> FSMO transfer of 'infrastructure' role successful
> >>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=schema -k yes
> >>> FSMO transfer of 'schema' role successful
> >>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=domaindns -k yes
> >>> ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
> >>> 'module' object has no attribute 'drs_utils'
> >> 
> >> That is something different, you appear to be missing a python module
> >> and I haven't seen that for a few years, what version of Samba is this?
> >> 
> >>>     File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> > 
> > And then after my last post I noticed something I missed before.
> > Whatever version of Samba is in use, it is that old it is still using
> > python 2
> > 
> > Okay, find a file called 'fsmo.py' and open it in your favourite editor.
> > Scroll down to the line 'from samba.auth import system_session', beneath
> > that line, add a new line:
> > 
> > import samba.drs_utils
> > 
> > Close and save the file.
> > 
> > Your error should now go away.
> > 
> > Rowland
> 
> Things work very much better now. Transferring the roles step by step (
> --role=[rid|pdc|infrastructure|schema|naming|domaindns|forestdns] )
> works fine. I didn't try to use --role=all --- gebranntes Kind scheut's
> Feuer - as we say in German ;-).
> 
> And finally I got it (hopefully). I stopped the firewall on the new host
> and my problems seem to vanish....
> I will stop samba on the old host tomorrow and see whether problems pop
> up. If not, I'll demote the old host and upgrade the new one step by
> step. Or are there objections?
> 
> Thank you very much for all your efforts.

Just one hint from me:
openSUSE Samba packages are normally MIT Kerberos based.
For DCs it could be better to use the Heimdal-based ones.

There are some convenient repos on the openSUSE Build Server.

Markus





