[Samba] LDAP error 53 LDAP_UNWILLING_TO_PERFORM

Epsilon Minus theepsilonminus at gmail.com
Tue Jan 21 23:31:11 UTC 2025


Hi everyone!

I hope this message finds you well. I am reaching out to seek
assistance regarding an issue I am experiencing while transferring
domain roles in my Samba setup.

In a previous email thread that I no longer have access to, I
encountered a similar problem, which I would like to reference: Samba
Mailing List Archive.

Currently, I am attempting to transfer the 'forestdns' role using the
following command:


root@dc02:~# samba-tool fsmo transfer --role=forestdns -UAdministrator

However, I am receiving the following error:

ERROR: Failed to add role 'forestdns': LDAP error 53
LDAP_UNWILLING_TO_PERFORM -  <000020AE: SvcErr: DSID-031535B9, problem
5003 (WILL_NOT_PERFORM), data 0

I have inherited an old Active Directory server running Windows Server
2012, which I am in the process of migrating to Samba. The domain I am
working with ends in .local, which I understand does not comply with
RFC standards for domain names.

I suspect that the error I am encountering may be related to the
domain name. I have thoroughly checked the server configuration and
have not found any other reasons for this issue.

Do you believe that the problem could be associated with the domain
name? Is there a possibility that Samba has introduced new validations
that were not present in previous versions?

For your reference, here are some details about my setup:


root@dc02:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.1 LTS
Release:        24.04
Codename:       noble

root@dc02:~# smbd --version
Version 4.19.5-Ubuntu

root@dc02:~# cat /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = DC02
        realm = Example.LOCAL
        server role = active directory domain controller
        workgroup = Example
        dns forwarder = 1.1.1.3
        idmap_ldb:use rfc2307  = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/example.local/scripts
        read only = No


If the domain name is indeed the issue, what options do you recommend
for changing the domain name? I hope the problem is not related to the
domain itself and that I might be overlooking something else.

I appreciate any insights or guidance you can provide regarding this
matter. Thank you for your time and assistance.

Best regards,


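Added example (not part of the message above, and not code from the Samba project): a pre-flight script a practitioner might run on the target DC before attempting `samba-tool fsmo transfer --role=forestdns`. It records who currently owns the ForestDnsZones role and whether the local DC lists `DC=ForestDnsZones,<realm>` among its writable naming contexts (`msDS-hasMasterNCs` on its own NTDS Settings object, found via the rootDSE attribute `dsServiceName`). The output format of `samba-tool fsmo show` ("<Role>MasterRole owner: <DN>"), the `sam.ldb` path, and the sample DC names and realm DN are assumptions taken from the post or chosen for illustration; the script does not claim to explain the LDAP error 53 reported above.

```shell
#!/bin/sh
# Pre-flight checks before 'samba-tool fsmo transfer --role=forestdns'.
# Added example: not code from the original post or from the Samba project.
# Assumptions (not confirmed by the post): 'samba-tool fsmo show' prints
# "<Role>MasterRole owner: <NTDS Settings DN>" lines; the local AD database
# is /var/lib/samba/private/sam.ldb; DC names and the realm DN come from
# the post. Nothing here claims to explain the reported error.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
REALM_DN="${REALM_DN:-DC=example,DC=local}"

# fsmo_owner ROLE   (reads 'samba-tool fsmo show' output on stdin)
# Prints the short hostname of the DC whose NTDS Settings object owns
# <ROLE>MasterRole, e.g. "DC01"; prints nothing if the role is not listed.
fsmo_owner() {
    sed -n "s/^$1MasterRole owner: //p" |
        sed -n 's/^CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# hosts_nc NC_DN   (reads LDIF of the local NTDS Settings object on stdin)
# Succeeds if msDS-hasMasterNCs lists NC_DN, i.e. this DC holds a writable
# replica of that naming context. DN comparison is case-insensitive.
hosts_nc() {
    grep -qixF "msDS-hasMasterNCs: $1"
}

# Constructed sample data so the parsing can be exercised without a DC.
SAMPLE_FSMO_SHOW='SchemaMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local'
SAMPLE_NTDS_LDIF='dn: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
msDS-hasMasterNCs: DC=example,DC=local
msDS-hasMasterNCs: CN=Configuration,DC=example,DC=local'

# Live run against the local DC (needs samba-tool, ldbsearch and root).
preflight() {
    owner=$(samba-tool fsmo show | fsmo_owner ForestDnsZones)
    echo "ForestDnsZones role owner: ${owner:-<not listed>}"
    # rootDSE dsServiceName is this DC's own NTDS Settings DN.
    ntds_dn=$(ldbsearch -H "$SAM_LDB" -s base -b '' dsServiceName |
        sed -n 's/^dsServiceName: //p')
    nc="DC=ForestDnsZones,$REALM_DN"
    if ldbsearch -H "$SAM_LDB" -s base -b "$ntds_dn" msDS-hasMasterNCs |
        hosts_nc "$nc"; then
        echo "this DC holds a writable replica of $nc"
    else
        echo "WARNING: this DC does not list $nc in msDS-hasMasterNCs"
    fi
}

if command -v samba-tool >/dev/null 2>&1 && [ -r "$SAM_LDB" ]; then
    preflight
else
    # Dry run on the constructed sample: the role owner is DC01, and the
    # sample DC02 does not host the ForestDnsZones partition.
    printf '%s\n' "$SAMPLE_FSMO_SHOW" | fsmo_owner ForestDnsZones
    printf '%s\n' "$SAMPLE_NTDS_LDIF" | hosts_nc "DC=ForestDnsZones,$REALM_DN" ||
        echo "sample DC02 does not host DC=ForestDnsZones,$REALM_DN"
fi
```

Run it as root on the DC that is meant to receive the role; the two functions are also usable on their own against saved `samba-tool fsmo show` / `ldbsearch` output when comparing several DCs.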
