redundant DNS setup with bind_dlz possible ?

Daniele Dario d.dario76 at gmail.com
Fri Apr 13 06:22:05 MDT 2012


Hi Andreas,

On Fri, 2012-04-13 at 14:07 +0200, Daniele Dario wrote:
> Hi Andreas,
> 
> On Fri, 2012-04-13 at 12:34 +0200, Andreas Oster wrote:
> > Am 13.04.2012 08:58, schrieb Daniele Dario:
> > > Hi Andreas and Amitay,
> > > 
> > > On Fri, 2012-04-13 at 08:09 +0200, Andreas Oster wrote:
> > >> Am 13.04.2012 03:08, schrieb Amitay Isaacs:
> > >>> On Fri, Apr 13, 2012 at 3:43 AM, Andreas Oster <aoster at novanetwork.de> wrote:
> > >>>>
> ...
> > > 
> > Hello Daniele,
> > 
> > as you might have seen in my last post I have run into the same demoting
> > issue. Did you manage to demote your server in the meanwhile ?
> > 
> > best regards
> > 
> > Andreas
> > 
> 
> I made a little change in
> samba/lib//python2.7/site-packages/samba/netcmd/domain.py to show how
> many roles are locking the demote operation (and which ones). My python
> knowledge is not so deep, but the changes are on line 250, like:
>         if len(res) != 0:
> -            raise CommandError("Current DC is still the owner of %d
> role(s), use the role command to transfer roles to another DC"
> +           for foundRole in res:
>                 print foundRole.dn
>             raise CommandError("Current DC is still the owner of %d
> role(s), use the role command to transfer roles to another DC" %
> len(res))
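Review bot: as pasted, this hunk would not apply and, if applied by hand, would not do what is intended: the `print foundRole.dn` line is new but carries no leading `+`, and the added `for foundRole in res:` is indented one column less than the `print` that is meant to be its body, so the loop either has no body or Python rejects the indentation. Mark both lines as added and keep the same four-space step as the enclosing `if`, e.g. `+            for foundRole in res:` followed by `+                print foundRole.dn`. The long `raise CommandError("...")` string is also wrapped across lines by the mail client, so the `-` line no longer matches the file; send the change as a `git format-patch` attachment so the diff survives intact.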
> 
> And it seems that the secondary DC is the owner of the DNS zones replication
> 
> [root at kdc02:~/samba4/samba-master]# samba-tool domain demote -U administrator
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
> CN=Infrastructure,DC=ForestDnsZones,DC=saitelitalia,DC=local
> ERROR: Current DC is still the owner of 2 role(s), use the role command
> to transfer roles to another DC
> 
> If instead of print foundRole.dn you use just foundRole it shows a very
> long message where you can find more things like
> 
> 'fSMORoleOwner': MessageElement(['CN=NTDS
> Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local'])
> 
> At this point I think there is something wrong because samba-tool fsmo
> show doesn't show these two roles at all.
> 
> Maybe we can just try to delete them using ldbdel ...?
> 
> Daniele.
> 

Just a step forward: in my case, ldbsearch tells me something strange.

[root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
...
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
instanceType: 4
whenCreated: 20111222201013.0Z
uSNCreated: 3624
showInAdvancedViewOnly: TRUE
name: Infrastructure
objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
systemFlags: -1946157056
objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
isCriticalSystemObject: TRUE
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
whenChanged: 20111222201017.0Z
uSNChanged: 3633
distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local

# returned 1 records
# 1 entries
# 0 referrals

[root at kdc02:~/samba4/samba-master]# ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=Infrastructure)"
...
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectClass: top
objectClass: infrastructureUpdate
cn: Infrastructure
instanceType: 4
whenCreated: 20120412142746.0Z
uSNCreated: 3700
showInAdvancedViewOnly: TRUE
name: Infrastructure
objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
systemFlags: -1946157056
objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
isCriticalSystemObject: TRUE
fSMORoleOwner: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local
whenChanged: 20120412142749.0Z
uSNChanged: 3709
distinguishedName: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local

# returned 1 records
# 1 entries
# 0 referrals

As you can see, both DCs are saying that they are owners of the role.

I'll try to delete the entries and see what happens :-P

Daniele
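The check the thread is doing by hand, as an added example that is not code from this thread or from Samba: a small Python script that takes the LDIF printed by ldbsearch on each DC, unfolds the continuation lines, and reports (a) role-holder objects on which the DCs disagree about fSMORoleOwner, (b) the roles a given DC's own replica says it still holds, which is the condition a demote refuses on, and (c) objects that carry the same DN but a different objectGUID on the two DCs. The sample input is constructed from the two records pasted above (the objectGUIDs there really do differ); the DC labels, the function names and the base64 handling are my own assumptions, not anything Samba provides.

```python
import base64
from collections import defaultdict

ROLE_DN = "CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local"

# Constructed sample input: the DomainDnsZones Infrastructure object as each DC
# reported it in the thread (values copied from those records, long values
# folded onto continuation lines as LDIF allows). The DC labels are ours.
LDIF_BY_DC = {
    "KDC01": """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectGUID: a81bd71a-fa5e-4eec-87a5-c05bba4e332f
fSMORoleOwner: CN=NTDS Settings,CN=KDC01,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local

# returned 1 records
""",
    "KDC02": """\
# record 1
dn: CN=Infrastructure,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectGUID: ee2a9817-32b3-410c-ac27-f97e71274a85
fSMORoleOwner: CN=NTDS Settings,CN=KDC02,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=saitelitalia,DC=local

# returned 1 records
""",
}

def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of {attribute: [values]} dicts."""
    # Join RFC 2849 continuation lines (leading space) onto the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):          # ldbsearch comments / record counters
            continue
        if not line.strip():              # a blank line ends a record
            if current is not None:
                records.append(dict(current))
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    return records

def owner_server(ntds_settings_dn):
    """Server name from a 'CN=NTDS Settings,CN=<server>,CN=Servers,...' DN."""
    rdns = ntds_settings_dn.split(",")    # adequate here: no escaped commas in these DNs
    if len(rdns) < 2 or rdns[0].strip().upper() != "CN=NTDS SETTINGS":
        raise ValueError("not an NTDS Settings DN: %r" % ntds_settings_dn)
    return rdns[1].split("=", 1)[1].strip()

def attribute_by_dc(ldif_by_dc, attribute):
    """Object DN -> {dc: first value of attribute}, as each DC's replica has it."""
    seen = defaultdict(dict)
    for dc, text in ldif_by_dc.items():
        for rec in parse_ldif(text):
            if "dn" in rec and attribute in rec:
                seen[rec["dn"][0]][dc] = rec[attribute][0]
    return dict(seen)

def find_conflicts(claims):
    """Role DNs on which the DCs name different owners: the replicas diverged."""
    return {dn: owners for dn, owners in claims.items()
            if len({owner_server(o).upper() for o in owners.values()}) > 1}

def roles_held_by(claims, server):
    """Role DNs whose owner, in that server's own replica, is the server itself."""
    # Mirrors a demote check that searches the local sam.ldb for its own NTDS DN.
    server = server.upper()
    return sorted(dn for dn, owners in claims.items()
                  for dc, owner in owners.items()
                  if dc.upper() == server and owner_server(owner).upper() == server)

def find_guid_mismatches(ldif_by_dc):
    """Same DN but a different objectGUID on different DCs."""
    # objectGUID is the identity replication keys on: distinct GUIDs under one DN
    # are separately created objects, so a fix on one side cannot replicate over.
    guids = attribute_by_dc(ldif_by_dc, "objectGUID")
    return {dn: g for dn, g in guids.items() if len(set(g.values())) > 1}

if __name__ == "__main__":
    claims = attribute_by_dc(LDIF_BY_DC, "fSMORoleOwner")
    print("owner conflicts:", find_conflicts(claims))
    print("objectGUID mismatches:", find_guid_mismatches(LDIF_BY_DC))
    print("KDC02's replica says it still holds:", roles_held_by(claims, "KDC02"))
```

To use it against real DCs, run the ldbsearch command from the post on each DC (or point `-H` at an `ldap://` URL for the remote one) and put each DC's output into the dictionary under that DC's name. On the records above it reports one owner conflict and one objectGUID mismatch for the DomainDnsZones Infrastructure object, and lists that object as a role KDC02 still holds, which is exactly what makes the demote refuse. A DN that shows up only in the mismatch list cannot be repaired by editing fSMORoleOwner, because the two DCs are not talking about the same object.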
