FSMO fails to transfer

Pavel Herrmann morpheus.ibis at gmail.com
Mon Sep 23 02:08:28 CEST 2013


Hello Marc

On Sunday 22 of September 2013 19:12:51 Marc Muehlfeld wrote:
> Hello Pavel,
> 
> Am 22.09.2013 16:51, schrieb Pavel Herrmann:
> > Is this expected? wiki page says FSMO transfer is somewhat broken, but the
> > linked bug seems to be fixed in 4.0.9
> > Is this possibly caused by the alpha build in the original DC? would
> > upgrading it first help?
> 
> I don't have an answer to your question. But maybe the following
> information will help you a bit.
> 
> 
> The patch from Bug 4961 is *not* included in an official version yet!

OK, now I see - there are 2 patches in the bug, one of them is already applied 
in 4.0.9 (id 8484), the other one fixes a false error in seize when transfer 
worked (id 8874)

> I tried to seize the roles on my test environment. Both DC run 4.0.9. It
> says the role transfer was successful, but all transfers show an error:

OK, I have upgraded my alpha17 DC to 4.0.9, ran dbcheck (found a ton of GUID 
and nTSecurityDescriptor related errors), and tried again. The results are:

# samba-tool fsmo transfer --role=all
ERROR: Failed to initiate transfer of 'rid' role: Failed FSMO transfer: WERR_BADFILE

# samba-tool fsmo seize --role=all
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO transfer of 'rid' role successful
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO transfer of 'pdc' role successful
Attempting transfer...
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_BADFILE
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 156, in run
    self.seize_role("naming", samdb, force)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 126, in seize_role
    transfer_role(self.outf, role, samdb)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 53, in transfer_role
    samdb.modify(m)

# samba-tool fsmo seize --role=schema
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO transfer of 'schema' role successful

# samba-tool fsmo seize --role=naming -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb: ldb_trace_request: SEARCH
 dn: @MODULES
 scope: base
 expr: (@LIST=*)
 attr: @LIST
 control: <NONE>

ldb: ldb_trace_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x23c1b00

ldb: Added timed event "ltdb_timeout": 0x23c1bc0

ldb: Running timer event 0x23c1b00 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: @MODULES
@LIST: samba_secrets



ldb: Destroying timer event 0x23c1bc0 "ltdb_timeout"

ldb: Ending timer event 0x23c1b00 "ltdb_callback"

ldb: ldb_trace_request: REGISTER_CONTROL
1.2.840.113556.1.4.1413
 control: <NONE>

ldb: ldb_asprintf/set_errstring: unable to find module or backend to handle operation: request
ldb: ldb_trace_request: SEARCH
 dn: <rootDSE>
 scope: base
 expr: (objectClass=*)
 attr: rootDomainNamingContext
 attr: configurationNamingContext
 attr: schemaNamingContext
 attr: defaultNamingContext
 control: <NONE>

ldb: ldb_trace_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x23c3190

ldb: Added timed event "ltdb_timeout": 0x23a4c00

ldb: Running timer event 0x23c3190 "ltdb_callback"

ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb: Destroying timer event 0x23a4c00 "ltdb_timeout"

ldb: Ending timer event 0x23c3190 "ltdb_callback"

ldb_wrap open of secrets.ldb
ldb: ldb_trace_request: SEARCH
 dn: cn=Primary Domains
 scope: sub
 expr: (&(flatname=DOMAIN)(objectclass=primaryDomain))
 attr: <ALL>
 control: <NONE>

ldb: ldb_trace_request: (rdn_name)->search
ldb: ldb_trace_next_request: (tdb)->search
ldb: Added timed event "ltdb_callback": 0x23c3b10

ldb: Added timed event "ltdb_timeout": 0x23c3bd0

ldb: Running timer event 0x23c3b10 "ltdb_callback"

ldb: ldb_trace_response: ENTRY
dn: flatname=DOMAIN,cn=Primary Domains
msDS-KeyVersionNumber: 1
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-<some SID>
privateKeytab: secrets.keytab
realm: cag.cz
saltPrincipal: host/dc1.domain.dom at DOMAIN.DOM
samAccountName: DC1$
secret: <password maybe>
secureChannelType: 6
servicePrincipalName: HOST/dc1
servicePrincipalName: HOST/dc1.domain.dom
objectGUID: <some GUID>
whenCreated: 20130922232156.0Z
whenChanged: 20130922232156.0Z
uSNCreated: 7
uSNChanged: 7
name: DOMAIN
flatname: DOMAIN
distinguishedName: flatname=DOMAIN,cn=Primary Domains



ldb: Destroying timer event 0x23c3bd0 "ltdb_timeout"

ldb: Ending timer event 0x23c3b10 "ltdb_callback"

Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]
Attempting transfer...
imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.1938.677995432
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_BADFILE
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 160, in run
    self.seize_role(role, samdb, force)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 126, in seize_role
    transfer_role(self.outf, role, samdb)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 53, in transfer_role
    samdb.modify(m)


> But a question from me, too: What does the message
> 
>  > FSMO seize was not required, as transfer of '...' role
>  > was successful"
> 
> mean? First the transfer was started and a "successful" message is
> shown. Then it says, that FSMO seize is not required. But this was what
> I did, by the command I've started. What does this mean?

Well, FSMOs should not be seized, if in any way possible (it's there for cases 
where the origin DC has been destroyed/erased). So the tool tries to do 
transfer (when the origin DC is willingly giving up the role) first, but if the 
transfer works the seize function misinterprets it as a failure.

regards
Pavel Herrmann
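
An added example, not part of the original message and not Samba code: a small Python parser that reads `samba-tool fsmo seize` output in the format quoted above and reports, per role, whether it was handed over by transfer, taken by seize, or failed. The function name `summarize` and the sample text are assumptions built from the output shown in this thread.

```python
import re

# Constructed sample: the `samba-tool fsmo seize --role=all` output quoted in
# the message above, with the traceback cut down to the line naming the role.
SAMPLE = """\
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO transfer of 'rid' role successful
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO transfer of 'pdc' role successful
Attempting transfer...
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_BADFILE
    self.seize_role("naming", samdb, force)
"""

OK_RE = re.compile(r"FSMO transfer of '(\w+)' role successful")
ERR_RE = re.compile(r"ERROR.*Failed FSMO transfer: (WERR_\w+)")
# Only matches when the traceback shows the role as a string literal.
ROLE_RE = re.compile(r"""seize_role\(["'](\w+)["']""")


def summarize(output):
    """Return a list of (role, outcome, error) tuples, one per attempt.

    outcome is 'transferred', 'seized' or 'failed'. The tool prints
    "transfer ... successful" even after falling back to a seize, so the
    preceding "seizing..." line is what tells the two apart.
    """
    results, seizing, pending = [], False, None
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("Attempting transfer"):
            if pending:  # an earlier error never named its role
                results.append(("unknown", "failed", pending))
            seizing, pending = False, None
        elif line.startswith("Transfer unsuccessful, seizing"):
            seizing = True
        elif (m := OK_RE.search(line)):
            results.append((m.group(1), "seized" if seizing else "transferred", None))
        elif (m := ERR_RE.search(line)):
            pending = m.group(1)
        elif pending and (m := ROLE_RE.search(line)):
            results.append((m.group(1), "failed", pending))
            pending = None
    if pending:
        results.append(("unknown", "failed", pending))
    return results
```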



