
Re: [Samba] Error while transferring fsmo-roles


I faced the same problem, solved it by adding the line
import samba.drs_utils
to the file fsmo.py.

When building samba yourself, from within the base directory you can apply this patch file to do it for you:

--- python/samba/netcmd/fsmo.py.old     2016-12-05 08:18:44.000000000 +0000
+++ python/samba/netcmd/fsmo.py 2017-03-11 10:27:31.453884091 +0000
@@ -20,6 +20,7 @@
 import samba
 import samba.getopt as options
 import ldb
+import samba.drs_utils
 from ldb import LdbError
 from samba.dcerpc import drsuapi, misc
 from samba.auth import system_session
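
Review bot: the added `import samba.drs_utils` lands between `import ldb` and `from ldb import LdbError`, which splits the two ldb imports; moving it directly after `import samba.getopt as options` would keep the samba imports grouped together. The header paths (`python/samba/netcmd/fsmo.py.old` and `python/samba/netcmd/fsmo.py`) are relative to the source tree root, so the patch is meant to be applied there with strip level 0 (`patch -p0`), which is worth stating next to the patch.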


On 04.08.2017 21:20, gizmo via samba wrote:
I transferred all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC (4.6.6-SerNet, SLES 12 SP2).
I had to try a couple of times because of an error "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT".
But then the following error happened:

   samba-tool fsmo transfer --role=all

   This DC already has the 'rid' FSMO role
   This DC already has the 'pdc' FSMO role
   This DC already has the 'naming' FSMO role
   This DC already has the 'infrastructure' FSMO role
   FSMO transfer of 'schema' role successful
   ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
   CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write property access

OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials:

   samba-tool fsmo transfer --role=all -Uadministrator

   ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
     File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
       return self.run(*args, **kwargs)
     File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 515, in run
       "domaindns", samdb)
     File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
       except samba.drs_utils.drsException, e

The same error occurred with the role "forestdns".
In spite of the errors the roles were transferred.

Can I ignore this error, or did something go wrong?
"samba-tool fsmo show" says the owner of all roles is the new DC.

Also with the following check for all roles everything is ok.
ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=domain,DC=university,DC=de" -s base fsmoroleowner

The only thing I saw - there is a DNS entry "Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp".
Sounds like an entry for the PDC, and there is still the DC which owned the roles.
Do I have to change this manually?

In a next step I will demote (and reinstall) the DC which owned the roles, maybe this solves any inconsistencies, in case there are some.

