
Re: [Samba] Magically disappearing errors during FSMO transfer




On Thu, 5 Oct 2017 14:14:56 -0500 (CDT)
Mike Ray via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Recently tried transferring roles from Samba 4.3.11 to Samba 4.7.0.
> Ultimately, both dcs agreed that the 4.7.0 dc (dc3) had all the roles
> and replication and the databases were in good shape. However, during
> the process, I got a lot of errors that seemed to magically
> disappear. 
> 
> Should I be worried?
> 
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo s^C
> root@dc3:~# samba-tool fsmo transfer --role all
> FSMO transfer of 'rid' role successful
> ERROR: Transfer of 'pdc' role failed: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role all
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> FSMO transfer of 'naming' role successful
> ERROR: Transfer of 'infrastructure' role failed: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role all
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> FSMO transfer of 'schema' role successful
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access> <>
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role all
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access> <>
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 515, in run
>     "domaindns", samdb)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
> This DC already has the 'rid' FSMO role
> This DC already has the 'pdc' FSMO role
> This DC already has the 'naming' FSMO role
> This DC already has the 'infrastructure' FSMO role
> This DC already has the 'schema' FSMO role
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role domaindns
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access> <>
> root@dc3:~# samba-tool fsmo transfer --role domaindns -UAdministrator
> This DC already has the 'domaindns' FSMO role
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role forestdns
> ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com has no write property access> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 520, in run
>     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE -  <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> This DC already has the 'forestdns' FSMO role
> root@dc3:~# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
> 
> Thanks,
> 
> Mike Ray
> 

The problem is that you need to authenticate to transfer the domaindns
and forestdns FSMO roles; this means you also need to authenticate if
you transfer 'all' the FSMO roles.

If 'samba-tool fsmo show' is now displaying the correct owners and
everything is working correctly, you are probably going to be okay.

I will look into refusing to do anything if 'all' or 'domaindns' or
'forestdns' roles are selected without using authentication.

Rowland
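
An added example, not part of the original thread and not samba-tool's own code: a pre-flight check that refuses the three role selections named in the reply when no credentials are supplied, plus a post-transfer check that parses `samba-tool fsmo show` output (even when re-wrapped as in the mail above) and lists any role not yet on the target DC. The function names, the seven-role count taken from the output above, and the sample text are assumptions made for illustration.

```python
import re

# Roles that, per the reply above, need explicit credentials (-U) to transfer.
AUTH_REQUIRED_ROLES = {"all", "domaindns", "forestdns"}
OWNER_RE = re.compile(r"(\w+MasterRole)\s+owner:\s*CN=NTDS\s+Settings,CN=([^,]+),")


def preflight(role, have_credentials):
    """Return a refusal message if the transfer should not be attempted, else None."""
    if role.lower() in AUTH_REQUIRED_ROLES and not have_credentials:
        return "role '%s' needs authentication; re-run with -U" % role
    return None


def parse_fsmo_show(text):
    """Map each role to the DC owning it (the CN after 'CN=NTDS Settings').

    Whitespace is collapsed first, so output re-wrapped by a mail client
    or terminal parses the same as pristine output.
    """
    flat = " ".join(text.split())
    return {m.group(1): m.group(2) for m in OWNER_RE.finditer(flat)}


def roles_not_on(owners, expected_dc, expected_count=7):
    """List roles not held by expected_dc; raise if any role line is missing."""
    if len(owners) != expected_count:
        raise ValueError("expected %d roles, parsed %d" % (expected_count, len(owners)))
    return sorted(r for r, dc in owners.items() if dc.upper() != expected_dc.upper())


# Constructed sample: the mid-transfer state seen in the thread, wrapped as in the mail.
_DN = ("CN=NTDS\nSettings,CN=%s,CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=example,DC=com\n")
SAMPLE = "".join(
    "%sMasterRole owner: " % role + _DN % dc
    for role, dc in [("Schema", "DC3"), ("Infrastructure", "DC3"),
                     ("RidAllocation", "DC3"), ("PdcEmulation", "DC3"),
                     ("DomainNaming", "DC3"), ("DomainDnsZones", "DC0"),
                     ("ForestDnsZones", "DC0")]
)

if __name__ == "__main__":
    print(preflight("all", have_credentials=False))
    print(roles_not_on(parse_fsmo_show(SAMPLE), "DC3"))
```
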
