Bug 10734 - Transfering roles to other DC on the domain is succesfully, but demoting the previous owner of the roles fails
Transfering roles to other DC on the domain is succesfully, but demoting the ...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.1.9
x64 Linux
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on: 11882
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-22 17:57 UTC by Fernando
Modified: 2016-07-30 02:06 UTC (History)
15 users (show)

See Also:


Attachments
Patch for v4-2-test (20.63 KB, patch)
2015-08-06 10:57 UTC, Stefan Metzmacher
metze: review? (abartlet)
metze: review? (jelmer)
Details
Patch for v4-1-test (20.63 KB, patch)
2015-08-06 10:58 UTC, Stefan Metzmacher
metze: review? (abartlet)
metze: review? (jelmer)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Fernando 2014-07-22 17:57:28 UTC
Three DC on domain: HOORN (owner of the roles), VOLENDAM, TILBURG

HOORN stoped making replication to VOLENDAM/TILBURG:

root@hoorn:/home/newhang# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to
hoorn.solid-optics.local failed - drsException: DRS connection to
hoorn.solid-optics.local failed: (-1073741643, 'NT_STATUS_IO_TIMEOUT')
   File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line
39, in drsuapi_connect
     (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) =
drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
   File
"/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line
54, in drsuapi_connect
     raise drsException("DRS connection to %s failed: %s" % (server, e))
root@hoorn:/home/newhang# 


executed command: samba-tool fsmo transfer --role=all -U administrator --realm=solid-optics.local.

All roles were transfered succesfully.

HOORN output (previous owner of the roles)
root@hoorn:/home/newhang# samba-tool fsmo show
> InfrastructureMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
>
> PdcEmulationMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

> DomainNamingMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

> SchemaMasterRole owner: CN=NTDS
> Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local 

Output on VOLENDAM/TILBURG is the same. Same information appears on windows GUI AD management tool


After trying demote of HOORN:
> root@hoorn:/home/newhang# samba-tool domain demote
> ERROR: Current DC is still the owner of 2 role(s), use the role command
> to transfer roles to another DC
> root@hoorn:/home/newhang# 

the command samba-tool drs showrepl shows that replication is ok between ALL DC:
Volendam:
root@volendam:/home/newhang# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

root@volendam:/home/newhang# samba-tool drs showrepl
Default-First-Site-Name\VOLENDAM
DSA Options: 0x00000001
DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
DSA invocationId: 5a66b068-ae8b-4f7b-8a6a-aa9aeb33ab2e

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ Sat Jul 19 12:25:49 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:49 2014 CEST

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:25:50 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:50 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ Sat Jul 19 12:25:50 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:50 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:25:51 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:51 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ Sat Jul 19 12:25:47 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:47 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:25:48 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:48 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ Sat Jul 19 12:25:48 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:48 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:25:49 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:49 2014 CEST

DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ Sat Jul 19 12:25:52 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:52 2014 CEST

DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:25:52 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:25:52 2014 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:24:23 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:24:23 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Fri Jul 18 17:18:06 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Fri Jul 18 17:18:06 2014 CEST

DC=solid-optics,DC=local
        Default-First-Site-Name\TILBURG via RPC
                DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 01ddbc6d-9eb3-43cd-9cf3-b77e279c1305
        Enabled        : TRUE
        Server DNS name : TILBURG.solid-optics.local
        Server DN name  : CN=NTDS Settings,CN=TILBURG,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: 3addea62-2b75-4f83-a56b-b3407db5ea27
        Enabled        : TRUE
        Server DNS name : HOORN.solid-optics.local
        Server DN name  : CN=NTDS Settings,CN=HOORN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
root@volendam:/home/newhang#




TILBURG
root@tilburg:/home/newhang# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
SchemaMasterRole owner: CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local

root@tilburg:/home/newhang# samba-tool drs showrepl
Default-First-Site-Name\TILBURG
DSA Options: 0x00000001
DSA object GUID: 0799ccb2-20c6-4f32-999c-ddb7a48a0ed6
DSA invocationId: d3b37458-35cf-4719-aed1-000335ccf439

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ Sat Jul 19 12:26:31 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:31 2014 CEST

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:26:32 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:32 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ Sat Jul 19 12:26:32 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:32 2014 CEST

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:26:33 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:33 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ Sat Jul 19 12:26:30 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:30 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:26:30 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:30 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ Sat Jul 19 12:26:30 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:30 2014 CEST

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:26:31 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:31 2014 CEST

DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ Sat Jul 19 12:26:33 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:33 2014 CEST

DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:26:34 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:26:34 2014 CEST

==== OUTBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Sat Jul 19 12:24:23 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Sat Jul 19 12:24:23 2014 CEST

DC=DomainDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=solid-optics,DC=local
        Default-First-Site-Name\HOORN via RPC
                DSA object GUID: b8bbec55-2f48-47b5-b606-d22e318b7c1f
                Last attempt @ Fri Jul 18 17:18:06 2014 CEST was successful
                0 consecutive failure(s).
                Last success @ Fri Jul 18 17:18:06 2014 CEST

DC=solid-optics,DC=local
        Default-First-Site-Name\VOLENDAM via RPC
                DSA object GUID: cb1b21b6-e525-426d-a277-c86110644b38
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 6d55f4b5-22e0-420b-a27f-e313a423079c
        Enabled        : TRUE
        Server DNS name : VOLENDAM.solid-optics.local
        Server DN name  : CN=NTDS Settings,CN=VOLENDAM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
        Connection name: 73f3d261-4ed7-4a3f-9822-47ec62d0c159
        Enabled        : TRUE
        Server DNS name : HOORN.solid-optics.local
        Server DN name  : CN=NTDS Settings,CN=HOORN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=solid-optics,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!
root@tilburg:/home/newhang# 


But same command on failed DC shows:
root@hoorn:/home/newhang# samba-tool drs showrepl
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to hoorn.solid-optics.local failed - drsException: DRS connection to hoorn.solid-optics.local failed: (-1073741643, 'NT_STATUS_IO_TIMEOUT')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line 39, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@hoorn:/home/newhang# 


Fernando
Comment 1 Fernando 2014-07-22 17:58:58 UTC
If more information is needed in order to reproduce the problem, please contact me.

Thank you
Comment 2 Michael Adam 2014-08-20 06:53:43 UTC
I just stumbled over this a few days ago myself.
A look at the code shows that there are in fact
2 additional roles that "samba-tool fsmo" is not
aware of. These roles are neither displayed nor
transferred but samba-tool domain demote's filter
finds them.

More details to follow...

Michael
Comment 3 Stefan Metzmacher 2014-08-25 17:34:27 UTC
(In reply to comment #2)
> I just stumbled over this a few days ago myself.
> A look at the code shows that there are in fact
> 2 additional roles that "samba-tool fsmo" is not
> aware of. These roles are neither displayed nor
> transferred but samba-tool domain demote's filter
> finds them.
> 
> More details to follow...

CN=Infrastructure,DC=ForestDnsZones,DC=...
CN=Infrastructure,DC=DomainDnsZones,DC=...
Comment 4 David Mansfield 2014-10-15 14:30:35 UTC
This email seems to indicate 4.0 is/was affected as well:

https://lists.samba.org/archive/samba/2013-March/172078.html

Can someone confirm/deny if 4.0 series is affected?
Comment 5 Alex 2014-10-22 18:07:57 UTC
I have Ubuntu 10.10 with samba 4.0.0(db1) as DC(test.loc) and I installed a new DC on samba4.1.11.
I successfully added new samba as a new DC  to old DC. 
and now !!!!before transferring roles I try to demote old server:

root@db1:~# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
SchemaMasterRole owner: CN=NTDS Settings,CN=DB1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc

root@db1:~# samba-tool domain demote
ERROR: Current DC is still the owner of 7 role(s), use the role command to transfer roles to another DC

As you can see there are 7 roles on old DC.
And even all 5 FSMO roles transfer successfully - remain 2 undiscovered roles. and finally they prevent demoting old DC.
Comment 6 Mārtiņš 2014-11-21 14:50:02 UTC
Also hit this bug.

user@DC1 sudo samba-tool domain demote
ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC

samba-tool fsmo show on both servers displays only 5 roles that belong to the DC2.


Is there a workaround yet?
Can I remove the DC1 server disregarding the warning or will it break domain functionality?
Comment 7 Marc Muehlfeld 2014-11-24 19:03:28 UTC
(In reply to Mārtiņš from comment #6)
> Is there a workaround yet?

Only to edit the AD manually (not recommended, until you're absolutely sure, what you're doing and what consequences it will have!)



> Can I remove the DC1 server disregarding the warning or will it break domain 
> functionality?

You have to demote the DC, to get everything about it out of the AD. If you simply remove the DC without demoting (what you can't because of this bug here), everything stays. It can cause e. g. timeouts during logon, because workstations try to logon to the removed DC.
Comment 8 Adam Tauno Williams 2014-12-12 17:46:34 UTC
For work-around I have managed to find the following two approaches.  I have not tried these but some others have reported success.  I have an old DC I now really need to remove.

approach 1:

Use microsoft's dead DC removal vb script does a much better job and works too.
http://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

approach 2:

seeAlso http://support.microsoft.com/kb/216498
  2.  Remove old computer account by using "Active Directory Sites and Services" tool.
  3.  Remove old DNS and WINS records of the orphaned Domain Controller.
  4. Use "ADSIEdit" to remove old computer records from the Active Directory:
     a. OU=Domain Controllers,DC=domain,DC=local
     b. CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
     c. CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=local
Comment 9 Jason 2015-03-25 17:05:44 UTC
This seems like a rather serious bug. If I'm understanding correctly, this prevents anyone from transferring roles and demoting the DC (to decommission) from a Samba DC to Samba DC, Windows DC to Samba DC, or Samba DC to Windows DC. Thus making your "multi-master" redundancy a bit of an issue, no?

I had tried this over a year ago and ran into this issue. I thought it was just my fault. I had a Samba DC I setup quickly in a jam and had planned to move it. The move took a bit longer and then found that I was unable to transfer the roles to the new DC and decommission. Wiping and starting over really isn't viable when you have Group Policy and accounts with passwords already set and a bunch of computers already added to the domain.

Sure hope this gets resolved soon so I don't have to resort to trying the MS script or redoing the whole domain!
Comment 10 froman 2015-05-13 03:29:26 UTC
I have one system with two samba DC 4.0.0
and other system with two samba DC 4.2.1

both of them has the same problem.


this is critical, if the PDC dies, the other DC does nothing and the entire domain go offline
Comment 11 Kai Hofen 2015-08-06 02:39:05 UTC
Hello,
I am running Samba 4.1.6 on two Ubuntu servers. One of them is going to be demoted after a successful transfer of all roles since it has a problem with its network adapter.

If I got it right there is no more recent version of samba that solves the bug.

Is there a chance that this samba bug is solved soon?

The problematic machine runs in 10Mbit mode and is a bottleneck in the network. I would like to remove it as soon as possible.

Cheers,
Kai
Comment 12 Stefan Metzmacher 2015-08-06 10:57:40 UTC
Created attachment 11312 [details]
Patch for v4-2-test
Comment 13 Stefan Metzmacher 2015-08-06 10:58:18 UTC
Created attachment 11313 [details]
Patch for v4-1-test
Comment 14 Jiri Cerny 2015-08-06 11:10:36 UTC
Hello,
new upcoming release Samba 4.3 looks ok.
I tested 4.3.0rc1. samba-tool fsmo transfer/seize can handle all 7 FSMO roles. So DC can be demoted after transfer (but take care of remaining DNS entries).

As you can see metze just uploaded patches for 4.1 and 4.2. So next release of 4.1 and 4.2 will be ok too.



Dead DC is serious problem, because there is no native Samba tool, which can delete it. I tested it in my lab. At first I seized all FSMO roles, after that I used MS VB script to clean DC's metadata and deleted all remaining DNS entries. Everything looks ok after this procedure.



Jiri
Comment 15 Josip Begic 2015-09-02 13:56:28 UTC
Hello,
We tested fsmo role transfer between windows 2008r2 DC and samba DC and got this error:

ERROR: Failed to add role 'domaindns': LDAP error 53 LDAP_UNWILLING_TO_PERFORM -  <000020AE: SvcErr: DSID-03152965, problem 5003 (WILL_NOT_PERFORM), data 0

After that fSMORoleOwner attribute on both DCs is not set. 
We tried that on samba 4.2.3 with patch and samba 4.3 rc4 with the same results.

Probably because of that error we can not demote windows DC without forcing.

We also tried to change fSMORoleOwner attribute manually with ADSI edit on samba DC and it does not replicate to windows DC. If we try that with two windows DCs, attribute replicates as expected.


Is there a chance that this samba bug is solved soon?

Cheers,
Josip
Comment 16 Ole 2015-10-27 16:38:38 UTC
Despite Jiris announcement I haven't found this bug being addressed by the release notes of any of the newer versions.

Is the current state still "not resolved"?
Comment 17 Karolin Seeger 2015-10-28 08:18:13 UTC
(In reply to Ole from comment #16)
Yes, unfortunately it has not been picked up for the releases, because it has not been reviewed yet.
Comment 18 Karolin Seeger 2015-10-28 08:19:14 UTC
Is someone volunteering for review?
Comment 19 Ole 2015-10-28 09:19:08 UTC
Thanks for the Update, Karolin. My first reponse would be "What is a review in this regard?", so probably I am not the guy for this.

I was just wondering because the release notes of 4.3.0 say that Samba now is capable of viewing AND transferring all of the 7 FSMO roles - but no mentioning of this bug. So this is actually not true?
Comment 20 Karolin Seeger 2015-10-28 09:43:19 UTC
(In reply to Ole from comment #19)
A patch needs to be reviewed by at least two members of the Samba team before ending up in a release.
Comment 21 Andrew Bartlett 2016-07-30 02:06:07 UTC
This is fixed in Samba 4.3 per the comments, but due to other regressions and issues such as bug 11882 I suggest using 4.5.0rc1 or later.

Samba 4.2 is in security fixes only mode, so no further non-security patches will be applied there.

Sorry for the delays and the series of issues in this area, with the new code now under automated test, this should now be reliable.

See also samba-tool domain demote --remove-other-dead-server, which does a more comprehensive cleanup.