Bug 10902 - Demote of RODC with samba-tool fails
Summary: Demote of RODC with samba-tool fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.1.13
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-28 11:02 UTC by Roel van Meer
Modified: 2015-12-22 06:37 UTC (History)
3 users (show)

See Also:

Attachments
Modify remote SamDB when demoting a RODC (5.13 KB, patch)
2014-10-28 11:24 UTC, Roel van Meer 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Roel van Meer 2014-10-28 11:02:53 UTC 
I have samba 4.1.13 running as AD DC. I can join, with samba-tool, a second samba 4.1.13 installation as a RODC, but if I try to demote this RODC with samba-tool, it fails with an error: "ERROR(ldb): uncaught exception - Invalid LDB reply type 1".

Transcript will follow.
Comment 1 Roel van Meer 2014-10-28 11:04:48 UTC 
### transcript of the join

root@s4-member:/tmp# samba-tool domain join s4.local RODC -Udago%Hallo123
Finding a writeable DC for domain 's4.local'
Found DC 1a-test-samba4.s4.local
workgroup is S4
realm is s4.local
checking sAMAccountName
Adding CN=S4-MEMBER,OU=Domain Controllers,DC=s4,DC=local
Adding CN=krbtgt_S4-MEMBER,CN=Users,DC=s4,DC=local
Got krbtgt_name=krbtgt_12921
Renaming CN=krbtgt_S4-MEMBER,CN=Users,DC=s4,DC=local to CN=krbtgt_12921,CN=Users,DC=s4,DC=local
Adding CN=S4-MEMBER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=local
Adding CN=NTDS Settings,CN=S4-MEMBER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=local
Adding CN=RODC Connection (FRS),CN=NTDS Settings,CN=S4-MEMBER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=local
Adding SPNs to CN=S4-MEMBER,OU=Domain Controllers,DC=s4,DC=local
Setting account password for S4-MEMBER$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=s4,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[402/1591] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[804/1591] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[1206/1591] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[1591/1591] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=s4,DC=local] objects[402/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[804/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[1206/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[1608/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[1693/1693] linked_values[25/0]
Replicating critical objects from the base DN of the domain
Partition[DC=s4,DC=local] objects[97/97] linked_values[45/0]
Partition[DC=s4,DC=local] objects[463/366] linked_values[67/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=s4,DC=local
Partition[DC=DomainDnsZones,DC=s4,DC=local] objects[402/737] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=s4,DC=local] objects[737/737] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=s4,DC=local
Partition[DC=ForestDnsZones,DC=s4,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=s4,DC=local] objects[36/18] linked_values[0/0]
Exop on[CN=S4-MEMBER,OU=Domain Controllers,DC=s4,DC=local] objects[1] linked_values[8]
Exop on[CN=krbtgt_12921,CN=Users,DC=s4,DC=local] objects[1] linked_values[0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting RODC invocationId
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain S4 (SID S-1-5-21-3770713487-2807704504-1782712704) as an RODC


### transcript of the demote
root@s4-member:/tmp# samba-tool domain demote -Udago%Hallo123
Using 1a-test-samba4.s4.local as partner server for the demotion
Desactivating inbound replication
ERROR(ldb): uncaught exception - Invalid LDB reply type 1
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 640, in run
    samdb.modify(nmsg)


### Samba config of the RODC

root@s4-member:/tmp# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = S4
        realm = s4.local
        netbios name = S4-MEMBER
        server string = s4-member
        server role = active directory domain controller
        security = auto
        idmap_ldb:use rfc2307 = yes
        interfaces = 192.168.1.11/24 127.255.255.255/8
        bind interfaces only = Yes
        hosts allow = 192.168.1.0/255.255.255.0 127.0.0.1 LOCAL/unixdom
        dns forwarder = 127.0.0.2

[netlogon]
        path = /var/lib/samba/sysvol/s4.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
Comment 2 Roel van Meer 2014-10-28 11:19:00 UTC 
After looking at the samba-tool code, my guess is that we're trying to disable inbound replication on the RODC itself, but because the RODC is read-only, that fails.

A solution that worked in my case was to disable inbound replication not in the entry in our own samdb, but in the entry in the remote samdb. However, I don't know enough about this to know if it's a correct solution or not. I add it here in the hope that it might be helpful.
Comment 3 Roel van Meer 2014-10-28 11:24:10 UTC 
Created attachment 10374 [details]
Modify remote SamDB when demoting a RODC
Comment 4 Darik Horn 2014-12-13 18:09:34 UTC 
The proposed patch does not resolve this bug when it is applied to the Samba 4.1.14-SerNet-Ubuntu-9 source package, but the error message is slightly different:

# samba-tool domain demote -Udajhorn@example.com
Using dc1.example.com as partner server for the demotion
Password for [dajhorn@example.com]:
Desactivating inbound replication
Changing userControl and container
Error while demoting, re-enabling inbound replicationERROR(ldb): Error while changing account control - LDAP error 80 LDAP_OTHER -  <00000057: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0
> <>


The failure is logged as:

[2014/12/13 12:53:46.723494,  0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
  Failed to apply records: Conflict adding object 'DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com' from incoming replication as we are read only for the partition.
   - We must fail the operation until a master for this partition resolves the conflict: Entry already exists
[2014/12/13 12:53:46.723962,  0] ../source4/dsdb/repl/drepl_out_helpers.c:733(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
Comment 5 mm13@ezplanet.net (dead mail address) 2015-10-02 16:41:55 UTC 
I have the same problem on CentOS 6, CentOS 7 using sernet-samba-4.2.4

[root@myrodc ~]# samba-tool domain demote -UAdministrator
Using myrodc.mydomain.org as partner server for the demotion
Password for [MYAD\Administrator]:
Deactivating inbound replication
ERROR(ldb): uncaught exception - Invalid LDB reply type 1
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 702, in run
    samdb.modify(nmsg)
Comment 6 Andrew Bartlett 2015-10-07 01:12:04 UTC 
I'm working on this for another client, I expect to have patches in master soon, or else see my demote-dc branch on git://git.catalyst.net.nz
Comment 7 Andrew Bartlett 2015-12-22 06:37:59 UTC 
This has been fixes in master with f121173cbf46fe64746d73adf40015c43d5c55fc and will be fixed in Samba 4.4.