Bug 10902 - Demote of RODC with samba-tool fails
Summary: Demote of RODC with samba-tool fails
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.13
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-10-28 11:02 UTC by Roel van Meer
Modified: 2015-12-22 06:37 UTC

Attachments:
Modify remote SamDB when demoting a RODC (5.13 KB, patch), 2014-10-28 11:24 UTC, Roel van Meer

Description Roel van Meer 2014-10-28 11:02:53 UTC
I have samba 4.1.13 running as AD DC. I can join, with samba-tool, a second samba 4.1.13 installation as a RODC, but if I try to demote this RODC with samba-tool, it fails with an error: "ERROR(ldb): uncaught exception - Invalid LDB reply type 1".

Transcript will follow.
Comment 1 Roel van Meer 2014-10-28 11:04:48 UTC
### transcript of the join

root@s4-member:/tmp# samba-tool domain join s4.local RODC -Udago%Hallo123
Finding a writeable DC for domain 's4.local'
Found DC 1a-test-samba4.s4.local
workgroup is S4
realm is s4.local
checking sAMAccountName
Adding CN=S4-MEMBER,OU=Domain Controllers,DC=s4,DC=local
Adding CN=krbtgt_S4-MEMBER,CN=Users,DC=s4,DC=local
Got krbtgt_name=krbtgt_12921
Renaming CN=krbtgt_S4-MEMBER,CN=Users,DC=s4,DC=local to CN=krbtgt_12921,CN=Users,DC=s4,DC=local
Adding CN=S4-MEMBER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=local
Adding CN=NTDS Settings,CN=S4-MEMBER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=local
Adding CN=RODC Connection (FRS),CN=NTDS Settings,CN=S4-MEMBER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=local
Adding SPNs to CN=S4-MEMBER,OU=Domain Controllers,DC=s4,DC=local
Setting account password for S4-MEMBER$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=s4,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[402/1591] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[804/1591] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[1206/1591] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=s4,DC=local] objects[1591/1591] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=s4,DC=local] objects[402/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[804/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[1206/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[1608/1693] linked_values[0/0]
Partition[CN=Configuration,DC=s4,DC=local] objects[1693/1693] linked_values[25/0]
Replicating critical objects from the base DN of the domain
Partition[DC=s4,DC=local] objects[97/97] linked_values[45/0]
Partition[DC=s4,DC=local] objects[463/366] linked_values[67/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=s4,DC=local
Partition[DC=DomainDnsZones,DC=s4,DC=local] objects[402/737] linked_values[0/0]
Partition[DC=DomainDnsZones,DC=s4,DC=local] objects[737/737] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=s4,DC=local
Partition[DC=ForestDnsZones,DC=s4,DC=local] objects[18/18] linked_values[0/0]
Partition[DC=ForestDnsZones,DC=s4,DC=local] objects[36/18] linked_values[0/0]
Exop on[CN=S4-MEMBER,OU=Domain Controllers,DC=s4,DC=local] objects[1] linked_values[8]
Exop on[CN=krbtgt_12921,CN=Users,DC=s4,DC=local] objects[1] linked_values[0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting RODC invocationId
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain S4 (SID S-1-5-21-3770713487-2807704504-1782712704) as an RODC

### transcript of the demote
root@s4-member:/tmp# samba-tool domain demote -Udago%Hallo123
Using 1a-test-samba4.s4.local as partner server for the demotion
Desactivating inbound replication
ERROR(ldb): uncaught exception - Invalid LDB reply type 1
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 640, in run

### Samba config of the RODC

root@s4-member:/tmp# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = S4
        realm = s4.local
        netbios name = S4-MEMBER
        server string = s4-member
        server role = active directory domain controller
        security = auto
        idmap_ldb:use rfc2307 = yes
        interfaces =
        bind interfaces only = Yes
        hosts allow = LOCAL/unixdom
        dns forwarder =

[netlogon]
        path = /var/lib/samba/sysvol/s4.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
Comment 2 Roel van Meer 2014-10-28 11:19:00 UTC
After looking at the samba-tool code, my guess is that we're trying to disable inbound replication on the RODC itself, but because the RODC is read-only, that fails.

A solution that worked in my case was to disable inbound replication not in the entry in our own samdb, but in the entry in the remote samdb. However, I don't know enough about this to know if it's a correct solution or not. I add it here in the hope that it might be helpful.
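Worked example, added here by the editor; it is not code from Samba, from samba-tool or from the patch attached to this report. It makes the decision described above explicit: the nTDSDSA object of the DC being demoted must get DISABLE_INBOUND_REPL set in its `options` attribute, and on an RODC that write cannot go to the local, read-only sam.ldb, so it has to be sent to the writable partner. The option bit values are the nTDSDSA `options` flags from MS-ADTS (Samba's DS_NTDSDSA_OPT_* constants); the DNs, URLs and the "1" starting value are constructed samples that mirror this report, and all function names are the editor's.

```python
# Added example (not Samba's own code): decide where an RODC demotion must
# write the "disable inbound replication" flag and build the LDIF for it.

# nTDSDSA 'options' bits as specified in MS-ADTS; Samba uses the same values
# under the names DS_NTDSDSA_OPT_*.
NTDSDSA_OPT_IS_GC = 0x1
NTDSDSA_OPT_DISABLE_INBOUND_REPL = 0x2
NTDSDSA_OPT_DISABLE_OUTBOUND_REPL = 0x4
NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE = 0x8

_FLAG_NAMES = {
    NTDSDSA_OPT_IS_GC: "IS_GC",
    NTDSDSA_OPT_DISABLE_INBOUND_REPL: "DISABLE_INBOUND_REPL",
    NTDSDSA_OPT_DISABLE_OUTBOUND_REPL: "DISABLE_OUTBOUND_REPL",
    NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE: "DISABLE_NTDSCONN_XLATE",
}


def parse_options(raw):
    """'options' is stored as a decimal string; an absent attribute means 0."""
    if raw is None or raw == "":
        return 0
    return int(raw)


def decode_options(options):
    """Names of the set option bits, lowest bit first. Bits this example does
    not know are reported in hex rather than silently dropped."""
    names = [name for bit, name in sorted(_FLAG_NAMES.items()) if options & bit]
    unknown = options & ~sum(_FLAG_NAMES)
    if unknown:
        names.append("0x%x" % unknown)
    return names


def demote_target(am_rodc, local_url, partner_url):
    """Database that receives the modification of our own nTDSDSA object.

    A writable DC edits its local sam.ldb. An RODC only holds a read-only
    replica of the Configuration partition, so the same modify must be sent to
    the writable partner DC instead (the approach the reporter's patch takes).
    """
    return partner_url if am_rodc else local_url


def modify_ldif(ntds_dn, new_options):
    """LDIF modify that replaces 'options' on the NTDS Settings object."""
    return ("dn: %s\n"
            "changetype: modify\n"
            "replace: options\n"
            "options: %d\n" % (ntds_dn, new_options))


def plan_demote(ntds_dn, raw_options, am_rodc, local_url, partner_url):
    """Bundle the target database, the LDIF that disables inbound replication
    and the LDIF that restores the original value (for the 'Error while
    demoting, re-enabling inbound replication' rollback path)."""
    current = parse_options(raw_options)
    disabled = current | NTDSDSA_OPT_DISABLE_INBOUND_REPL
    return {
        "target": demote_target(am_rodc, local_url, partner_url),
        "before": decode_options(current),
        "after": decode_options(disabled),
        "ldif": modify_ldif(ntds_dn, disabled),
        "rollback": modify_ldif(ntds_dn, current),
    }


if __name__ == "__main__":
    # Constructed sample: the RODC joined in this report, with IS_GC set.
    ntds_dn = ("CN=NTDS Settings,CN=S4-MEMBER,CN=Servers,"
               "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,"
               "DC=s4,DC=local")
    plan = plan_demote(ntds_dn, "1", True,
                       "/var/lib/samba/private/sam.ldb",   # local, read-only
                       "ldap://1a-test-samba4.s4.local")   # writable partner
    print("write to: %s" % plan["target"])
    print("options %s -> %s" % (plan["before"], plan["after"]))
    print(plan["ldif"])
```

The current value on the RODC can be read from its own replica, for instance with `ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "<NTDS Settings DN>" options` (default private directory assumed); the generated LDIF is then applied against the writable partner with `ldbmodify -H ldap://<partner> -U <admin>` rather than against the local sam.ldb, which is exactly the write that fails with "Invalid LDB reply type" when samba-tool sends it to the RODC itself.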
Comment 3 Roel van Meer 2014-10-28 11:24:10 UTC
Created attachment 10374 [details]
Modify remote SamDB when demoting a RODC
Comment 4 Darik Horn 2014-12-13 18:09:34 UTC
The proposed patch does not resolve this bug when it is applied to the Samba 4.1.14-SerNet-Ubuntu-9 source package, but the error message is slightly different:

# samba-tool domain demote -Udajhorn@example.com
Using dc1.example.com as partner server for the demotion
Password for [dajhorn@example.com]:
Desactivating inbound replication
Changing userControl and container
Error while demoting, re-enabling inbound replicationERROR(ldb): Error while changing account control - LDAP error 80 LDAP_OTHER -  <00000057: SysErr: DSID-031A1202, problem 22 (Invalid argument), data 0
> <>

The failure is logged as:

[2014/12/13 12:53:46.723494,  0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
  Failed to apply records: Conflict adding object 'DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=com' from incoming replication as we are read only for the partition.
   - We must fail the operation until a master for this partition resolves the conflict: Entry already exists
[2014/12/13 12:53:46.723962,  0] ../source4/dsdb/repl/drepl_out_helpers.c:733(dreplsrv_op_pull_source_apply_changes_trigger)
Comment 5 mm13@ezplanet.net (dead mail address) 2015-10-02 16:41:55 UTC
I have the same problem on CentOS 6 and CentOS 7 using sernet-samba-4.2.4.

[root@myrodc ~]# samba-tool domain demote -UAdministrator
Using myrodc.mydomain.org as partner server for the demotion
Password for [MYAD\Administrator]:
Deactivating inbound replication
ERROR(ldb): uncaught exception - Invalid LDB reply type 1
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 702, in run
Comment 6 Andrew Bartlett 2015-10-07 01:12:04 UTC
I'm working on this for another client, I expect to have patches in master soon, or else see my demote-dc branch on git://git.catalyst.net.nz
Comment 7 Andrew Bartlett 2015-12-22 06:37:59 UTC
This has been fixed in master with f121173cbf46fe64746d73adf40015c43d5c55fc and will be fixed in Samba 4.4.