Bug 10924 - Seizing FSMO naming role fails: WERR_CONNECTION_REFUSED
Seizing FSMO naming role fails: WERR_CONNECTION_REFUSED
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
4.1.13
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-06 16:46 UTC by Marc Muehlfeld
Modified: 2015-06-17 18:00 UTC (History)
5 users (show)

See Also:


Attachments
s4.2/fsmo.py: fixed fsmo transfer exception (1.33 KB, patch)
2015-02-26 21:45 UTC, Steve Howells
no flags Details
Patch for master (1.47 KB, text/plain)
2015-03-15 12:51 UTC, Marc Muehlfeld
mmuehlfeld: review+
Details
Patch for v4-2-test (1.58 KB, patch)
2015-06-01 08:03 UTC, Stefan Metzmacher
metze: review? (abartlet)
mmuehlfeld: review+
Details
Patch for v4-1-test (1.58 KB, patch)
2015-06-01 08:04 UTC, Stefan Metzmacher
metze: review? (abartlet)
mmuehlfeld: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2014-11-06 16:46:15 UTC
Problem: DC1 is lost. On DC2 you try to seize the roles. All work, only the naming role fails:


[root@DC2 ~]# samba-tool fsmo seize --role=rid
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO seize of 'rid' role successful

[root@DC2 ~]# samba-tool fsmo seize --role=pdc
Attempting transfer...
Transfer unsuccessful, seizing...
FSMO seize of 'pdc' role successful                                                                     

[root@DC2 ~]# samba-tool fsmo seize --role=infrastructure                                     
Attempting transfer...
Transfer unsuccessful, seizing...                                                                       
FSMO seize of 'infrastructure' role successful                                                          

[root@DC2 ~]# samba-tool fsmo seize --role=schema                                                          
Attempting transfer...                                                                                   
Transfer unsuccessful, seizing...                                                                       
FSMO seize of 'schema' role successful                                                                  

[root@DC2 ~]# samba-tool fsmo seize --role=naming                                                          
Attempting transfer...                                                                                   
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_CONNECTION_REFUSED                                       
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)                                                                   
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 160, in run   
    self.seize_role(role, samdb, force)                                                             
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 126, in seize_role   
    transfer_role(self.outf, role, samdb)                                                           
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 53, in transfer_role    
    samdb.modify(m)
Comment 1 Marc Muehlfeld 2014-11-06 16:53:42 UTC
Workaround:
If you force the seize command, it works:

# samba-tool fsmo seize --role=naming --force
Will not attempt transfer, seizing...
FSMO seize of 'naming' role successful
Comment 2 Steve Howells 2015-01-26 17:37:48 UTC
in /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py there is an extra call to samdb.modify(m) in the "naming" part of the if statement. Removing the call will fix the issue

def transfer_role(outf, role, samdb):
    m = ldb.Message()
    m.dn = ldb.Dn(samdb, "")
    if role == "rid":
        m["becomeRidMaster"]= ldb.MessageElement(
            "1", ldb.FLAG_MOD_REPLACE,
            "becomeRidMaster")
    elif role == "pdc":
        domain_dn = samdb.domain_dn()
        res = samdb.search(domain_dn,
                           scope=ldb.SCOPE_BASE, attrs=["objectSid"])
        assert len(res) == 1
        sid = res[0]["objectSid"][0]
        m["becomePdc"]= ldb.MessageElement(
            sid, ldb.FLAG_MOD_REPLACE,
            "becomePdc")
    elif role == "naming":
        m["becomeDomainMaster"]= ldb.MessageElement(
            "1", ldb.FLAG_MOD_REPLACE,
            "becomeDomainMaster")
        samdb.modify(m)                      <--------------- remove 
    elif role == "infrastructure":
        m["becomeInfrastructureMaster"]= ldb.MessageElement(
            "1", ldb.FLAG_MOD_REPLACE,
            "becomeInfrastructureMaster")
    elif role == "schema":
        m["becomeSchemaMaster"]= ldb.MessageElement(
            "1", ldb.FLAG_MOD_REPLACE,
            "becomeSchemaMaster")
    else:
        raise CommandError("Invalid FSMO role.")
    try:
        samdb.modify(m)
    except LdbError, (num, msg):
        raise CommandError("Failed to initiate transfer of '%s' role: %s" % (role, msg))
    outf.write("FSMO transfer of '%s' role successful\n" % role)
Comment 3 Steve Howells 2015-02-26 21:45:02 UTC
Created attachment 10799 [details]
s4.2/fsmo.py: fixed fsmo transfer exception
Comment 4 Stefan Metzmacher 2015-03-13 10:01:29 UTC
Comment on attachment 10799 [details]
s4.2/fsmo.py: fixed fsmo transfer exception

This looks good Reviewed-by: Stefan Metzmacher <metze@samba.org>
it just need a 2nd review and a Signed-off-by: tag
as well as a "Bug: https://bugzilla.samba.org/show_bug.cgi?id=10924" line
Comment 5 Marc Muehlfeld 2015-03-15 12:51:49 UTC
Created attachment 10873 [details]
Patch for master

Patch looks good to me and I've tested it (works).

I've re-attached the patch with Stefans + my Reviewed-By tag, Signed-Off tag + link to this bug report. If it's fine, Stefan, can you please push it to autobuild? Thanks.
Comment 6 Yuriy Tabolin 2015-05-28 12:52:52 UTC
I have two samba 4.1.17 servers with the same problem:
[root@dc1 /]# samba-tool fsmo transfer --role=naming
ldb_wrap open of secrets.ldb
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_CONNECTION_REFUSED
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 268, in run
    transfer_role(self.outf, role, samdb)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 53, in transfer_role
    samdb.modify(m)


All other roles seized fine. Force seize command is deprecated in 4.1.17 as I thought.
[root@dc1 /]# samba-tool fsmo transfer --role=naming --force
Usage: samba-tool fsmo transfer [options]

samba-tool fsmo transfer: error: no such option: --force
Comment 7 Stefan Metzmacher 2015-06-01 08:03:51 UTC
Created attachment 11112 [details]
Patch for v4-2-test
Comment 8 Stefan Metzmacher 2015-06-01 08:04:23 UTC
Created attachment 11113 [details]
Patch for v4-1-test
Comment 9 Karolin Seeger 2015-06-06 20:10:05 UTC
Pushed to autobuild-v4-[1|2]-test.
Comment 10 Karolin Seeger 2015-06-09 19:37:36 UTC
(In reply to Karolin Seeger from comment #9)
Pushed to v4-2-test.
autobuild-v4-1-test failed, re-trying.
Comment 11 Karolin Seeger 2015-06-17 18:00:51 UTC
(In reply to Karolin Seeger from comment #10)
Pushed to v4-1-test.
Closing out bug report.

Thanks!