Overview:
Attempt to demote a DC using: samba-tool domain demote -Uadministrator command. Two DCs in the domain - DC1 holding all FSMO roles, replication working, SysVol replication working and samba-tool ntacl sysvolcheck produced no errors.

Steps to Reproduce:
Can be easily reproduced by joining another server as DC. After configuring SysVol replication and checking all is working, attempt another demote.

Result of entering the samba-tool domain demote command:

    root@dc2:~# samba-tool domain demote -Uadministrator
    Using dc1.microlynx.com as partner server for the demotion
    Password for [MICROLYNX\administrator]:
    Deactivating inbound replication
    Asking partner server dc1.microlynx.com to synchronize from us
    Changing userControl and container
    ERROR(<type 'exceptions.TypeError'>): uncaught exception - remove_sysvol_references() takes exactly 3 arguments (2 given)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 943, in run
        remove_dc.remove_sysvol_references(remote_samdb, dc_name)
    root@dc2:~#

Expected result:
Graceful demotion of the DC with the remaining DC correctly removing all entries to the demoted DC in Active Directory and DNS.

Build and hardware:
Samba was compiled from source (version 4.4.0) using just the following configure options: --sysconfdir=/etc/samba and --disable-cups
Platform was new installs of Debian v8.3 (jessie) on i686 processor-based hardware for both DCs.
Domain was provisioned using --use-rfc2307 and --dns-backend=SAMBA_INTERNAL.
(Have tested another DC, this time on a 64-bit machine with same result).
Created attachment 11953
Adds missing word

This patch should fix the problem, I have also sent the patch to samba-technical for consideration.
Comment on attachment 11953
Adds missing word

The more concerning issue is why this wasn't a tested codepath. Can you look at our tests and see what we need to add?

Thanks,
(In reply to Andrew Bartlett from comment #2) The online samba-tool demote case is listed as a flapping test, which is why this code is essentially untested. Fixing bug 11882 (and perhaps some other replication bugs) will allow the existing test to be used again.
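An added example, not Samba code and not part of this bug's patch: a static check that catches this class of error without running a demotion, by parsing caller and callee with Python's ast module and reporting calls whose argument count cannot bind. Both source strings are constructed stand-ins for the modules in the traceback, and second_arg is a hypothetical parameter name; the page only states that the function takes exactly 3 arguments.

```python
import ast

# Constructed stand-ins for remove_dc.py and domain.py from the traceback.
# "second_arg" is a hypothetical name; the real parameter is not on the page.
REMOVE_DC_SRC = '''
def remove_sysvol_references(samdb, second_arg, dc_name):
    pass
'''
DOMAIN_SRC = '''
import remove_dc
def run(remote_samdb, dc_name):
    remove_dc.remove_sysvol_references(remote_samdb, dc_name)
'''

def signatures(source):
    """Map top-level function names to (min, max) accepted argument counts."""
    sigs = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.FunctionDef):
            continue
        a = node.args
        if a.kwonlyargs or a.kwarg:
            continue  # keyword-only / **kwargs signatures are out of scope here
        total = len(a.posonlyargs) + len(a.args)
        sigs[node.name] = (total - len(a.defaults), None if a.vararg else total)
    return sigs

def arity_mismatches(caller_src, module_name, callee_src):
    """Return (lineno, function, given, (min, max)) for calls that cannot bind."""
    sigs = signatures(callee_src)
    problems = []
    for node in ast.walk(ast.parse(caller_src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        f = node.func
        if not (isinstance(f.value, ast.Name) and f.value.id == module_name):
            continue
        if f.attr not in sigs:
            continue
        # Calls that unpack *args or **kwargs have no statically known arity.
        if any(isinstance(x, ast.Starred) for x in node.args):
            continue
        if any(k.arg is None for k in node.keywords):
            continue
        given = len(node.args) + len(node.keywords)
        low, high = sigs[f.attr]
        if given < low or (high is not None and given > high):
            problems.append((node.lineno, f.attr, given, (low, high)))
    return problems

if __name__ == "__main__":
    for lineno, name, given, (low, high) in arity_mismatches(DOMAIN_SRC, "remove_dc", REMOVE_DC_SRC):
        print("line %d: %s() given %d, accepts %s..%s" % (lineno, name, given, low, high))
```

Run over real files by reading their contents into the two source arguments; it only resolves calls written as module.function(...), which is the form shown in the traceback.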
After applying both this patch and the one related to bug 11882 to Samba 4.4.2, I was able to successfully demote an AD DC. Before the patch, all demotion attempts failed.
I applied this patch together with the one related to bug 11818.
Fixed in Samba 4.5.0rc1 by f777ca33c677cc6a7f4e52606b83c5002e3e6b71