Bug 11818 - Demote a working DC fails with uncaught exception
Summary: Demote a working DC fails with uncaught exception
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.4.0
Hardware: All Linux
: P5 minor (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 11882
  Show dependency treegraph
Reported: 2016-03-31 11:15 UTC by Roy Eastwood
Modified: 2016-07-29 03:28 UTC (History)
3 users (show)

See Also:

Adds missing word (1.11 KB, patch)
2016-03-31 12:41 UTC, Rowland Penny
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Roy Eastwood 2016-03-31 11:15:37 UTC
Overview:  Attempt to demote a DC using: samba-tool domain demote -Uadministrator command.   Two DCs in the domain - DC1 holding all FSMO roles, replication working, SysVol replication working and samba-tool ntacl sysvolcheck produced no errors.

Steps to Reproduce: Can be easily reproduced by joining another server as DC.   After configuring SysVol replication and checking all is working, attempt another demote.

Result of entering the samba-tool domain demote command:
root@dc2:~# samba-tool domain demote -Uadministrator
Using dc1.microlynx.com as partner server for the demotion
Password for [MICROLYNX\administrator]:
Deactivating inbound replication
Asking partner server dc1.microlynx.com to synchronize from us
Changing userControl and container
ERROR(<type 'exceptions.TypeError'>): uncaught exception - remove_sysvol_references() takes exactly 3 arguments (2 given)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 943, in run
    remove_dc.remove_sysvol_references(remote_samdb, dc_name)

Expected result: Graceful demotion of the DC with the remaining DC correctly removing all entries to the demoted DC in Active Directory and DNS.

Build and hardware: Samba was compiled from source (version 4.4.0) using just the following configure options: --sysconfdir=/etc/samba and --disable-cups
Platform was new installs of Debian v8.3 (jessie) on i686 processor-based hardware for both DCs.   Domain was provisioned using --use-rfc2307 and --dns-backend=SAMBA_INTERNAL.

(Have tested another DC, this time on a 64-bit machine with same result).
Comment 1 Rowland Penny 2016-03-31 12:41:40 UTC
Created attachment 11953 [details]
Adds missing word

This patch should fix the problem, I have also sent the patch to samba-technical for consideration.
Comment 2 Andrew Bartlett 2016-03-31 18:47:19 UTC
Comment on attachment 11953 [details]
Adds missing word

The more concerning issue is why this wasn't a tested codepath.  Can you look at our tests and see what we need to add?

Comment 3 Andrew Bartlett 2016-04-29 22:37:45 UTC
(In reply to Andrew Bartlett from comment #2)
The online samba-tool demote case is listed as a flapping test, which is why this code is essentially untested.

Fixing bug 11882 (and perhaps some other replication bugs) will allow the existing test to be used again.
Comment 4 Miguel Medalha 2016-05-07 17:25:21 UTC
After applying both this patch and the one related to bug 11882 to samba 4.4.2 I was able to successfully demote an AD DC. Before the patch all demotion attempts failed.
Comment 5 Miguel Medalha 2016-05-07 17:29:43 UTC
I applied this patch together with the one related to bug 11818.
Comment 6 Andrew Bartlett 2016-07-29 03:28:38 UTC
Fixed in Samba 4.5.0rc1 by f777ca33c677cc6a7f4e52606b83c5002e3e6b71