Hi there,

We have recently upgraded two of our customer directories from 4.1.17 to 4.5.8. With that I also wanted to change the DNS FSMO roles, since those were still on the server that was first installed in their environment instead of on the dedicated server we introduced later. Now I've already done this with a different customer's directory that we've put on 4.4.6 without a problem, but with 4.5.8 I seem to be unable to do this with both the customers I'm trying this with. See the error below.

root@gc:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
InfrastructureMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
RidAllocationMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
DomainNamingMasterRole owner: CN=NTDS Settings,CN=GC,CN=Servers,CN=Servicebureau,CN=Sites,CN=Configuration,DC=customer
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=AD-zoetermeer,CN=Servers,CN=Zoetermeer,CN=Sites,CN=Configuration,DC=customer
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=AD-zoetermeer,CN=Servers,CN=Zoetermeer,CN=Sites,CN=Configuration,DC=customer

root@gc:~# samba-tool fsmo transfer --role=all -U domadm
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Password for [CUSTOMER\domadm]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones,DC=customer'> <>

root@gc:~# samba -V
Version 4.5.8-Debian

The domadm user is the original Administrator account we always immediately rename after a deployment. I've changed the domain name to customer for our customer's discretion.

I've checked the values myself in the database, but everything seems to be just fine there, meaning the fSMORoleOwner is correct in the database. samba-tool dbcheck doesn't find any issues regarding this.

Please help, since the server currently holding this role has to be decommissioned soon. At the other customer site the server will stay.

Regards,
Peter Gerritsen
Does anyone have a suggestion on this matter? Thanks, Peter
It works with a recent version of Samba if you specify a user:

samba-tool fsmo transfer --role=all -U Administrator

However, it still fails if no user is mentioned.
(In reply to Denis Cardon from comment #2)
It has always worked like that, if you are transferring or seizing either the domaindns or forestdns role you must provide an administrator password.
(In reply to Rowland Penny from comment #3)
We can call this fixed then?

It could have been this:

commit 7583377473ecd3d096c4f924e61a04a84be32a96
Author: Rowland Penny <rpenny@samba.org>
Date: Thu Mar 31 12:07:00 2016 +0100

    samba-too: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles

    samba-too: Allow 'samba-tool fsmo' to cope with empty or missing fsmo roles

    Signed-off-by: Rowland Penny <rpenny@samba.org>
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>

or changes for one of these:

https://bugzilla.samba.org/show_bug.cgi?id=13973
https://bugzilla.samba.org/show_bug.cgi?id=14876
(In reply to Douglas Bagnall from comment #4)
Transferring the two dns roles works differently to the other five. I tried to get it to work without authentication, but couldn't; perhaps you could do better?

What could possibly be better is the help message. I wanted to list the roles line by line, but wasn't allowed to. Because of the way the help is formatted, it is easy to miss that authentication is required for transferring/seizing the dns roles.
"It has always worked like that, if you are transferring or seizing either the domaindns or forestdns role you must provide an administrator password."

@rpenny: it is still not working without adding auth. Which is what I was wanting to point out... If your patch is not complete (i.e. not working without auth), command line help should say that it does not work if no auth is provided.

@dbagnall: I don't think we can say it is fixed due to the above-mentioned improper behavior.
(In reply to Denis Cardon from comment #6)
It cannot transfer/seize the dns FSMO roles without authentication and the 'help' output does tell you this, just not in the way I wanted it to:

samba-tool fsmo transfer --help
........
--role=ROLE The FSMO role to seize or transfer. rid=RidAllocationMasterRole schema=SchemaMasterRole pdc=PdcEmulationMasterRole naming=DomainNamingMasterRole infrastructure=InfrastructureMasterRole domaindns=DomainDnsZonesMasterRole forestdns=ForestDnsZonesMasterRole all=all of the above You must provide an Admin user and password.
.............

Note the last line.

If you can come up with a better way of doing it, without auth, then be my guest.
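
A pre-decommission check for the situation discussed in this thread, as an added example that is not part of the original comments or of Samba's own code: it parses `samba-tool fsmo show` output and lists the transfer commands still needed on the target DC, adding `-U` only for the two DNS roles. The sample input is rebuilt from the listing in the first comment; the function names and the `admin_user` parameter are assumptions.

```python
import re

# Long role names as printed by `fsmo show` -> short --role values, taken from
# the `samba-tool fsmo transfer --help` text quoted in the thread.
ROLE_SHORT = {
    "SchemaMasterRole": "schema",
    "InfrastructureMasterRole": "infrastructure",
    "RidAllocationMasterRole": "rid",
    "PdcEmulationMasterRole": "pdc",
    "DomainNamingMasterRole": "naming",
    "DomainDnsZonesMasterRole": "domaindns",
    "ForestDnsZonesMasterRole": "forestdns",
}
NEEDS_AUTH = {"domaindns", "forestdns"}  # per the thread: these two need -U

_NTDS = "CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,DC=customer"
# Constructed sample: the role owners from the first comment's `fsmo show` listing.
SAMPLE = "\n".join(
    "%s owner: %s" % (role, _NTDS % (("AD-zoetermeer", "Zoetermeer")
                                     if ROLE_SHORT[role] in NEEDS_AUTH
                                     else ("GC", "Servicebureau")))
    for role in ROLE_SHORT)

OWNER = re.compile(r"^(\w+) owner: CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,")

def parse_fsmo_show(text):
    """Return {short_role: (server, site)} for every role line that parses."""
    owners = {}
    for line in text.splitlines():
        m = OWNER.match(line.strip())
        if m and m.group(1) in ROLE_SHORT:
            owners[ROLE_SHORT[m.group(1)]] = (m.group(2), m.group(3))
    return owners

def transfer_plan(text, target_dc, admin_user):
    """Commands to run on target_dc, plus roles whose owner could not be read."""
    owners = parse_fsmo_show(text)
    unreadable = sorted(set(ROLE_SHORT.values()) - set(owners))
    commands = []
    for role, (server, _site) in sorted(owners.items()):
        if server.lower() == target_dc.lower():
            continue  # already held by the target DC
        cmd = "samba-tool fsmo transfer --role=%s" % role
        if role in NEEDS_AUTH:
            cmd += " -U %s" % admin_user  # DNS roles fail without credentials
        commands.append(cmd)
    return commands, unreadable

if __name__ == "__main__":
    cmds, unreadable = transfer_plan(SAMPLE, "GC", "domadm")
    print("\n".join(cmds) or "nothing to transfer")
    print("owner not readable for:", unreadable or "none")
```

Roles reported as unreadable are ones whose owner line was absent or did not match the expected NTDS Settings DN; check those by hand before decommissioning the old server.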