Bug 13484 - Demote DC fails to remove an old Windows AD DC
Summary: Demote DC fails to remove an old Windows AD DC
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
 
Reported: 2018-06-26 05:14 UTC by Tim Beale
Modified: 2019-06-11 23:08 UTC

Attachments
Fix for problem (1.35 KB, text/plain)
2018-06-26 05:28 UTC, Tim Beale
Cherry-pick of patch for v4.8 branch (1.54 KB, text/plain)
2018-09-14 02:51 UTC, Tim Beale

Description Tim Beale 2018-06-26 05:14:05 UTC
'samba-tool domain demote --remove-other-dead-server' fails to remove an old Windows AD DC:

  File "bin/python/samba/remove_dc.py", line 445, in remove_dc
    remove_dns_account=True)
  File "bin/python/samba/remove_dc.py", line 368, in offline_remove_ntds_dc
    remove_dns_account=remove_dns_account)
  File "bin/python/samba/remove_dc.py", line 245, in offline_remove_server
    samdb.delete(server_dn)
LdbError: (66, 'subtree_delete: Unable to delete a non-leaf node (it has 1 children)!')
A transaction is still active in ldb context [0x22f4690] on /home/timbeale/code/samba/backup_temp_dir/private/sam.ldb
ERROR(ldb): uncaught exception - subtree_delete: Unable to delete a non-leaf node (it has 1 children)!
  File "bin/python/samba/netcmd/__init__.py", line 177, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/domain_backup.py", line 55, in inner
    raise e

The problem happens trying to delete the old server object, i.e.
CN=<WINDOWS-DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,<DOMAIN>

The problem is that Windows has an extra 'DNS Settings' child object underneath the server object, whereas Samba doesn't, i.e.
CN=DNS Settings,CN=<WINDOWS-DC>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,<DOMAIN>

Reported on mailing list here:
https://lists.samba.org/archive/samba/2018-June/216572.html

Problem also found while testing the backup/restore tool.
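
The failure mode described above, as an added example that is not part of the original report, Samba's remove_dc.py, or the attached patch: a toy in-memory directory that refuses non-leaf deletes with result code 66, and a deepest-first delete that removes the 'DNS Settings' child before the server object. The names WINDC1, SAMBADC1 and DC=example,DC=com, and all function and class names, are assumptions made for illustration.

```python
# Added illustration: a toy directory, not Samba's remove_dc.py or the attached patch.
import re

NOT_ALLOWED_ON_NON_LEAF = 66  # LDAP result code shown in the LdbError above

# Constructed sample data; WINDC1, SAMBADC1 and DC=example,DC=com are placeholders.
SERVERS = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
SERVER_DN = "CN=WINDC1," + SERVERS
DNS_DN = "CN=DNS Settings," + SERVER_DN
OTHER_DN = "CN=SAMBADC1," + SERVERS

class NonLeafError(Exception):
    pass

def split_dn(dn):
    # Split on commas not preceded by a backslash (enough for these DNs).
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def is_under(dn, base):
    # True when dn is base itself or any descendant of it.
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

class ToyDirectory:
    def __init__(self, dns):
        self.dns = list(dns)

    def delete(self, dn):
        # Like the subtree_delete check in the traceback: leaf objects only.
        below = [d for d in self.dns if d != dn and is_under(d, dn)]
        if below:
            raise NonLeafError(NOT_ALLOWED_ON_NON_LEAF,
                               "non-leaf node (%d objects below it)" % len(below))
        self.dns.remove(dn)

def delete_subtree(db, base):
    # Deepest DNs first, so every object is a leaf by the time it is deleted.
    order = sorted((d for d in db.dns if is_under(d, base)),
                   key=lambda d: len(split_dn(d)), reverse=True)
    for dn in order:
        db.delete(dn)
    return order

if __name__ == "__main__":
    db = ToyDirectory([SERVER_DN, DNS_DN, OTHER_DN])
    try:
        db.delete(SERVER_DN)
    except NonLeafError as e:
        print("plain delete refused:", e.args)
    print("deleted in order:", delete_subtree(db, SERVER_DN))
    print("remaining:", db.dns)
```
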
Comment 1 Tim Beale 2018-06-26 05:28:21 UTC
Created attachment 14259
Fix for problem
Comment 2 Tim Beale 2018-09-14 02:51:45 UTC
Created attachment 14488
Cherry-pick of patch for v4.8 branch
Comment 3 Tim Beale 2019-06-11 23:08:11 UTC
Closing bug as it's fixed on v4.9 onwards, and v4.8 is now security-fixes-only.