Hello, I encountered a bug when demoting a RODC.

Steps to reproduce:

1 - Set up a DC and a RODC without preloading users
2 - Execute the command samba-tool domain demote --remove-other-dead-server=<your rodc>
3 - You will get this stacktrace:

Removing nTDSDSA: CN=NTDS Settings,CN=RODC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any children)
Removing RODC KDC account: CN=krbtgt_23517,CN=Users,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing computer account: CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any child objects)
ERROR(ldb): uncaught exception - replmd_delete: Failed to modify object CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br in delete - attribute 'msDS-RevealedUsers': no such attribute for delete on 'CN=RODC\0ADEL:7eb2a2b1-ca6e-4744-9889-3cf7ea860a9e,CN=Deleted Objects,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 777, in run
    remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/remove_dc.py", line 423, in remove_dc
    remove_dns_account=True)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/remove_dc.py", line 351, in offline_remove_ntds_dc
    remove_dns_account=remove_dns_account)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/remove_dc.py", line 251, in offline_remove_server
    samdb.delete(computer_dn, ["tree_delete:0"])
A transaction is still active in ldb context [0x25930a0] on tdb:///usr/local/samba/private/sam.ldb

If I preload an account on the RODC (samba-tool rodc preload test.rodc --server=pdc-ad1), this error disappears.
The problem seems to come from the msDS-RevealedUsers and looks like this issue: https://bugzilla.samba.org/show_bug.cgi?id=11139 I tried with samba 4.7.4.
Created attachment 14277: Patch
I found a way to make it work with my patch. Result:

root@debian7:/home/linagora# samba-tool domain demote --remove-other-dead-server=rodc
Removing nTDSDSA: CN=NTDS Settings,CN=RODC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any children)
Removing RODC KDC account: CN=krbtgt_23517,CN=Users,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing computer account: CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any child objects)
updating ForestDnsZones.poa.msdcbrz.eall.com.br keeping 1 values, removing 1 values
updating DomainDnsZones.poa.msdcbrz.eall.com.br keeping 1 values, removing 1 values
updating poa.msdcbrz.eall.com.br keeping 3 values, removing 1 values
updating DC=d571d9b6-64db-4fe1-9fc6-c5690ddff513,DC=_msdcs.poa.msdcbrz.eall.com.br,CN=MicrosoftDNS,DC=ForestDnsZones,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br keeping 0 values, removing 1 values
Removing Sysvol reference: CN=RODC,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing Sysvol reference: CN=RODC,CN=poa.msdcbrz.eall.com.br,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing Sysvol reference: CN=RODC,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing Sysvol reference: CN=RODC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
(In reply to Jean-Sébastien Bevilacqua from comment #2) I'm sorry, but I don't think that patch is correct. You just ignore the error, which would leave the object in place. The fix will need to be in the C code, sorry.
Hello Andrew, Indeed, it's more a hack than a real patch. The C code part is not so easy to work with!
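The following is an added illustration, not code from the report, the attached patch or Samba itself. It models with a tiny in-memory directory the three observations in the thread: an unconditional MOD_DELETE of msDS-RevealedUsers fails with no-such-attribute when the RODC has no revealed users, a preloaded account makes the same path succeed, and catching the error while still committing leaves the computer object in place (Andrew's objection). The attribute name, the result code 16 (LDB_ERR_NO_SUCH_ATTRIBUTE) and the RODC DN come from the report; FakeSamDb, remove_rodc and the "skip attributes the object does not carry" strategy are assumptions made for this illustration, not Samba's actual fix.

```python
"""Added illustration of the RODC demote failure (not Samba's code)."""

LDB_ERR_NO_SUCH_ATTRIBUTE = 16  # ldb/LDAP result code behind the report's error


class LdbError(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = code


class FakeSamDb:
    """Minimal stand-in for sam.ldb: DN -> {attribute: [values]} with a
    snapshot-based transaction, enough to show commit/cancel behaviour."""

    def __init__(self, objects):
        self.objects = {dn: dict(attrs) for dn, attrs in objects.items()}
        self._snapshot = None

    def transaction_start(self):
        self._snapshot = {dn: dict(a) for dn, a in self.objects.items()}

    def transaction_commit(self):
        self._snapshot = None

    def transaction_cancel(self):
        self.objects = self._snapshot  # roll back to the pre-transaction state
        self._snapshot = None

    def modify_delete_attr(self, dn, attr):
        """MOD_DELETE of a whole attribute: ldb rejects it if the attribute
        is not present on the object, which is the error in the report."""
        obj = self.objects[dn]
        if attr not in obj:
            raise LdbError(LDB_ERR_NO_SUCH_ATTRIBUTE,
                           "attribute '%s': no such attribute for delete on '%s'"
                           % (attr, dn))
        del obj[attr]

    def delete(self, dn):
        del self.objects[dn]


RODC_DN = "CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br"
# Link attributes stripped from a DC object when it is deleted (hypothetical list
# for this model; only the attribute named in the report is included).
LINKED_ATTRS = ["msDS-RevealedUsers"]


def remove_rodc(db, dn, skip_missing, swallow_error=False):
    """Delete the RODC computer object inside one transaction.

    skip_missing=True models a correct approach: only request MOD_DELETE for
    attributes the object actually carries.  swallow_error=True models the
    'ignore the error' patch: the exception is caught and the transaction is
    still committed.  Returns True if the object is gone afterwards.
    """
    db.transaction_start()
    try:
        present = db.objects[dn]
        for attr in LINKED_ATTRS:
            if skip_missing and attr not in present:
                continue  # nothing to strip; do not ask ldb to delete it
            db.modify_delete_attr(dn, attr)
        db.delete(dn)
        db.transaction_commit()
    except LdbError:
        if swallow_error:
            db.transaction_commit()  # error ignored: delete never happened
        else:
            db.transaction_cancel()  # what the real tool does on failure
    return dn not in db.objects


def make_db(preloaded_user=False):
    """Constructed sample directory holding just the RODC computer account."""
    attrs = {"objectClass": ["computer"], "sAMAccountName": ["RODC$"]}
    if preloaded_user:
        # Constructed placeholder value; real msDS-RevealedUsers is DN-Binary.
        attrs["msDS-RevealedUsers"] = ["<constructed value for test.rodc>"]
    return FakeSamDb({RODC_DN: attrs})


if __name__ == "__main__":
    print("unconditional, no revealed users :", remove_rodc(make_db(False), RODC_DN, False))
    print("unconditional, preloaded user    :", remove_rodc(make_db(True), RODC_DN, False))
    print("skip missing, no revealed users  :", remove_rodc(make_db(False), RODC_DN, True))
    print("error swallowed, no revealed user:", remove_rodc(make_db(False), RODC_DN, False, True))
```

The four cases print False, True, True, False respectively: the unconditional path reproduces the report, preloading a user hides it, skipping absent attributes removes the object, and swallowing the error commits a transaction in which the computer account was never deleted.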