Bug 13501 - Unable to demote an empty RODC
Summary: Unable to demote an empty RODC
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.7.4
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-02 11:48 UTC by Jean-Sébastien Bevilacqua
Modified: 2023-04-20 13:35 UTC (History)
2 users (show)

See Also:


Attachments
Patch (666 bytes, patch)
2018-07-04 12:01 UTC, Jean-Sébastien Bevilacqua
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jean-Sébastien Bevilacqua 2018-07-02 11:48:15 UTC
Hello,

I encountered a bug when demoting a RODC.

Step to reproduce:

1 - Set a DC and a RODC without preloading user
2 - Execute the command

samba-tool domain demote --remove-other-dead-server=<your rodc>

3 - You will get this stacktrace

Removing nTDSDSA: CN=NTDS Settings,CN=RODC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any children)
Removing RODC KDC account: CN=krbtgt_23517,CN=Users,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing computer account: CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any child objects)
ERROR(ldb): uncaught exception - replmd_delete: Failed to modify object CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br in delete - attribute 'msDS-RevealedUsers': no such attribute for delete on 'CN=RODC\0ADEL:7eb2a2b1-ca6e-4744-9889-3cf7ea860a9e,CN=Deleted Objects,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br'
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 777, in run
    remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/remove_dc.py", line 423, in remove_dc
    remove_dns_account=True)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/remove_dc.py", line 351, in offline_remove_ntds_dc
    remove_dns_account=remove_dns_account)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/remove_dc.py", line 251, in offline_remove_server
    samdb.delete(computer_dn, ["tree_delete:0"])
A transaction is still active in ldb context [0x25930a0] on tdb:///usr/local/samba/private/sam.ldb

If I preload an account on the RODC (samba-tool rodc preload test.rodc --server=pdc-ad1), this error disappears.


The problem seems to come from the msDS-RevealedUsers and looks like this issue: https://bugzilla.samba.org/show_bug.cgi?id=11139

I tried with samba 4.7.4.
Comment 1 Jean-Sébastien Bevilacqua 2018-07-04 12:01:14 UTC
Created attachment 14277 [details]
Patch
Comment 2 Jean-Sébastien Bevilacqua 2018-07-04 12:01:40 UTC
I found a way to make it works with my patch.

Result:

root@debian7:/home/linagora# samba-tool domain demote --remove-other-dead-server=rodc
Removing nTDSDSA: CN=NTDS Settings,CN=RODC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any children)
Removing RODC KDC account: CN=krbtgt_23517,CN=Users,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing computer account: CN=RODC,OU=Domain Controllers,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br (and any child objects)
updating ForestDnsZones.poa.msdcbrz.eall.com.br keeping 1 values, removing 1 values
updating DomainDnsZones.poa.msdcbrz.eall.com.br keeping 1 values, removing 1 values
updating poa.msdcbrz.eall.com.br keeping 3 values, removing 1 values
updating DC=d571d9b6-64db-4fe1-9fc6-c5690ddff513,DC=_msdcs.poa.msdcbrz.eall.com.br,CN=MicrosoftDNS,DC=ForestDnsZones,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br keeping 0 values, removing 1 values
Removing Sysvol reference: CN=RODC,CN=Enterprise,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing Sysvol reference: CN=RODC,CN=poa.msdcbrz.eall.com.br,CN=Microsoft System Volumes,CN=System,CN=Configuration,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing Sysvol reference: CN=RODC,CN=Domain System Volumes (SYSVOL share),CN=File Replication Service,CN=System,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Removing Sysvol reference: CN=RODC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=poa,DC=msdcbrz,DC=eall,DC=com,DC=br
Comment 3 Andrew Bartlett 2018-07-04 20:00:23 UTC
(In reply to Jean-Sébastien Bevilacqua from comment #2)
I'm sorry, but I don't think that patch is correct.

You just ignore the error, which would leave the object in place.

The fix will need to be in the C code, sorry.
Comment 4 Jean-Sébastien Bevilacqua 2018-07-05 07:11:22 UTC
Hello Andrew,

Indeed, it's more a hack than a real patch.
The C code part is not so easy to work with!