thr3ads.net - samba - [Samba] problems with sysvol after fsmo transfer [Jan 2023]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2023-Jan-11 19:27 UTC

[Samba] problems with sysvol aft

On 11/01/2023 18:56, Thorsten Marquardt via samba wrote:> 
> Am 11.01.23 um 16:24 schrieb Rowland Penny via samba:
>> Yes and it shows what I started with, you have two SRV records for the
>> PDC_Emulator, delete the old one.
>>
>> Rowland
> 
> I did and stopped samba on the old server. But my problem remains. I to 
> can not connect to \\my.local.dom\sysvol. 
If I try that I get:

Not enough '\' characters in service

Doubling the '\' works as does using '/'

But I get prompted for my password

Putting it another way, I cannot really get it to not work.
Note that I am doing this on Linux using smbclient.

After a while? a get a dialog> to enter username and password to access the share. Whereas connecting to
> \\srv-kb-dc1\sysvol makes no problem. Could my problem somehow be 
> kerberos related?
Could be but I doubt it.
When I try it (again on Linux), it doesn't work and using my ticket 
cache using smbclient with --use-krb5-ccache=CCACHE , I found out why:

gensec_spnego_client_negTokenInit_step: gse_krb5: creating 
NEG_TOKEN_INIT for cifs/samdom.example.com failed (next[(null)]): 
NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

I don't have the 'cifs' SPN

So, tried this:

sudo smbclient \\\\samdom.example.com\\sysvol -P

And got this:

Try "help" to get a list of possible commands.
smb: \>

My computer does have the 'cifs' SPN

Rowland

Thorsten Marquardt

2023-Jan-12 10:53 UTC

head link

[Samba] problems with sysvol after fsmo transfer

Thank you so far. But unfortunately I could not fix the problems. So I 
decided to start over again at a situation where all the fsmo roles 
resides on the old controller.

Here is a transcript of what I did and the errors reported:

The inititial position

srv-kb-dc1:~ # samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...

srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
Server:???????? 192.168.1.243
Address:??????? 192.168.1.243#53

_ldap._tcp.pdc._msdcs.my.local.dom? service = 0 100 389 
srv-kb-primdc.my.local.dom.


Attempt no. 1

srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator

FSMO transfer of 'rid' role successful
ERROR: Transfer of 'pdc' role failed: Failed FSMO transfer: 
NT_STATUS_IO_TIMEOUT

srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
Server:???????? 192.168.1.243
Address:??????? 192.168.1.243#53

_ldap._tcp.pdc._msdcs.my.local.dom? service = 0 100 389 
srv-kb-primdc.my.local.dom.

srv-kb-dc1:~ # samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...

Although I get the timeout error the pdc role appears to have been 
transferred.

So I tried again

Attempt no. 2

srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
FSMO transfer of 'naming' role successful
ERROR: Transfer of 'infrastructure' role failed: Failed FSMO transfer: 
NT_STATUS_IO_TIMEOUT

srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
Server:???????? 192.168.1.243
Address:??????? 192.168.1.243#53

_ldap._tcp.pdc._msdcs.my.local.dom? service = 0 100 389 
srv-kb-primdc.my.local.dom.
_ldap._tcp.pdc._msdcs.my.local.dom? service = 0 100 389 
srv-kb-dc1.my.local.dom.

srv-kb-dc1:~ # samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...

This time I get a second entry for _ldap._tcp.pdc._msdcs.my.local.dom 
and again despite of the timeout the role seams to have been transferred.

The next attempt:

srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
FSMO transfer of 'schema' role successful
Password for [KOBRA\administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
'module'
object has no attribute 'drs_utils'
 ? File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
 ??? return self.run(*args, **kwargs)
 ? File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py",
line
515, in run
 ??? "domaindns", samdb)
 ? File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py",
line
129, in transfer_dns_role
 ??? except samba.drs_utils.drsException, e:

srv-kb-dc1:~ # samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...



After this run only the ForestDnsZonesMasterRole stays on the old server

The final attempt

srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
This DC already has the 'domaindns' FSMO role
Password for [KOBRA\administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
'module'
object has no attribute 'drs_utils'
 ? File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
 ??? return self.run(*args, **kwargs)
 ? File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py",
line
517, in run
 ??? samdb)
 ? File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py",
line
129, in transfer_dns_role
 ??? except samba.drs_utils.drsException, e:
srv-kb-dc1:~ # samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-Fi...

Seemingly all looks fine now but obviously it isn't. Perhaps I should 
have stumbled over the timeouts I got.


I don't wont to run a

samba-tool fsmo seize

bevor I have a running environment with the new domain controller doing 
its job.

Maybe Matching Threads

Search for more maybe matching threads

samba - Jan 2023 - problems with sysvol after fsmo transfer

[Samba] problems with sysvol aft

[Samba] problems with sysvol after fsmo transfer

Maybe Matching Threads