samba - Jun 2010 - Samba 4 Cleanup Managing and Otherwise

OK, there has got to be a way to work with this thing other than 
wiping the Domain every time an error pops up.

Trying to resolve problems I did a git upgrade and:

setup# /usr/local/samba/sbin/upgradeprovision

Which provided the unhelpful:

Found 3 domain controllers, for the moment upgradeprovision is not 
able to handle upgrade on domain with more than one DC, please demote 
the other(s) DC(s) before upgrading

As I am actually trying to clean up an orphaned DC due to the fact 
that dcpromo fails to remove AD from a windows server I am in even 
worse shape than before the git upgrade.

As I don't have unlimited funds, and the M$ software is outrageously 
expensive, I can't keep blowing Windows servers out and reprovisioning 
them.

Any ideas would be greatly appreciated here.

Cheers,

On 17 June 2010 04:49,  <tms3 at tms3.com> wrote:
> OK, there has got to be a way to work with this thing other than wiping the
> Domain every time an error pops up.
>
> Trying to resolve problems I did a git upgrade and:
>
> setup# /usr/local/samba/sbin/upgradeprovision
>
> Which provided the unhelpful:
>
> Found 3 domain controllers, for the moment upgradeprovision is not able to
> handle upgrade on domain with more than one DC, please demote the other(s)
> DC(s) before upgrading
>
> As I am actually trying to clean up an orphaned DC due to the fact that
> dcpromo fails to remove AD from a windows server I am in even worse shape
> than before the git upgrade.
>
> As I don't have unlimited funds, and the M$ software is outrageously
> expensive, I can't keep blowing Windows servers out and reprovisioning
them.
>
> Any ideas would be greatly appreciated here.
Maybe running ldapcmp against the samba box and the Windows box will
tell you something.  Also, maybe what you could do is get an LDIF
export of the directory, then add another Samba box to the domain and
get another LDIF export and compare them to see what was added.  Then
you should be able to know exactly what needs to be deleted again
afterwards.

I haven't had a chance to try the above yet, though.

P.S.  I know the upgradeprovision script is being worked on at the
moment, so this might all be fixed soon, but maybe you should mention
it on the samba-technical list.

-- 
Michael Wood <esiotrot at gmail.com>

>
> --- Original message ---
> Subject: Re: [Samba] Samba 4 Cleanup Managing and Otherwise
> From: Michael Wood <esiotrot at gmail.com>
> To: <tms3 at tms3.com>
> Cc: <samba at lists.samba.org>
> Date: Friday, 18/06/2010  5:34 AM
>
> On 17 June 2010 04:49,  <tms3 at tms3.com> wrote:
>>
>> OK, there has got to be a way to work with this thing other than 
>> wiping the
>> Domain every time an error pops up.
>>
>> Trying to resolve problems I did a git upgrade and:
>>
>> setup# /usr/local/samba/sbin/upgradeprovision
>>
>> Which provided the unhelpful:
>>
>> Found 3 domain controllers, for the moment upgradeprovision is not 
>> able to
>> handle upgrade on domain with more than one DC, please demote the 
>> other(s)
>> DC(s) before upgrading
>>
>> As I am actually trying to clean up an orphaned DC due to the fact 
>> that
>> dcpromo fails to remove AD from a windows server I am in even worse 
>> shape
>> than before the git upgrade.
>>
>> As I don't have unlimited funds, and the M$ software is
outrageously
>> expensive, I can't keep blowing Windows servers out and
reprovisioning
>> them.
>>
>> Any ideas would be greatly appreciated here.
>
> Maybe running ldapcmp against the samba box and the Windows box will
> tell you something.  Also, maybe what you could do is get an LDIF
> export of the directory, then add another Samba box to the domain and
> get another LDIF export and compare them to see what was added.  Then
> you should be able to know exactly what needs to be deleted again
> afterwards.
Interestingly, after I wrote the above, I accessed the W2K3R2 DC and 
was able to use "sites and services" to delete the NTDS settings under
the still listed orphaned DC, then go about manually deleting it from 
the rep lists for each server, then actually delete the server itself 
from the list, which is better than I was able to do.  It is now gone 
and Samba4 is no longer calling for it.

However, I am in a quandry over this mess now:

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - 
NT_STATUS_INVALID_PARAMETER
[Fri Jun 18 06:05:05 2010 PDT, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()]
dreplsrv_notify: Failed to send DsReplicaSync to 
58bfc826-cd9f-445d-b6e5-ab7314ba0671._msdcs.tms3.com for 
CN=Schema,CN=Configuration,DC=tms3,DC=com - 
NT_STATUS_INVALID_PARAMETER : WERR_INVALID_PARAM
[Fri Jun 18 06:05:05 2010 PDT, 0 
../librpc/rpc/dcerpc_util.c:657:dcerpc_pipe_auth_recv()]
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - 
NT_STATUS_INVALID_PARAMETER
[Fri Jun 18 06:05:05 2010 PDT, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()]
dreplsrv_notify: Failed to send DsReplicaSync to 
af29c79c-57dc-40f3-bed1-95c3adda4cc8._msdcs.tms3.com for 
CN=Schema,CN=Configuration,DC=tms3,DC=com - 
NT_STATUS_INVALID_PARAMETER : WERR_INVALID_PARAM
[Fri Jun 18 06:05:05 2010 PDT, 0 
../librpc/rpc/dcerpc_util.c:657:dcerpc_pipe_auth_recv()]
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - 
NT_STATUS_INVALID_PARAMETER
[Fri Jun 18 06:05:05 2010 PDT, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()]
dreplsrv_notify: Failed to send DsReplicaSync to 
58bfc826-cd9f-445d-b6e5-ab7314ba0671._msdcs.tms3.com for 
CN=Configuration,DC=tms3,DC=com - NT_STATUS_INVALID_PARAMETER : 
WERR_INVALID_PARAM
[Fri Jun 18 06:05:05 2010 PDT, 0 
../librpc/rpc/dcerpc_util.c:657:dcerpc_pipe_auth_recv()]
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - 
NT_STATUS_INVALID_PARAMETER
[Fri Jun 18 06:05:05 2010 PDT, 0 
../dsdb/repl/drepl_notify.c:207:dreplsrv_notify_op_callback()]
dreplsrv_notify: Failed to send DsReplicaSync to 
af29c79c-57dc-40f3-bed1-95c3adda4cc8._msdcs.tms3.com for 
CN=Configuration,DC=tms3,DC=com - NT_STATUS_INVALID_PARAMETER : 
WERR_INVALID_PARAM

It has been suggested that it is a kerberos problem, but I'm stymied 
as to WHAT the problem is:

root at T3:/usr/local/samba/var# kinit administrator at TMS3.COM
administrator at TMS3.COM's Password:
root at T3:/usr/local/samba/var# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator at TMS3.COM

  Issued           Expires          Principal
Jun 18 06:05:36  Jun 18 16:05:36  krbtgt/TMS3.COM at TMS3.COM
root at T3:/usr/local/samba/var#

Anywho, enough poking around for now.

Cheers,

TMS III

>
>
> I haven't had a chance to try the above yet, though.
>
> P.S.  I know the upgradeprovision script is being worked on at the
> moment, so this might all be fixed soon, but maybe you should mention
> it on the samba-technical list.
>
> --
> Michael Wood <esiotrot at gmail.com>