thr3ads.net - samba - [Samba] [samba] 4.4.0rc2 demote and --remove-other-dead-server [Feb 2016]

If this information is useful, please help other people find it:
Share via:
mathias dufresne
2016-Feb-10 16:35 UTC
[Samba] [samba] 4.4.0rc2 demote and --remove-other-dead-server

Hi all,

We were trying the new --remove-other-dead-server coming with the 4.4.0rc.
The domain is a brand new one with several DC added and two Windows
clients, no user yet.

Here is the smb.conf:
[global]
        workgroup = SAMBA
        realm = SAMBADOMAIN.TLD
        netbios name = DC200
        server role = active directory domain controller

        server services = -dns
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/samba.domain.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

This smb.conf is the same on al DC, modulo "netbios name" of course.

When trying to demote some dead DC, it always ends like that one:

dc200:~# samba-tool domain demote --verbose --remove-other-dead-server=dc201

Removing nTDSConnection: CN=54e7a869-12c4-45e2-91e5-8ef015a3dec2,CN=NTDS
Settings,CN=DC200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Removing nTDSConnection: CN=26405655-8fcb-4156-ba5a-8e0b7a60e8ab,CN=NTDS
Settings,CN=DC202,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Removing nTDSConnection: CN=39270189-99f8-4640-b209-f1d421fb6661,CN=NTDS
Settings,CN=DC203,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
Removing nTDSDSA: CN=NTDS
Settings,CN=DC201,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
(and any children)
Removing RID Set: CN=RID Set,CN=DC201,OU=Domain
Controllers,DC=samba,DC=domain,DC=tld
Removing computer account: CN=DC201,OU=Domain
Controllers,DC=samba,DC=domain,DC=tld (and any child objects)
Removing Samba-specific DNS service account:
CN=dns-DC201,CN=Users,DC=samba,DC=domain,DC=tld
checking for DNS records to remove on samba.domain.tld
updating samba.domain.tld keeping 5 values, removing 1 values
checking for DNS records to remove on DomainDnsZones.samba.domain.tld
updating DomainDnsZones.samba.domain.tld keeping 3 values, removing 1 values
checking for DNS records to remove on ForestDnsZones.samba.domain.tld
updating ForestDnsZones.samba.domain.tld keeping 3 values, removing 1 values
checking
DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
updating
DC=_ldap._tcp.Authentification._sites.DomainDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 2 values, removing 1 values
updating
DC=_ldap._tcp.Authentification._sites.ForestDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 2 values, removing 1 values
updating
DC=_kerberos._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 2 values, removing 1 values
updating
DC=_ldap._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 2 values, removing 1 values
updating
DC=_gc._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 2 values, removing 1 values
updating
DC=_ldap._tcp.DomainDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 3 values, removing 1 values
updating
DC=_ldap._tcp.ForestDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
keeping 3 values, removing 1 values
ERROR(<type 'exceptions.TypeError'>): uncaught exception -
__ndr_unpack__()
argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py",
line
720, in run
    remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line
423,
in remove_dc
    remove_dns_account=True)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line
351,
in offline_remove_ntds_dc
    remove_dns_account=remove_dns_account)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line
266,
in offline_remove_server
    remove_dns_references(samdb, logger, dnsHostName)
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line
186,
in remove_dns_references
    for v in values if not to_remove(v) ]
  File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line
160,
in to_remove
    dnsRecord = ndr_unpack(dnsp.DnssrvRpcRecord, value)
  File "/usr/lib64/python2.7/site-packages/samba/ndr.py", line 45, in
ndr_unpack
    object.__ndr_unpack__(data, allow_remaining=allow_remaining)
A transaction is still active in ldb context [0x17a4800] on
tdb:///var/lib/samba/private/sam.ldb

It seems a function is missing to extract encoded value of DNS record
before to use ndr_unpack() or __ndr_unpack()

Anyway, it smells good. I'm eager to be able to use that as when we tried
to restore Samba AD database all went well... but almost all went wrong
when we had to re-join all others DC. I would be able to re-test
restoration of Samba AD database after we used "samba-tool domain demote
--verbose --remove-other-dead-server=" to clean up database from old
references to DC.

Best regards,

mathias
Seemingly Similar Threads

Search for more possibly parallel threads
samba - Feb 2016 - 4.4.0rc2 demote and --remove-other-dead-server

[Samba] [samba] 4.4.0rc2 demote and --remove-other-dead-server

Seemingly Similar Threads

Wisdom of the Ancients
