mathias dufresne
2016-Feb-10 16:35 UTC
[Samba] [samba] 4.4.0rc2 demote and --remove-other-dead-server
Hi all,

We were trying the new --remove-other-dead-server coming with the 4.4.0rc. The domain is a brand new one with several DCs added and two Windows clients, no user yet.

Here is the smb.conf:

    [global]
    workgroup = SAMBA
    realm = SAMBADOMAIN.TLD
    netbios name = DC200
    server role = active directory domain controller
    server services = -dns
    idmap_ldb:use rfc2307 = yes

    [netlogon]
    path = /var/lib/samba/sysvol/samba.domain.tld/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

This smb.conf is the same on all DCs, modulo "netbios name" of course.

When trying to demote some dead DC, it always ends like this one:

    dc200:~# samba-tool domain demote --verbose --remove-other-dead-server=dc201
    Removing nTDSConnection: CN=54e7a869-12c4-45e2-91e5-8ef015a3dec2,CN=NTDS Settings,CN=DC200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
    Removing nTDSConnection: CN=26405655-8fcb-4156-ba5a-8e0b7a60e8ab,CN=NTDS Settings,CN=DC202,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
    Removing nTDSConnection: CN=39270189-99f8-4640-b209-f1d421fb6661,CN=NTDS Settings,CN=DC203,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld
    Removing nTDSDSA: CN=NTDS Settings,CN=DC201,CN=Servers,CN=Authentification,CN=Sites,CN=Configuration,DC=samba,DC=domain,DC=tld (and any children)
    Removing RID Set: CN=RID Set,CN=DC201,OU=Domain Controllers,DC=samba,DC=domain,DC=tld
    Removing computer account: CN=DC201,OU=Domain Controllers,DC=samba,DC=domain,DC=tld (and any child objects)
    Removing Samba-specific DNS service account: CN=dns-DC201,CN=Users,DC=samba,DC=domain,DC=tld
    checking for DNS records to remove on samba.domain.tld
    updating samba.domain.tld keeping 5 values, removing 1 values
    checking for DNS records to remove on DomainDnsZones.samba.domain.tld
    updating DomainDnsZones.samba.domain.tld keeping 3 values, removing 1 values
    checking for DNS records to remove on ForestDnsZones.samba.domain.tld
    updating ForestDnsZones.samba.domain.tld keeping 3 values, removing 1 values
    checking DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld
    updating DC=_ldap._tcp.Authentification._sites.DomainDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
    updating DC=_ldap._tcp.Authentification._sites.ForestDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
    updating DC=_kerberos._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
    updating DC=_ldap._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
    updating DC=_gc._tcp.Authentification._sites,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 2 values, removing 1 values
    updating DC=_ldap._tcp.DomainDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 3 values, removing 1 values
    updating DC=_ldap._tcp.ForestDnsZones,DC=samba.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samba,DC=domain,DC=tld keeping 3 values, removing 1 values
    ERROR(<type 'exceptions.TypeError'>): uncaught exception - __ndr_unpack__() argument 1 must be string or read-only buffer, not dnsp.DnssrvRpcRecord
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 720, in run
        remove_dc.remove_dc(samdb, logger, remove_other_dead_server)
      File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 423, in remove_dc
        remove_dns_account=True)
      File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 351, in offline_remove_ntds_dc
        remove_dns_account=remove_dns_account)
      File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 266, in offline_remove_server
        remove_dns_references(samdb, logger, dnsHostName)
      File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 186, in remove_dns_references
        for v in values if not to_remove(v) ]
      File "/usr/lib64/python2.7/site-packages/samba/remove_dc.py", line 160, in to_remove
        dnsRecord = ndr_unpack(dnsp.DnssrvRpcRecord, value)
      File "/usr/lib64/python2.7/site-packages/samba/ndr.py", line 45, in ndr_unpack
        object.__ndr_unpack__(data, allow_remaining=allow_remaining)
    A transaction is still active in ldb context [0x17a4800] on tdb:///var/lib/samba/private/sam.ldb

It seems a function is missing to extract the encoded value of the DNS record before using ndr_unpack() or __ndr_unpack()

Anyway, it smells good. I'm eager to be able to use that, as when we tried to restore the Samba AD database all went well... but almost all went wrong when we had to re-join all the other DCs.

I would be able to re-test restoration of the Samba AD database after we used "samba-tool domain demote --verbose --remove-other-dead-server=" to clean up the database from old references to DCs.

Best regards,

mathias