Adam Tauno Williams
2017-Jan-27 19:47 UTC
[Samba] LDAP_INSUFFICIENT_ACCESS_RIGHTS error stops FSMO transfer
Attempting to move FSMO roles from one SerNET Samba 4.5.4 DC to another, all roles transferred except the DNS related ones - those fail with an LDAP_INSUFFICIENT_ACCESS_RIGHTS

[root at larkin28 ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
InfrastructureMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
RidAllocationMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
DomainNamingMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us

[root at larkin28 ~]# samba-tool fsmo transfer --role=domaindns
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=micore,DC=us has no write property access> <>

[root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns
ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=micore,DC=us has no write property access> <>
Carlos A. P. Cunha
2017-Jan-27 19:53 UTC
[Samba] LDAP_INSUFFICIENT_ACCESS_RIGHTS error stops FSMO transfer
Hello

To transfer the files referring to dns use -U <Domain Administrator>

example:

samba-tool fsmo transfer --role=forestdns -U administrator

regards

On 27-01-2017 17:47, Adam Tauno Williams via samba wrote:
> Attempting to move FSMO roles from one SerNET Samba 4.5.4 DC to another, all roles transferred except the DNS related ones - those fail with an LDAP_INSUFFICIENT_ACCESS_RIGHTS
>
> [root at larkin28 ~]# samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
>
> [root at larkin28 ~]# samba-tool fsmo transfer --role=domaindns
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=micore,DC=us has no write property access> <>
>
> [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns
> ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=micore,DC=us has no write property access> <>
Adam Tauno Williams
2017-Jan-27 19:58 UTC
[Samba] LDAP_INSUFFICIENT_ACCESS_RIGHTS error stops FSMO transfer
Quoting Adam Tauno Williams via samba <samba at lists.samba.org>:
> Attempting to move FSMO roles from one SerNET Samba 4.5.4 DC to another, all roles transferred except the DNS related ones - those fail with an LDAP_INSUFFICIENT_ACCESS_RIGHTS
> [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns
> ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=micore,DC=us has no write property access> <>

Providing credentials appears to have worked... although it still ends in an error.

[root at larkin28 ~]# samba-tool fsmo transfer --role=domaindns --username=Administrator --password=************
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:

[root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns --username=Administrator --password=***********
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:

[root at larkin28 ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
InfrastructureMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
RidAllocationMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
DomainNamingMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=LARKIN28,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us

Doing the show on other DCs it does appear that they all agree the role transfer occurred.
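
A check for the "all DCs agree" step in the post above, as an added example that is not part of the original thread or of Samba: it parses `samba-tool fsmo show` output collected from each DC and lists the roles whose owner differs between them. The function names and the stale larkin27 view are constructed for illustration.

```python
import re

ROLE_LINE = re.compile(r"^(\w+Role) owner:\s*(.+)$")
OWNER_CN = re.compile(r"CN=NTDS Settings,CN=([^,]+),", re.IGNORECASE)

def parse_fsmo_show(text):
    """Map role name -> owning server from `samba-tool fsmo show` output."""
    owners = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if not m:
            continue  # prompts, blank lines, error text
        cn = OWNER_CN.search(m.group(2))
        # Fall back to the raw DN if the owner is not an NTDS Settings object.
        owners[m.group(1)] = cn.group(1).upper() if cn else m.group(2).strip()
    return owners

def disagreements(views):
    """views: {dc: show output}. Return {role: {dc: owner}} where DCs differ."""
    parsed = {dc: parse_fsmo_show(text) for dc, text in views.items()}
    roles = set().union(*parsed.values())
    result = {}
    for role in sorted(roles):
        seen = {dc: owners.get(role) for dc, owners in parsed.items()}
        if len(set(seen.values())) > 1:  # a role missing on one DC also counts
            result[role] = seen
    return result

# Constructed sample data in the output format shown in this thread.
NTDS = ("CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name,"
        "CN=Sites,CN=Configuration,DC=micore,DC=us")
CORE = ["SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
        "PdcEmulationMasterRole", "DomainNamingMasterRole"]
DNS = ["DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole"]

def sample_show(dns_owner):
    """Build show output with the five core roles on LARKIN28 (constructed)."""
    rows = [(r, "LARKIN28") for r in CORE] + [(r, dns_owner) for r in DNS]
    return "\n".join("%s owner: %s" % (r, NTDS.format(dc=dc)) for r, dc in rows)

if __name__ == "__main__":
    views = {"larkin28": sample_show("LARKIN28"),
             "larkin27": sample_show("LARKIN27")}  # constructed stale view
    for role, seen in disagreements(views).items():
        print(role, seen)
```
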
Rowland Penny
2017-Jan-27 20:44 UTC
[Samba] LDAP_INSUFFICIENT_ACCESS_RIGHTS error stops FSMO transfer
On Fri, 27 Jan 2017 14:58:46 -0500 Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
> Quoting Adam Tauno Williams via samba <samba at lists.samba.org>:
> > Attempting to move FSMO roles from one SerNET Samba 4.5.4 DC to another, all roles transferred except the DNS related ones - those fail with an LDAP_INSUFFICIENT_ACCESS_RIGHTS
> > [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns
> > ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=micore,DC=us has no write property access> <>
>
> Providing credentials appears to have worked... although it still ends in an error.
>
> [root at larkin28 ~]# samba-tool fsmo transfer --role=domaindns --username=Administrator --password=************
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 520, in run
>     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:
>
> [root at larkin28 ~]# samba-tool fsmo transfer --role=forestdns --username=Administrator --password=***********
> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 520, in run
>     transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
>     except samba.drs_utils.drsException, e:

Transferring the FSMO roles is done very similarly to the way Windows does it, except for the DNS roles, which are done by deleting the role from the old owner, adding it to the new owner and then forcing replication. It seems it is the last part of this that is failing; this is because it claims it cannot find 'drs_utils.py'. This should be in python{VERSION}/site-packages/samba/, i.e. on my self-compiled Samba:

/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py

Rowland
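
The traceback in this thread ends on the `except samba.drs_utils.drsException` line. As an added example (not Samba's code, and not a statement about what is installed on the poster's system), the following shows one way Python raises that AttributeError: a submodule is not an attribute of its package until something imports it, and the `except` expression is only evaluated after the `try` body has already failed, so the original error is hidden. `demo_pkg` and the `RuntimeError` are constructed stand-ins.

```python
import importlib
import os
import shutil
import sys
import tempfile

def build_demo_package(root):
    """Create demo_pkg/ with an empty __init__.py and a drs_utils.py submodule."""
    pkg_dir = os.path.join(root, "demo_pkg")
    os.makedirs(pkg_dir)
    open(os.path.join(pkg_dir, "__init__.py"), "w").close()
    path = os.path.join(pkg_dir, "drs_utils.py")
    with open(path, "w") as fh:
        fh.write("class drsException(Exception):\n    pass\n")
    return path

def transfer(pkg):
    """Same shape as the failing line: the except expression is looked up lazily."""
    try:
        raise RuntimeError("replication step failed")  # stand-in for the real failure
    except pkg.drs_utils.drsException as exc:
        return "handled: %s" % exc

def outcome(pkg):
    """Return (exception type that surfaces, exception type it hides or None)."""
    try:
        transfer(pkg)
    except Exception as exc:
        ctx = exc.__context__
        return type(exc).__name__, type(ctx).__name__ if ctx else None
    return None, None

def run_demo():
    root = tempfile.mkdtemp()
    try:
        path = build_demo_package(root)
        sys.path.insert(0, root)
        import demo_pkg  # imports the package only, not its submodules
        before = (os.path.exists(path), hasattr(demo_pkg, "drs_utils"), outcome(demo_pkg))
        importlib.import_module("demo_pkg.drs_utils")  # explicit submodule import
        after = (hasattr(demo_pkg, "drs_utils"), outcome(demo_pkg))
        return before, after
    finally:
        if root in sys.path:
            sys.path.remove(root)
        for name in ("demo_pkg.drs_utils", "demo_pkg"):
            sys.modules.pop(name, None)
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(run_demo())
```

Before the explicit import the file exists on disk yet the attribute lookup fails and masks the underlying error; after it, the underlying error is the one that surfaces.
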