Hi,

I'm trying to demote my old DC, but the following message appears:

root@dc-old:~# samba-tool domain demote -Uadministrator
Using dc1.empresa.com.br as partner server for the demotion
Password for [EMPRESA\administrator]:
Deactivating inbound replication
Asking partner server dc1.empresa.com.br to synchronize from us
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
Failed to connect to 'ldap://dc1.empresa.com.br' with backend 'ldap': (null)
Error while demoting, re-enabling inbound replication
ERROR(ldb): Error while changing account control - None

I have already transferred all the roles to the new DC:

samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=empresa,DC=com,DC=br

DC1 is my new DC.

Can anybody help me?

Regards,
Márcio Bacci

On Mon, 22 May 2017 19:37:58 -0300
Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm trying to demote my old DC, but the following message appears:
>
> root@dc-old:~# samba-tool domain demote -Uadministrator
> Using dc1.empresa.com.br as partner server for the demotion
> Password for [EMPRESA\administrator]:
> Deactivating inbound replication
> Asking partner server dc1.empresa.com.br to synchronize from us
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://dc1.empresa.com.br' with backend 'ldap': (null)
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while changing account control - None
>

Try adding 'ldap server require strong auth = no' to the smb.conf on the DC you are trying to demote.

Rowland

Hi,
The DC that I want to demote is Samba 4.2.1 and it doesn't know the parameter
"ldap server require strong auth".
Following is my smb.conf:
# Global parameters
[global]
        workgroup = EMPRESA
        realm = EMPRESA.COM.BR
        netbios name = DC3
        server role = active directory domain controller
        dns forwarder = 192.168.0.36
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = no
[netlogon]
        path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
        read only = No
[sysvol]
        path = /opt/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes
When I reboot Samba4, the message below appears:
[ ok ] Stopping Samba 4 daemon: samba.
[....] Starting Samba 4 daemon: sambaUnknown parameter encountered: "ldap server require strong auth"
Ignoring unknown parameter "ldap server require strong auth"
My new DC is Samba 4.6.3
My old DC is Samba 4.2.1
Regards,
Márcio Bacci
2017-05-23 3:00 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 22 May 2017 19:37:58 -0300
> Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > I'm trying to demote my old DC, but the following message appears:
> >
> > root@dc-old:~# samba-tool domain demote -Uadministrator
> > Using dc1.empresa.com.br as partner server for the demotion
> > Password for [EMPRESA\administrator]:
> > Deactivating inbound replication
> > Asking partner server dc1.empresa.com.br to synchronize from us
> > Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> > Failed to connect to 'ldap://dc1.empresa.com.br' with backend 'ldap': (null)
> > Error while demoting, re-enabling inbound replication
> > ERROR(ldb): Error while changing account control - None
> >
>
> Try adding 'ldap server require strong auth = no' to the smb.conf on
> the DC you are trying to demote.
>
> Rowland
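
The 'ldap server require strong auth = no' line discussed in this thread relaxes the sign/seal requirement on a DC's LDAP server, so it is worth finding again once a migration is finished. The following is an added example, not part of the original messages or of Samba's own code: a small auditor that reports the effective [global] value in an smb.conf. It assumes Samba matches parameter names ignoring case and spaces, that an absent line means 'yes', and it treats any value other than yes/true/1 as weakened; the sample file is constructed from the smb.conf posted above.

```python
import re

PARAM = "ldapserverrequirestrongauth"  # name with case and spaces removed
DEFAULT = "yes"                        # assumed value when the line is absent
STRONG = {"yes", "true", "1"}          # anything else is reported as weakened

def norm(name):
    """Normalize a parameter or section name the way the audit compares them."""
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: (value, line number)} for the [global] section."""
    params, section, pending, start = {}, None, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if pending:
            line = pending + line          # finish a continued line
        else:
            start = lineno
        if line.endswith("\\"):            # trailing backslash: continues below
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = norm(header.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = (value.strip(), start)
    return params

def audit(text):
    """Return (status, effective value, line number or None if defaulted)."""
    value, lineno = global_params(text).get(PARAM, (DEFAULT, None))
    value = value.lower()
    return ("strong" if value in STRONG else "weakened", value, lineno)

# Constructed sample, based on the smb.conf in the message above.
SAMPLE = """\
# Global parameters
[global]
        workgroup = EMPRESA
        server role = active directory domain controller
        LDAP Server Require  Strong Auth = no
[sysvol]
        path = /opt/samba/var/locks/sysvol
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
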