Set "ldap server require strong auth = no" on your NEW DC.
Remove the line from the old DC; that one does not know about it.
Restart samba on the new DC.
And try again: samba-tool domain demote -Uadministrator
When done, remove the line you added on the new DC.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcio Demetrio Bacci via samba
> Sent: Wednesday 24 May 2017 16:41
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 LDAP Error
>
> Hi,
>
> I want to demote my DC (old) with Samba 4.2.1, but the following message
> appears:
>
> root@dc-old:~# samba-tool domain demote -Uadministrator
> Using dc1.empresa.com.br as partner server for the demotion
> Password for [EMPRESA\administrator]:
> Deactivating inbound replication
> Asking partner server dc1.empresa.com.br to synchronize from us
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldap://dc1.empresa.com.br' with backend 'ldap': (null)
> Error while demoting, re-enabling inbound replication
> ERROR(ldb): Error while changing account control - None
>
> Then I tried to use the parameter "ldap server require
> strong auth" in my smb.conf as follows:
>
> # Global parameters
> [global]
> workgroup = EMPRESA
> realm = EMPRESA.COM.BR
> netbios name = DC3
> server role = active directory domain controller
> dns forwarder = 192.168.0.36
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
> acl_xattr:ignore system acls = yes
>
>
>
> When I reboot Samba4, the message below appears:
>
> [ ok ] Stopping Samba 4 daemon: samba.
> [....] Starting Samba 4 daemon: sambaUnknown parameter encountered: "ldap server require strong auth"
> Ignoring unknown parameter "ldap server require strong auth"
>
>
> My new DC is Samba 4.6.3
> My Old DC is Samba 4.2.1
>
>
> Can anybody help me?
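
The last step of the reply above (removing the temporary override) is the one that tends to get forgotten, and while the line stays in place the new DC keeps accepting LDAP binds without sign or seal. The following is an added example, not part of the thread or of Samba: a shell check that reads the `[global]` section of an smb.conf and reports whether `ldap server require strong auth` is still weakened. The function names and sample files are hypothetical, and treating an unset parameter as the default `yes` is an assumption that holds only on releases that know the parameter.

```shell
#!/bin/sh
# Added example (not from the thread): audit smb.conf once the demotion is done.

# strong_auth_value FILE: print the last value set in [global], or "unset".
# Samba ignores case and spaces in parameter names, so normalise before comparing.
strong_auth_value() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s ~ /^\[global\]/); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            if (name == "ldapserverrequirestrongauth") {
                val = tolower(substr($0, eq + 1))
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)  # trim the value
                found = val
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# check_strong_auth FILE: return 0 if sign/seal is still required, 1 if weakened.
# Assumption: "unset" means the default "yes" (releases that know the parameter).
check_strong_auth() {
    v=$(strong_auth_value "$1")
    case "$v" in
        unset|yes|true|1) echo "OK: strong auth enforced ($v)"; return 0 ;;
        *) echo "WEAKENED: ldap server require strong auth = $v"; return 1 ;;
    esac
}

# Constructed samples: the new DC's config during and after the demotion.
write_samples() {
    printf '%s\n' '[global]' ' workgroup = EMPRESA' \
        ' LDAP Server Require Strong Auth = No' '[netlogon]' ' read only = No' \
        > "$1/during.conf"
    printf '%s\n' '[global]' ' workgroup = EMPRESA' \
        '# ldap server require strong auth = no' '[sysvol]' ' read only = No' \
        > "$1/after.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
check_strong_auth "$dir/during.conf" || true   # WEAKENED
check_strong_auth "$dir/after.conf"            # OK
rm -rf "$dir"
```

Run against the real smb.conf of the new DC, the non-zero exit status of `check_strong_auth` can gate a configuration-management or monitoring job.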