Hello,
I transfered all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC
(4.6.6-SerNet, SLES 12 SP2).
I had to try a couple of times because of an error "Failed FSMO transfer:
NT_STATUS_IO_TIMEOUT"
But then following error happened:
samba-tool fsmo transfer --role=all
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
FSMO transfer of 'schema' role successful
ERROR: Failed to delete role 'domaindns': LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write
property access
OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials:
samba-tool fsmo transfer --role=all -Uadministrator
ERROR(<type 'exceptions.AttributeError'>): uncaught exception -
'module' object has no attribute 'drs_utils'
File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py",
line 515, in run
"domaindns", samdb)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py",
line 129, in transfer_dns_role
except samba.drs_utils.drsException, e
Same error occurred with the role "forestdns".
In spite of the errors the roles were transfered.
Can I ignore this error or went something wrong ?
"samba-tool fsmo show" says, the owner of all roles is the new DC.
Also with the following check for all roles everything is ok.
ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b
"CN=Infrastructure,DC=domain,DC=university,DC=de" -s base
fsmoroleowner
The only thing I saw - there is an DNS-entry
"Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp".
Sounds like an entry for the PDC, and there is still the DC which owned the
roles.
Do I have to change this manually ?
In a next step I will demote (and reinstall) the DC which owned the roles, maybe
this solves any inconsistencies, in case there are some.
Regards
Hi, I faced the same problem, solved it by adding the line import samba.drs_utils to the file fsmo.py. When building samba yourself, from withtin the base directory you can apply this patch file to do it for you: --- python/samba/netcmd/fsmo.py.old 2016-12-05 08:18:44.000000000 +0000 +++ python/samba/netcmd/fsmo.py 2017-03-11 10:27:31.453884091 +0000 @@ -20,6 +20,7 @@ import samba import samba.getopt as options import ldb +import samba.drs_utils from ldb import LdbError from samba.dcerpc import drsuapi, misc from samba.auth import system_session regards, Norbert On 04.08.2017 21:20, gizmo via samba wrote:> Hello, > I transfered all fsmo-roles from a DC (4.3.11-SerNet, SLES 11 SP3) to another DC (4.6.6-SerNet, SLES 12 SP2). > I had to try a couple of times because of an error "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT" > But then following error happened: > > samba-tool fsmo transfer --role=all > > This DC already has the 'rid' FSMO role > This DC already has the 'pdc' FSMO role > This DC already has the 'naming' FSMO role > This DC already has the 'infrastructure' FSMO role > FSMO transfer of 'schema' role successful > ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object > CN=Infrastructure,DC=DomainDnsZones,DC=domain,DC=university,DC=de has no write property access > > > OK, "LDAP_INSUFFICIENT_ACCESS_RIGHTS", another try with credentials: > > > samba-tool fsmo transfer --role=all -Uadministrator > > ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils' > File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run > return self.run(*args, **kwargs) > File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 515, in run > "domaindns", samdb) > File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role > except samba.drs_utils.drsException, e > > > Same error occurred with the role "forestdns". > In spite of the errors the roles were transfered. > > Can I ignore this error or went something wrong ? > "samba-tool fsmo show" says, the owner of all roles is the new DC. > > Also with the following check for all roles everything is ok. > ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -b "CN=Infrastructure,DC=domain,DC=university,DC=de" -s base fsmoroleowner > > The only thing I saw - there is an DNS-entry "Forward-Lookupzones->domain->_msdcs.domain->pdc->_tcp". > Sounds like an entry for the PDC, and there is still the DC which owned the roles. > Do I have to change this manually ? > > In a next step I will demote (and reinstall) the DC which owned the roles, maybe this solves any inconsistencies, in case there are some. > > Regards >
> I faced the same problem, solved it by adding the line > import samba.drs_utils > to the file fsmo.py. > > When building samba yourself, from withtin the base directory you can > apply this patch file to do it for you:Thank you Nobert. Indeed the line "import samba.drs_utils" is missing, although I'm using the repositories from Sernet. According to "samba-tool fsmo show", the roles were in spite of the error successfully transfered. Was the transfer completed or can it be there is something missing ? What about the DNS-entry "_msdcs->pdc->_tcp" ? Isn't it an entry for the PDC ? Because after I transfered the roles, this DNS-entry didnt change, I changed manually. Regards