Recently tried transferring roles from Samba 4.3.11 to Samba 4.7.0. Ultimately, both dcs agreed that the 4.7.0 dc (dc3) had all the roles and replication and the databases were in good shape. However, during the process, I got a lot of errors that seemed to magically disappear.

Should I be worried?

root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo s^C
root@dc3:~# samba-tool fsmo transfer --role all
FSMO transfer of 'rid' role successful
ERROR: Transfer of 'pdc' role failed: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role all
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
FSMO transfer of 'naming' role successful
ERROR: Transfer of 'infrastructure' role failed: Failed FSMO transfer: NT_STATUS_IO_TIMEOUT
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role all
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
FSMO transfer of 'schema' role successful
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access> <>
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role all
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access> <>
root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
Password for [Example\Administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 515, in run
    "domaindns", samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:
root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
Password for [Example\Administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
Password for [Example\Administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo transfer --role all -UAdministrator
This DC already has the 'rid' FSMO role
This DC already has the 'pdc' FSMO role
This DC already has the 'naming' FSMO role
This DC already has the 'infrastructure' FSMO role
This DC already has the 'schema' FSMO role
Password for [Example\Administrator]:
ERROR: Failed to delete role 'domaindns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=DomainDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role domaindns
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=com has no write property access> <>
root@dc3:~# samba-tool fsmo transfer --role domaindns -UAdministrator
This DC already has the 'domaindns' FSMO role
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role forestdns
ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com has no write property access> <>
root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
Password for [Example\Administrator]:
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
Password for [Example\Administrator]:
ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
Password for [Example\Administrator]:
ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
Password for [Example\Administrator]:
ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
Password for [Example\Administrator]:
ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones ,DC=example,DC=com'> <>
root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
This DC already has the 'forestdns' FSMO role
root@dc3:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com

Thanks,

Mike Ray
Rowland Penny
2017-Oct-05 19:55 UTC
[Samba] Magically disappearing errors during FSMO transfer
On Thu, 5 Oct 2017 14:14:56 -0500 (CDT) Mike Ray via samba <samba at lists.samba.org> wrote:

> Recently tried transferring roles from Samba 4.3.11 to Samba 4.7.0.
> Ultimately, both dcs agreed that the 4.7.0 dc (dc3) had all the roles
> and replication and the databases were in good shape. However, during
> the process, I got a lot of errors that seemed to magically
> disappear.
>
> Should I be worried?

The problem is that you need to Authenticate to transfer the domaindns and forestdns FSMO roles, this means you also need to authenticate if you transfer 'all' the FSMO roles.

If 'samba-tool fsmo show' is now displaying the correct owners and everything is working correctly, you are probably going to be okay.

I will look into refusing to do anything if 'all' or 'domaindns' or 'forestdns' roles are selected without using authentication.

Rowland
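The check described in the reply above (confirm that 'samba-tool fsmo show' lists the correct owners), as an added shell example that is not part of the original thread or of Samba: it parses saved 'samba-tool fsmo show' output, lists any role not yet on the expected DC, and compares the views captured on two DCs. The function names and the sample captures, which are constructed from the output format shown in this thread, are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit FSMO role ownership from `samba-tool fsmo show` text.

# role_owners: read `samba-tool fsmo show` output on stdin and print
# "<RoleName> <DC>" per role. The DC name is the CN that directly follows
# "CN=NTDS Settings," in the owner DN.
role_owners() {
    sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1 \2/p'
}

# roles_not_on DC: print every role whose owner is not DC (case-insensitive).
roles_not_on() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    role_owners | while read -r role dc; do
        have=$(printf '%s' "$dc" | tr '[:lower:]' '[:upper:]')
        [ "$have" = "$want" ] || printf '%s\n' "$role"
    done
}

# check_transfer DC: succeed only if all seven roles were parsed and every
# one of them is owned by DC. Returns 2 on short output, 1 on stray roles.
check_transfer() {
    expected=$1
    out=$(cat)
    count=$(printf '%s\n' "$out" | role_owners | wc -l | tr -d ' ')
    stray=$(printf '%s\n' "$out" | roles_not_on "$expected")
    if [ "$count" -ne 7 ]; then
        echo "expected 7 roles, parsed $count"
        return 2
    fi
    if [ -n "$stray" ]; then
        # unquoted on purpose: joins the role names onto one line
        echo "not on $expected:" $stray
        return 1
    fi
    echo "all 7 roles on $expected"
}

# views_agree A B: succeed if two captures (taken on different DCs) name
# the same owner for every role, i.e. the change has replicated.
views_agree() {
    a=$(printf '%s\n' "$1" | role_owners | sort)
    b=$(printf '%s\n' "$2" | role_owners | sort)
    [ "$a" = "$b" ]
}

# --- constructed sample captures (same line format as in the thread) ---
SUFFIX='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'
sample() {  # arguments: seven DC names, in `fsmo show` order
    for role in SchemaMasterRole InfrastructureMasterRole \
                RidAllocationMasterRole PdcEmulationMasterRole \
                DomainNamingMasterRole DomainDnsZonesMasterRole \
                ForestDnsZonesMasterRole; do
        printf '%s owner: CN=NTDS Settings,CN=%s,%s\n' "$role" "$1" "$SUFFIX"
        shift
    done
}
# State after the five non-DNS roles moved but the DNS roles had not.
PARTIAL=$(sample DC3 DC3 DC3 DC3 DC3 DC0 DC0)
# State once every role is on dc3.
FINAL=$(sample DC3 DC3 DC3 DC3 DC3 DC3 DC3)

printf '%s\n' "$PARTIAL" | check_transfer dc3 || true
printf '%s\n' "$FINAL" | check_transfer dc3
```

Against live systems, pipe the output of 'samba-tool fsmo show' from each DC into check_transfer, and pass both captures to views_agree.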
----- On Oct 5, 2017, at 2:55 PM, samba samba at lists.samba.org wrote:

> The problem is that you need to Authenticate to transfer the domaindns
> and forestdns FSMO roles, this means you also need to authenticate if
> you transfer 'all' the FSMO roles.
>
> If 'samba-tool fsmo show' is now displaying the correct owners and
> everything is working correctly, you are probably going to be okay.
>
> I will look into refusing to do anything if 'all' or 'domaindns' or
> 'forestdns' roles are selected without using authentication.
>
> Rowland

Sorry about the message, I did not split it well. I've included some of the last lines below in a more readable format:

> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> Password for [Example\Administrator]:
> ERROR: Failed to delete role 'forestdns': LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <attribute 'fSMORoleOwner': no matching attribute value while deleting attribute on 'CN=Infrastructure,DC=ForestDnsZones,DC=example,DC=com'> <>
> root@dc3:~# samba-tool fsmo transfer --role forestdns -UAdministrator
> This DC already has the 'forestdns' FSMO role

I did do some authenticating, but still saw some errors. Any explanation for this?

Also, do you have any insight into the "Failed FSMO transfer: NT_STATUS_IO_TIMEOUT" errors? These popped up on like the "pdc" role, so authentication shouldn't have been an issue here.