Taylor Hammerling
2017-Dec-12 17:56 UTC
[Samba] Errors transferring forestdns and domaindns FSMO roles
I am attempting to transfer all the FSMO roles from an old DC to our new DC. Both DCs are running Samba 4.7.3. I have transferred the Schema, Infrastructure, RID, PDC and Naming roles without issue.

Unfortunately, the forestdns and domaindns roles are giving me grief.

Here is the output of the commands:

root@dc1:~# samba-tool fsmo transfer --role=forestdns
ldb_wrap open of secrets.ldb
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
resolve_lmhosts: Attempting lmhosts lookup for name 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=tcsbasys,DC=com has no write property access> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 111, in transfer_dns_role
    samdb.modify(m)
root@dc1:~#

root@dc1:~# samba-tool fsmo transfer --role=domaindns
ldb_wrap open of secrets.ldb
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
resolve_lmhosts: Attempting lmhosts lookup for name 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=tcsbasys,DC=com has no write property access> <>
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 111, in transfer_dns_role
    samdb.modify(m)
root@dc1:~#

As always, any help you can provide would be immensely appreciated!

--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
Rowland Penny
2017-Dec-12 18:08 UTC
[Samba] Errors transferring forestdns and domaindns FSMO roles
On Tue, 12 Dec 2017 11:56:08 -0600 Taylor Hammerling via samba <samba at lists.samba.org> wrote:

> I am attempting to transfer all the FSMO roles from an old DC to our
> new DC. Both DCs are running Samba 4.7.3. I have transferred the
> Schema, Infrastructure, RID, PDC and Naming roles without issue.
>
> Unfortunately, the forestdns and domaindns roles are giving me grief.
>
> Here is the output of the commands:
>
> root@dc1:~# samba-tool fsmo transfer --role=forestdns
> ldb_wrap open of secrets.ldb
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> resolve_lmhosts: Attempting lmhosts lookup for name 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> ERROR: Failed to delete role 'forestdns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=ForestDnsZones,DC=tcsbasys,DC=com has no write property access> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 111, in transfer_dns_role
>     samdb.modify(m)
> root@dc1:~#
>
> root@dc1:~# samba-tool fsmo transfer --role=domaindns
> ldb_wrap open of secrets.ldb
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> resolve_lmhosts: Attempting lmhosts lookup for name 7da1efbb-3b68-4249-ab03-e09c3ffc0d1a._msdcs.tcsbasys.com<0x20>
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> ERROR: Failed to delete role 'domaindns': LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object CN=Infrastructure,DC=DomainDnsZones,DC=tcsbasys,DC=com has no write property access> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 111, in transfer_dns_role
>     samdb.modify(m)
> root@dc1:~#
>
> As always, any help you can provide would be immensely appreciated!

If you run 'samba-tool fsmo transfer --help', you will find this amongst the output:

  --role=ROLE   The FSMO role to seize or transfer.
                rid=RidAllocationMasterRole
                schema=SchemaMasterRole
                pdc=PdcEmulationMasterRole
                naming=DomainNamingMasterRole
                infrastructure=InfrastructureMasterRole
                domaindns=DomainDnsZonesMasterRole
                forestdns=ForestDnsZonesMasterRole
                all=all of the above
                You must provide an Admin user and password.

Does the last line give you a hint ;-)

Rowland
Taylor Hammerling
2017-Dec-12 18:19 UTC
[Samba] Errors transferring forestdns and domaindns FSMO roles
Thanks Rowland, I figured it out just before you sent this email, thanks to this old mailing list entry:

https://lists.samba.org/archive/samba/2017-January/206177.html

The role transfer still throws an error (just as the person in the January entry saw), but the role got transferred.
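Since the message above reports that the transfer printed an error although the role did move, the useful follow-up is to check where each role actually ended up. The script below is an added example, not part of the original posts and not Samba's own code; it assumes `samba-tool fsmo show` prints one `<RoleName> owner: CN=NTDS Settings,CN=<DC>,...` line per role, and the DC names and DNs in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list FSMO roles not held by the expected DC.
# Assumption: `samba-tool fsmo show` prints one line per role in the form
#   <RoleName> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...
# The role names are the seven listed in the --role help text quoted in the thread.
FSMO_ROLES="SchemaMasterRole InfrastructureMasterRole RidAllocationMasterRole \
PdcEmulationMasterRole DomainNamingMasterRole DomainDnsZonesMasterRole \
ForestDnsZonesMasterRole"

# Constructed sample: hypothetical DC2 owns every role except
# ForestDnsZonesMasterRole, which is still on hypothetical DC1.
sample_fsmo_show() {
    tail='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'
    for role in $FSMO_ROLES; do
        dc=DC2
        [ "$role" = ForestDnsZonesMasterRole ] && dc=DC1
        echo "$role owner: CN=NTDS Settings,CN=$dc,$tail"
    done
}

# Reads `fsmo show` output on stdin and prints "<role> <owner>" for each of the
# seven roles that is missing from the output or not owned by the DC named in $1
# (compared case-insensitively). Exit status 0 means every role is on that DC.
fsmo_roles_not_on() {
    awk -v want="$1" -v list="$FSMO_ROLES" '
        BEGIN { n = split(list, roles, " ") }
        / owner: / {
            dn = $0
            sub(/^[^:]*: */, "", dn)        # keep only the owner DN
            split(dn, rdn, ",")             # rdn[2] is the server object, CN=<DC>
            owner = rdn[2]
            sub(/^CN=/, "", owner)
            seen[$1] = owner
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                r = roles[i]
                if (!(r in seen)) { print r, "MISSING"; bad = 1 }
                else if (toupper(seen[r]) != toupper(want)) { print r, seen[r]; bad = 1 }
            }
            exit bad
        }'
}

# Real use on a DC:  samba-tool fsmo show | fsmo_roles_not_on DC2
```

Any role the function lists is the one to transfer again, supplying an admin user and password as the help text quoted earlier in the thread requires.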
L.P.H. van Belle
2017-Dec-13 07:45 UTC
[Samba] Errors transferring forestdns and domaindns FSMO roles
Hai,

Can you post the exact error again, or is it really exactly like the January link?

drs_utils.py on Debian should be these:
/usr/lib/python2.7/dist-packages/samba/drs_utils.py
/usr/lib/python2.7/dist-packages/samba/drs_utils.pyc

And now I see what's the difference here. Rowland showed in January:
/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py
/usr/lib/python2.7/dist-packages/samba/drs_utils.py

I see ... dist-packages and site-packages.

Rowland, can you verify this again, so we can find where in this command:
samba-tool fsmo transfer --role=domaindns
the wrong path is used.

Greetz,

Louis

Ps. @Taylor, and thanks for the nice comments.. ;-)