thr3ads.net - samba - [Samba] messy replication [Jul 2019]

If this information is useful, please help other people find it:
Share via:

Adam Weremczuk

2019-Jul-17 15:05 UTC

[Samba] messy replication

On 16/07/19 15:38, Rowland penny via samba wrote:
>
> You (because of your Samba version) can only demote the DC on the DC 
> itself, so just follow the info at the top of the page. 
Hello again,

I'm trying to follow instructions for demoting: 
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC

I don't think I need to transfer FSMO roles since both controllers own them:

dc1:/# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
SchemaMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk

dc2:/# samba-tool fsmo show
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
ldb_wrap open of secrets.ldb
SchemaMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
InfrastructureMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
RidAllocationMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
PdcEmulationMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainNamingMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
DomainDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk
ForestDnsZonesMasterRole owner: CN=NTDS 
Settings,CN=dc1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=co,DC=uk

Demoting attempt fails as below:

root at dc2 /# samba-tool domain demote -UAdministrator
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 
netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 
netmask=255.255.252.0
Using dc1.example.co.uk as partner server for the demotion
Using binding ncacn_ip_tcp:dc1.example.co.uk[,seal]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 
netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 
netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name
dc1.example.co.uk<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No 
such file or directory
Mapped to DCERPC endpoint 1024
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 
netmask=255.255.252.0
added interface eth0 ip=192.168.8.125 bcast=192.168.11.255 
netmask=255.255.252.0
resolve_lmhosts: Attempting lmhosts lookup for name
dc1.example.co.uk<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No 
such file or directory
Password for [EXAMPLE\Administrator]:
Received smb_krb5 packet of length 281
Received smb_krb5 packet of length 181
Deactivating inbound replication
Asking partner server dc1.example.co.uk to synchronize from us
Error while replicating out last local changes from 
'CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk' for demotion, 
re-enabling inbound replication
ERROR(<class 'samba.WERRORError'>): Error while sending a
DsReplicaSync
for partition 'CN=Schema,CN=Configuration,DC=example,DC=co,DC=uk' - (87,
'WERR_INVALID_PARAM')
 ? File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
line
787, in run
 ??? drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

It looks like dc2 fails to sync data to dc1 because replication is 
broken but I don't care about any data currently on dc2.

I just need to cut the ties safely i.e. dc1 should remain operational.

Make dc1 aware it's now on its own and obliterate dc2.

What's the best way to "force" demotion in this case?

Thanks,
Adam

Rowland penny

2019-Jul-17 15:22 UTC

head link

[Samba] messy replication

On 17/07/2019 16:05, Adam Weremczuk via samba wrote:> Hello again,
>
> I'm trying to follow instructions for demoting: 
> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
>
> I don't think I need to transfer FSMO roles since both controllers own 
> them:Oh dear, you do have a borked AD, only one DC can hold an FSMO role at a 
time.>
> It looks like dc2 fails to sync data to dc1 because replication is 
> broken but I don't care about any data currently on dc2.
>
> I just need to cut the ties safely i.e. dc1 should remain operational.
>
> Make dc1 aware it's now on its own and obliterate dc2.
>
> What's the best way to "force" demotion in this case?
>I don't think there is a 'best way'. This used to come up fairly
often
in the early days of Samba AD, I think all you can do is to search in 
sam.ldb and remove any mention of the old DC, but DO NOT alter the files 
under sam.ldb.d, reading this might help:

https://lists.samba.org/archive/samba/2014-February/178947.html

Rowland

Adam Weremczuk

2019-Jul-18 10:18 UTC

head link

[Samba] messy replication

On 17/07/19 16:22, Rowland penny via samba wrote:
> I don't think there is a 'best way'. This used to come up
fairly often
> in the early days of Samba AD, I think all you can do is to search in 
> sam.ldb and remove any mention of the old DC, but DO NOT alter the 
> files under sam.ldb.d, reading this might help:
>
> https://lists.samba.org/archive/samba/2014-February/178947.html
>
> Rowland 
Hi Rownland,

The file is is pretty big for our company size - 124k lines when edited.
I've spend about an hour carefully removing, editing and skipping 
entries referencing old dc1.
Unfortunately upon saving all my changes were discarded without a warning...

root at dc2 /# ldbedit -e vim -H /var/lib/samba/private/sam.ldb --cross-ncs
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
failed to add CN=dns-dc2,CN=Users,DC=example,DC=co,DC=uk - objectclass: 
'isCriticalSystemObject' must not be specified!

Would it be ok to leave this record as dns-dc1?
Or maybe I should do something else?

Thanks,
Adam

Apparently Analagous Threads

Search for more seemingly similar threads

samba - Jul 2019 - messy replication

[Samba] messy replication

[Samba] messy replication

[Samba] messy replication

Apparently Analagous Threads