thr3ads.net - samba - [Samba] samba-4.10.15 - Unable to demote secodary DC [Jun 2020]

If this information is useful, please help other people find it:
Share via:
James B. Byrne
2020-Jun-25 18:36 UTC
[Samba] samba-4.10.15 - Unable to demote secodary DC

I am testing DC administration using samba-4.10.15 on FreeBSD-12.1p6 and have
run across this:


[root at smb4-2 ~ (master)]# samba-tool domain join BROCKLEY.HARTE-LYNE.CA DC
-U"BROCKLEY\administrator"
INFO 2020-06-25 14:26:10,692 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #104: Finding a writeable
DC for domain 'BROCKLEY.HARTE-LYNE.CA'
INFO 2020-06-25 14:26:10,748 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #106: Found DC
smb4-1.brockley.harte-lyne.ca
Password for [BROCKLEY\administrator]:
INFO 2020-06-25 14:26:20,275 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1528: workgroup is
BROCKLEY
INFO 2020-06-25 14:26:20,275 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1531: realm is
brockley.harte-lyne.ca
Adding CN=SMB4-2,OU=Domain Controllers,DC=brockley,DC=harte-lyne,DC=ca
Adding
CN=SMB4-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca
Adding CN=NTDS
Settings,CN=SMB4-2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca
Adding SPNs to CN=SMB4-2,OU=Domain Controllers,DC=brockley,DC=harte-lyne,DC=ca
Setting account password for SMB4-2$
Enabling account
Calling bare provision
INFO 2020-06-25 14:26:22,755 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2096:
Looking up IPv4 addresses
WARNING 2020-06-25 14:26:22,755 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2102: More
than one IPv4 address found. Using 192.168.8.162
INFO 2020-06-25 14:26:22,756 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2113:
Looking up IPv6 addresses
WARNING 2020-06-25 14:26:22,756 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2120: No
IPv6 address will be assigned
INFO 2020-06-25 14:26:23,267 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2286:
Setting up share.ldb
INFO 2020-06-25 14:26:23,472 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2290:
Setting up secrets.ldb
INFO 2020-06-25 14:26:23,624 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2296:
Setting up the registry
INFO 2020-06-25 14:26:24,252 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2299:
Setting up the privileges database
INFO 2020-06-25 14:26:24,672 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2302:
Setting up idmap db
INFO 2020-06-25 14:26:24,890 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2309:
Setting up SAM db
INFO 2020-06-25 14:26:24,959 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #882:
Setting up sam.ldb partitions and settings
INFO 2020-06-25 14:26:24,959 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #894:
Setting up sam.ldb rootDSE
INFO 2020-06-25 14:26:25,004 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #1302:
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on
local domainSIDs
INFO 2020-06-25 14:26:25,149 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2362: A
Kerberos configuration suitable for Samba AD has been generated at
/var/db/samba4/private/krb5.conf
INFO 2020-06-25 14:26:25,149 pid:47306
/usr/local/lib/python3.7/site-packages/samba/provision/__init__.py #2363: Merge
the contents of this file with your system krb5.conf or replace it with this
one. Do not create a symlink!
Provision OK for domain DN DC=brockley,DC=harte-lyne,DC=ca
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca] objects[402/1616]
linked_values[0/1]
Partition[CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca] objects[804/1616]
linked_values[0/1]
Partition[CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca] objects[1206/1616]
linked_values[0/1]
Partition[CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca] objects[1608/1616]
linked_values[0/1]
Partition[CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca] objects[1616/1616]
linked_values[30/30]
Replicating critical objects from the base DN of the domain
Partition[DC=brockley,DC=harte-lyne,DC=ca] objects[97/97] linked_values[25/25]
Partition[DC=brockley,DC=harte-lyne,DC=ca] objects[276/276] linked_values[28/28]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=brockley,DC=harte-lyne,DC=ca
Partition[DC=DomainDnsZones,DC=brockley,DC=harte-lyne,DC=ca] objects[44/44]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=brockley,DC=harte-lyne,DC=ca
Partition[DC=ForestDnsZones,DC=brockley,DC=harte-lyne,DC=ca] objects[19/19]
linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=brockley,DC=harte-lyne,DC=ca] objects[3]
linked_values[0]
Committing SAM database
INFO 2020-06-25 14:26:34,177 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1106: Adding 2 remote DNS
records for SMB4-2.brockley.harte-lyne.ca
INFO 2020-06-25 14:26:34,282 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1169: Adding DNS A record
SMB4-2.brockley.harte-lyne.ca for IPv4 IP: 192.168.8.162
INFO 2020-06-25 14:26:34,475 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1169: Adding DNS A record
SMB4-2.brockley.harte-lyne.ca for IPv4 IP: 192.168.216.162
INFO 2020-06-25 14:26:34,643 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1197: Adding DNS CNAME
record aeb8e4e0-e804-43b2-a235-963a7adceb68._msdcs.brockley.harte-lyne.ca for
SMB4-2.brockley.harte-lyne.ca
INFO 2020-06-25 14:26:34,818 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1221: All other DNS
records (like _ldap SRV records) will be created samba_dnsupdate on first
startup
INFO 2020-06-25 14:26:34,819 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1227: Replicating new DNS
records in DC=DomainDnsZones,DC=brockley,DC=harte-lyne,DC=ca
Partition[DC=DomainDnsZones,DC=brockley,DC=harte-lyne,DC=ca] objects[2/2]
linked_values[0/0]
INFO 2020-06-25 14:26:34,908 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1227: Replicating new DNS
records in DC=ForestDnsZones,DC=brockley,DC=harte-lyne,DC=ca
Partition[DC=ForestDnsZones,DC=brockley,DC=harte-lyne,DC=ca] objects[2/2]
linked_values[0/0]
INFO 2020-06-25 14:26:35,010 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1242: Sending
DsReplicaUpdateRefs for all the replicated partitions
INFO 2020-06-25 14:26:35,203 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1272: Setting
isSynchronized and dsServiceName
INFO 2020-06-25 14:26:35,260 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1287: Setting up secrets
database
INFO 2020-06-25 14:26:35,380 pid:47306
/usr/local/lib/python3.7/site-packages/samba/join.py #1545: Joined domain
BROCKLEY (SID S-1-5-21-1435057935-3811806010-4169829184) as a DC

[root at smb4-2 ~ (master)]#  samba-tool domain demote -Uadministrator
Using SMB4-1.brockley.harte-lyne.ca as partner server for the demotion
Password for [BROCKLEY\administrator]:
Deactivating inbound replication
Asking partner server SMB4-1.brockley.harte-lyne.ca to synchronize from us
Error while replicating out last local changes from
'CN=Schema,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca' for
demotion,
re-enabling inbound replication
ERROR(<class 'samba.NTSTATUSError'>): Error while sending a
DsReplicaSync for
partition 'CN=Schema,CN=Configuration,DC=brockley,DC=harte-lyne,DC=ca' -
(3221225653, '{Device Timeout} The specified I/O operation on %hs was not
completed before the time-out period expired.')
  File
"/usr/local/lib/python3.7/site-packages/samba/netcmd/domain.py", line
835, in run
    drsuapiBind.DsReplicaSync(drsuapi_handle, 1, req1)

What did I do wrong?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Maybe Matching Threads

Search for more apparently analagous threads
samba - Jun 2020 - samba-4.10.15 - Unable to demote secodary DC

[Samba] samba-4.10.15 - Unable to demote secodary DC

Maybe Matching Threads

Wisdom of the Ancients
