On 12.01.23 at 12:25, Rowland Penny via samba wrote:
> On 12/01/2023 10:53, Thorsten Marquardt via samba wrote:
>> Thank you so far. But unfortunately I could not fix the problems. So I
>> decided to start over again at a situation where all the FSMO roles
>> reside on the old controller.
>>
>> Here is a transcript of what I did and the errors reported:
>>
>> The initial position
>>
>> srv-kb-dc1:~ # samba-tool fsmo show
>> SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> InfrastructureMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> DomainNamingMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SRV-KB-PRIMDC,CN=Servers,CN=Default-Fi...
>>
>> srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
>> Server:         192.168.1.243
>> Address:        192.168.1.243#53
>>
>> _ldap._tcp.pdc._msdcs.my.local.dom  service = 0 100 389 srv-kb-primdc.my.local.dom.
>>
>>
>> Attempt no. 1
>>
>> srv-kb-dc1:~ # samba-tool fsmo transfer --role=all -k yes -Uadministrator
> There is obviously a bit of a misunderstanding going on here. If you use
> '-k yes' (which has been replaced by '--use-kerberos=required') there is
> no point in using '-U', it looks for the logged-in user's ticket.
> Here, it is 'root' that is logged in and on a DC, 'Administrator' is
> mapped to 'root', so, provided root has run 'kinit Administrator', there
> should be a ticket in /tmp for 'root' that Administrator can use.
>
> Here is the proof of concept:
>
> Log into the DC that you wish to transfer an FSMO role to and show the
> FSMO owners at present (this list is shortened to just one, the one I
> will transfer):
>
> adminuser@rpidc2:~ $ sudo samba-tool fsmo show
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=RPIDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> Kinit as Administrator (note I am using sudo, but it would be the same
> if done by root)
>
> adminuser@rpidc2:~ $ sudo kinit Administrator
> Password for Administrator@SAMDOM.EXAMPLE.COM:
>
> The Administrator's ticket:
>
> adminuser@rpidc2:~ $ sudo klist -c /tmp/krb5cc_0
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 12/01/23 11:14:21    12/01/23 21:14:21    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 13/01/23 11:14:13
>
> Now transfer an FSMO role:
>
> adminuser@rpidc2:~ $ sudo samba-tool fsmo transfer --role=domaindns --use-kerberos=required
> FSMO transfer of 'domaindns' role successful
>
> Look at who owns the FSMO role now:
>
> adminuser@rpidc2:~ $ sudo samba-tool fsmo show
>
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=RPIDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
>
> I hope this helps you understand how to use Kerberos with samba-tool a
> little bit better. You only use '-U' if you are going to use a password.
>
> Rowland
Okay, back to the start and I try again. This time role by role. Here I
don't get timeouts (why do they come up with role=all?) and I'm not
prompted for the password of DOMAIN\root (which happens when transferring the
*dns roles):
srv-kb-dc1:~ # klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: administrator@MY.LOCAL.DOM
Valid starting       Expires              Service principal
12.01.2023 12:57:56  12.01.2023 22:57:56  krbtgt/MY.LOCAL.DOM@MY.LOCAL.DOM
        renew until 13.01.2023 12:57:54
srv-kb-dc1:~ # samba-tool fsmo transfer --role=rid -k yes
FSMO transfer of 'rid' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=pdc -k yes
FSMO transfer of 'pdc' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=naming -k yes
FSMO transfer of 'naming' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=infrastructure -k yes
FSMO transfer of 'infrastructure' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=schema -k yes
FSMO transfer of 'schema' role successful
srv-kb-dc1:~ # samba-tool fsmo transfer --role=domaindns -k yes
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:
srv-kb-dc1:~ # samba-tool fsmo transfer --role=domaindns -k yes
This DC already has the 'domaindns' FSMO role
srv-kb-dc1:~ # samba-tool fsmo transfer --role=forestdns -k yes
ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 520, in run
    transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/fsmo.py", line 129, in transfer_dns_role
    except samba.drs_utils.drsException, e:
srv-kb-dc1:~ # samba-tool fsmo transfer --role=forestdns -k yes
This DC already has the 'forestdns' FSMO role
srv-kb-dc1:~ # nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom
Server:         192.168.1.243
Address:        192.168.1.243#53
_ldap._tcp.pdc._msdcs.my.local.dom  service = 0 100 389 srv-kb-primdc.my.local.dom.
Now I get only one host as _ldap._tcp.pdc._msdcs.my.local.dom, but it's
the wrong one. It should be srv-kb-dc1.my.local.dom. instead of
srv-kb-primdc.my.local.dom.
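The mismatch the thread ends on (FSMO says one DC holds the PDC emulator role, DNS still advertises another) is worth checking mechanically after every transfer. The POSIX sh below is an added example, not code from the thread or from Samba itself. It only parses the output of the two commands already used in the thread, `samba-tool fsmo show` and `nslookup -querytype=srv _ldap._tcp.pdc._msdcs.<domain>`, and runs offline against constructed sample output modelled on the poster's situation; the sample text, the host names in it and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: confirm that the DC named as PdcEmulationMasterRole owner is
# the host that the _ldap._tcp.pdc._msdcs.<domain> SRV record points at.
# The parsers read captured command output on stdin, so the check can be fed
# either the constructed samples below or live output on a DC.

# Print the short name (lower-cased) of the DC that holds the PDC emulator
# role. Input: output of `samba-tool fsmo show` on stdin.
pdc_owner_from_fsmo() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Print every SRV target FQDN (lower-cased, trailing dot removed), one per
# line. Input: output of `nslookup -querytype=srv _ldap._tcp.pdc._msdcs.<domain>`
# on stdin. More than one line means more than one host is advertised as PDC.
pdc_host_from_srv() {
    sed -n 's/.*service = [0-9][0-9]* [0-9][0-9]* [0-9][0-9]* \([^[:space:]]*\)\.[[:space:]]*$/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Compare the FSMO owner ($1, short name) with the SRV targets ($2, FQDNs
# separated by newlines). Returns 0 when every target matches, 1 on any
# mismatch, 2 when either input could not be parsed.
check_pdc_consistent() {
    owner=$1
    targets=$2
    [ -n "$owner" ] || { echo "no PdcEmulationMasterRole owner found" >&2; return 2; }
    [ -n "$targets" ] || { echo "no SRV answer for the PDC record" >&2; return 2; }
    status=0
    for t in $targets; do
        short=${t%%.*}
        if [ "$short" = "$owner" ]; then
            echo "OK: SRV target $t matches FSMO PDC emulator $owner"
        else
            echo "MISMATCH: SRV points at $t but FSMO PDC emulator is $owner" >&2
            status=1
        fi
    done
    return $status
}

# Glue: $1 = text of `samba-tool fsmo show`, $2 = text of the nslookup query.
# Live use on a DC would be:
#   run_pdc_check "$(samba-tool fsmo show)" \
#                 "$(nslookup -querytype=srv _ldap._tcp.pdc._msdcs.my.local.dom)"
run_pdc_check() {
    owner=$(printf '%s\n' "$1" | pdc_owner_from_fsmo)
    targets=$(printf '%s\n' "$2" | pdc_host_from_srv)
    check_pdc_consistent "$owner" "$targets"
}

# Constructed sample output (assumed, modelled on the thread): the roles have
# been moved to SRV-KB-DC1, but DNS still advertises srv-kb-primdc as PDC.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local,DC=dom
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SRV-KB-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local,DC=dom'
SAMPLE_SRV='Server:         192.168.1.243
Address:        192.168.1.243#53

_ldap._tcp.pdc._msdcs.my.local.dom      service = 0 100 389 srv-kb-primdc.my.local.dom.'
# Same query after DNS has caught up with the transfer (also constructed).
SAMPLE_SRV_FIXED='_ldap._tcp.pdc._msdcs.my.local.dom      service = 0 100 389 srv-kb-dc1.my.local.dom.'

if run_pdc_check "$SAMPLE_FSMO" "$SAMPLE_SRV"; then
    echo "PDC SRV record is consistent with the FSMO owner"
else
    echo "PDC SRV record does not match the FSMO owner; check DNS on the DCs"
fi
```

The check deliberately compares only the short host name taken from the NTDS Settings DN with the first label of the SRV target, because that is the only part of the two outputs that names the same thing; a non-zero exit is the signal to look at the DNS zone before trusting the transfer.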