samba - Aug 2016 - UNIX attribute UID no longer increments with RSAT

Hello,

     I'm using rfc2307 to enable Unix attributes on my DC's. Recently 
when adding a user and attempting to add a UID with the RSAT, I 
receiving the following error.

'Duplicate UID. Assign a uniqueUID.'

How do I list all users and their UID? I tried using 'pdbedit' and 
wbinfo. Pdbedit appears to list the XID's and wbinfo needs me to specify 
a user name. I need to confirm all users have a unique UID before moving 
forward to troubleshoot this issue. Thanks.

-- 
-James

On Mon, 8 Aug 2016 08:52:39 -0400
"lingpanda101 at gmail.com" <lingpanda101 at gmail.com> wrote:
> Hello,
> 
>      I'm using rfc2307 to enable Unix attributes on my DC's.
Recently
> when adding a user and attempting to add a UID with the RSAT, I 
> receiving the following error.
> 
> 'Duplicate UID. Assign a uniqueUID.'
> 
> How do I list all users and their UID? I tried using 'pdbedit' and 
> wbinfo. Pdbedit appears to list the XID's and wbinfo needs me to
> specify a user name. I need to confirm all users have a unique UID
> before moving forward to troubleshoot this issue. Thanks.
> 
What version of windows is this ?

When you used to add a uidNumber with the UNIX Attributes tab, the last
uid used was stored in an attribute in AD, this attribute was created
if it didn't exist, has windows stopped doing this ?

The attribute in question is 'msSFU30MaxUidNumber' (there is another
one for groups 'msSFU30MaxGidNumber') and this is stored in the AD
object to be found at:
CN=<Your
lowercase
NETBios
domain
name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=your,DC=dns,DC=domain

Rowland

On 8/8/2016 9:32 AM, Rowland Penny wrote:
> On Mon, 8 Aug 2016 08:52:39 -0400
> "lingpanda101 at gmail.com" <lingpanda101 at gmail.com>
wrote:
>
>> Hello,
>>
>>       I'm using rfc2307 to enable Unix attributes on my DC's.
Recently
>> when adding a user and attempting to add a UID with the RSAT, I
>> receiving the following error.
>>
>> 'Duplicate UID. Assign a uniqueUID.'
>>
>> How do I list all users and their UID? I tried using 'pdbedit'
and
>> wbinfo. Pdbedit appears to list the XID's and wbinfo needs me to
>> specify a user name. I need to confirm all users have a unique UID
>> before moving forward to troubleshoot this issue. Thanks.
>>
> What version of windows is this ?
>
> When you used to add a uidNumber with the UNIX Attributes tab, the last
> uid used was stored in an attribute in AD, this attribute was created
> if it didn't exist, has windows stopped doing this ?
>
> The attribute in question is 'msSFU30MaxUidNumber' (there is
another
> one for groups 'msSFU30MaxGidNumber') and this is stored in the AD
> object to be found at:
> CN=<Your
> lowercase
> NETBios
> domain
>
name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=your,DC=dns,DC=domain
>
> Rowland
>
>
This is with Windows 7.

I found the issue. I have another admin who creates users in AD. This 
user did not have the proper permissions to update this attribute with 
RSAT. I can't recall the error they received, but it mentioned not 
having permissions to update this field( I will get so as to post and 
update in this thread). Event though they were advised they do not have 
permissions, the UID was updated in Samba anyways(Possible security 
bug?). I verified it was in samba by using wbinfo.

To correct the issue, I manually incremented the new users UID to the 
next available one in Samba. This allowed RSAT to automatically 
increment the UID on a subsequent user I tested on.


-- 
-James

On 8/8/2016 9:32 AM, Rowland Penny wrote:
> On Mon, 8 Aug 2016 08:52:39 -0400
> "lingpanda101 at gmail.com" <lingpanda101 at gmail.com>
wrote:
>
>> Hello,
>>
>>       I'm using rfc2307 to enable Unix attributes on my DC's.
Recently
>> when adding a user and attempting to add a UID with the RSAT, I
>> receiving the following error.
>>
>> 'Duplicate UID. Assign a uniqueUID.'
>>
>> How do I list all users and their UID? I tried using 'pdbedit'
and
>> wbinfo. Pdbedit appears to list the XID's and wbinfo needs me to
>> specify a user name. I need to confirm all users have a unique UID
>> before moving forward to troubleshoot this issue. Thanks.
>>
> What version of windows is this ?
>
> When you used to add a uidNumber with the UNIX Attributes tab, the last
> uid used was stored in an attribute in AD, this attribute was created
> if it didn't exist, has windows stopped doing this ?
>
> The attribute in question is 'msSFU30MaxUidNumber' (there is
another
> one for groups 'msSFU30MaxGidNumber') and this is stored in the AD
> object to be found at:
> CN=<Your
> lowercase
> NETBios
> domain
>
name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=your,DC=dns,DC=domain
>
> Rowland
>
>
These are the error messages received when a user attempts to update the 
UID within RSAT.

First is;

"Unable to modify the object property values.

Check your credentials.
There could be a network problem.
Active Directory could be down.
Contact your system administrator."

Followed by;

"Unable to update the maximum user ID number for the selected NIS
Domain."


Using ldbedit I see the max 'msSFU30MaxUidNumber: 10152'. This UID was 
just given to a user so I could receive the above error messages.

Where should I be looking to verify if this person has permission to 
update the Unix attributes? Thanks.

-- 

-James

On 8/8/2016 9:32 AM, Rowland Penny wrote:
> On Mon, 8 Aug 2016 08:52:39 -0400
> "lingpanda101 at gmail.com" <lingpanda101 at gmail.com>
wrote:
>
>> Hello,
>>
>>       I'm using rfc2307 to enable Unix attributes on my DC's.
Recently
>> when adding a user and attempting to add a UID with the RSAT, I
>> receiving the following error.
>>
>> 'Duplicate UID. Assign a uniqueUID.'
>>
>> How do I list all users and their UID? I tried using 'pdbedit'
and
>> wbinfo. Pdbedit appears to list the XID's and wbinfo needs me to
>> specify a user name. I need to confirm all users have a unique UID
>> before moving forward to troubleshoot this issue. Thanks.
>>
> What version of windows is this ?
>
> When you used to add a uidNumber with the UNIX Attributes tab, the last
> uid used was stored in an attribute in AD, this attribute was created
> if it didn't exist, has windows stopped doing this ?
>
> The attribute in question is 'msSFU30MaxUidNumber' (there is
another
> one for groups 'msSFU30MaxGidNumber') and this is stored in the AD
> object to be found at:
> CN=<Your
> lowercase
> NETBios
> domain
>
name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=your,DC=dns,DC=domain
>
> Rowland
>
>
I'll update my findings.

  * Create a new security group in ADUC
  * Within ADUC right click the OU or domain to delegate permissions
  * Click Delegate Control
  * Add the new security group created.
  * Delegate the following tasks
      o Create, delete and manage user accounts
      o Reset user passwords and force password change at next logon
      o Read all user information

 From what I gather on the net, this does not give the above security 
group permission to update the Unix attributes within ADUC.  This 
appears to be confirmed by the error prompts when attempted.  Maybe I am 
incorrect and this should give the security group permission and the 
error prompts are just bugs.

-- 
-James