Adam Tauno Williams
2016-Sep-19 13:31 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
Package: sernet-samba-4.2.14-23.el6.x86_64 These DCs were very recently upgraded from a prior version. [2016/09/19 09:32:55.168161, 0] ../source4/libcli/smb2/signing.c:116(smb2_check_signature) Bad SMB2 signature for message of size 202 [2016/09/19 09:32:55.168511, 0] ../lib/util/util.c:559(dump_data) [0000] 77 B3 94 9B 70 78 8B 21 1E 56 D0 78 E1 80 BB 5C w...px.! .V.x...\ [2016/09/19 09:32:55.168716, 0] ../lib/util/util.c:559(dump_data) [0000] 17 AB 09 20 81 BD 6B FD 5B 12 89 98 6A 79 3B FE ... ..k. [...jy;. [2016/09/19 09:32:55.189708, 0] ../source4/libcli/smb2/signing.c:116(smb2_check_signature) Bad SMB2 signature for message of size 208 [2016/09/19 09:32:55.189999, 0] ../lib/util/util.c:559(dump_data) [0000] 26 35 A6 E2 D7 47 17 4D 1A 0A 07 E2 8E B8 5B DC &5...G.M ......[. [2016/09/19 09:32:55.190219, 0] ../lib/util/util.c:559(dump_data) [0000] 21 19 4D 88 60 9A D5 4E 46 08 73 B0 A7 A0 22 B6 !.M.`..N F.s...". [2016/09/19 09:32:55.208830, 0] ../source4/libcli/smb2/signing.c:116(smb2_check_signature) Bad SMB2 signature for message of size 217 [2016/09/19 09:32:55.209092, 0] ../lib/util/util.c:559(dump_data) [0000] 9F FD 03 E1 61 4B 32 A8 9F 9D 50 DE 25 47 C0 AF ....aK2. ..P.%G.. [2016/09/19 09:32:55.209305, 0] ../lib/util/util.c:559(dump_data) [0000] C8 6B 73 58 EC 59 4E 06 46 26 7E DA D5 DE 4E 8F .ksX.YN. F&~...N. [2016/09/19 09:33:02.991790, 0] ../source4/rpc_server/drsuapi/getncchanges.c:807(getncchanges_rid_alloc ) ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed extended allocation RID pool operation - Failed to modify RID Set object CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us - objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us' wasn't specified! [2016/09/19 09:33:03.814390, 0] ../source4/smb_server/smb2/sesssetup.c:242(smb2srv_cleanup_session_dest ructor) -- Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA
Adam Tauno Williams
2016-Sep-19 13:56 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On Mon, 2016-09-19 at 09:31 -0400, Adam Tauno Williams via samba wrote:> Package: sernet-samba-4.2.14-23.el6.x86_64 > These DCs were very recently upgraded from a prior version. > [2016/09/19 09:32:55.168161, 0] > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > Bad SMB2 signature for message of size 202 > ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed extended > allocation RID pool operation - Failed to modify RID Set object > CN=RID > Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us - > objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on > entry 'CN=RID Set,CN=DC3,OU=Domain Controllers,DC=example,DC=us' > wasn't specified! > [2016/09/19 09:33:03.814390, 0] > ../source4/smb_server/smb2/sesssetup.c:242(smb2srv_cleanup_session_de > structor)Verified that the rIDNextRID attribute only has an ID on one of the DC's. My understanding is that this is correct; should Samba not be attempting to replicate this attribute? Checked CN=RID Set,CN=DC3,OU=Domain Controllers,DC=example,DC=us CN=RID Set,CN=DC2,OU=Domain Controllers,DC=example,DC=us CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=us <https://msdn.microsoft.com/en-us/library/cc220818.aspx> cn: RID-Next-RID ldapDisplayName: rIDNextRID attributeId: 1.2.840.113556.1.4.374 attributeSyntax: 2.5.5.9 omSyntax: 2 isSingleValued: TRUE schemaIdGuid: 6617188c-8f3c-11d0-afda-00c04fd930c9 systemOnly: TRUE searchFlags: 0 systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_NOT_REPLICATED schemaFlagsEx: FLAG_ATTR_IS_CRITICAL -- Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383 Systems Administrator, Python Developer, LPI / NCLA
Rowland Penny
2016-Sep-19 14:15 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On Mon, 19 Sep 2016 09:56:16 -0400 Adam Tauno Williams via samba <samba at lists.samba.org> wrote:> On Mon, 2016-09-19 at 09:31 -0400, Adam Tauno Williams via samba > wrote: > > Package: sernet-samba-4.2.14-23.el6.x86_64 > > These DCs were very recently upgraded from a prior version. > > [2016/09/19 09:32:55.168161, 0] > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > > Bad SMB2 signature for message of size 202 > > ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed extended > > allocation RID pool operation - Failed to modify RID Set object > > CN=RID > > Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us - > > objectclass_attrs: at least one mandatory attribute ('rIDNextRID') > > on entry 'CN=RID Set,CN=DC3,OU=Domain Controllers,DC=example,DC=us' > > wasn't specified! > > [2016/09/19 09:33:03.814390, 0] > > ../source4/smb_server/smb2/sesssetup.c:242(smb2srv_cleanup_session_de > > structor) > > Verified that the rIDNextRID attribute only has an ID on one of the > DC's. My understanding is that this is correct; should Samba not be > attempting to replicate this attribute? > > Checked > CN=RID Set,CN=DC3,OU=Domain Controllers,DC=example,DC=us > CN=RID Set,CN=DC2,OU=Domain Controllers,DC=example,DC=us > CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=us > > <https://msdn.microsoft.com/en-us/library/cc220818.aspx> > cn: RID-Next-RID > ldapDisplayName: rIDNextRID > attributeId: 1.2.840.113556.1.4.374 > attributeSyntax: 2.5.5.9 > omSyntax: 2 > isSingleValued: TRUE > schemaIdGuid: 6617188c-8f3c-11d0-afda-00c04fd930c9 > systemOnly: TRUE > searchFlags: 0 > systemFlags: FLAG_SCHEMA_BASE_OBJECT | FLAG_ATTR_NOT_REPLICATED > schemaFlagsEx: FLAG_ATTR_IS_CRITICAL > >No it shouldn't be replicated, the big hint is 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that holds the RID master FSMO role, so I supposed the question is, what does 'samba-tool fsmo show' display for the RidAllocationMasterRole ? Rowland
Andrew Bartlett
2016-Sep-20 04:46 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On Mon, 2016-09-19 at 09:31 -0400, Adam Tauno Williams via samba wrote:> Package: sernet-samba-4.2.14-23.el6.x86_64 > > These DCs were very recently upgraded from a prior version. > > [2016/09/19 09:32:55.168161, 0] > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > Bad SMB2 signature for message of size 202 > [2016/09/19 09:32:55.168511, 0] ../lib/util/util.c:559(dump_data) > [0000] 77 B3 94 9B 70 78 8B 21 1E 56 D0 78 E1 80 BB 5C w...px.! > .V.x...\ > [2016/09/19 09:32:55.168716, 0] ../lib/util/util.c:559(dump_data) > [0000] 17 AB 09 20 81 BD 6B FD 5B 12 89 98 6A 79 3B FE ... ..k. > [...jy;. > [2016/09/19 09:32:55.189708, 0] > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > Bad SMB2 signature for message of size 208 > [2016/09/19 09:32:55.189999, 0] ../lib/util/util.c:559(dump_data) > [0000] 26 35 A6 E2 D7 47 17 4D 1A 0A 07 E2 8E B8 5B DC &5...G.M > ......[. > [2016/09/19 09:32:55.190219, 0] ../lib/util/util.c:559(dump_data) > [0000] 21 19 4D 88 60 9A D5 4E 46 08 73 B0 A7 A0 22 B6 !.M.`..N > F.s...". > [2016/09/19 09:32:55.208830, 0] > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > Bad SMB2 signature for message of size 217 > [2016/09/19 09:32:55.209092, 0] ../lib/util/util.c:559(dump_data) > [0000] 9F FD 03 E1 61 4B 32 A8 9F 9D 50 DE 25 47 C0 AF ....aK2. > ..P.%G.. > [2016/09/19 09:32:55.209305, 0] ../lib/util/util.c:559(dump_data) > [0000] C8 6B 73 58 EC 59 4E 06 46 26 7E DA D5 DE 4E 8F .ksX.YN. > F&~...N. > [2016/09/19 09:33:02.991790, 0] > ../source4/rpc_server/drsuapi/getncchanges.c:807(getncchanges_rid_all > oc > ) > ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed extended > allocation RID pool operation - Failed to modify RID Set object > CN=RID > Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us - > objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on > entry 'CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us' > wasn't specified! > [2016/09/19 09:33:03.814390, 0] > ../source4/smb_server/smb2/sesssetup.c:242(smb2srv_cleanup_session_de > st > ructor)To provide some background on this to avoid speculation: rIDNextRid is a non-replicated attribute. However it is also a mandatory attribute. This creates issues, because our code tries to enforce the schema, even on 'system' operations, but this confusion as to if the attribute should always be present causes us pain. We just fixed a similar issue here: https://bugzilla.samba.org/show_bug .cgi?id=12178 The issue is that the FSMO master doesn't ever see the ridNextRid value, so if you add most of your users on the non-FSMO server, then this will happen when the pool needs refreshing. It is too late here for me to safely suggest hacks, but I can think of workarounds to satisfy the check until we can just remove it properly. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2016-Sep-23 03:17 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On Mon, 2016-09-19 at 23:46 -0500, Andrew Bartlett via samba wrote:> On Mon, 2016-09-19 at 09:31 -0400, Adam Tauno Williams via samba > wrote: > > > > Package: sernet-samba-4.2.14-23.el6.x86_64 > > > > These DCs were very recently upgraded from a prior version. > > > > [2016/09/19 09:32:55.168161, 0] > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > > Bad SMB2 signature for message of size 202 > > [2016/09/19 09:32:55.168511, 0] ../lib/util/util.c:559(dump_data) > > [0000] 77 B3 94 9B 70 78 8B 21 1E 56 D0 78 E1 80 BB > > 5C w...px.! > > .V.x...\ > > [2016/09/19 09:32:55.168716, 0] ../lib/util/util.c:559(dump_data) > > [0000] 17 AB 09 20 81 BD 6B FD 5B 12 89 98 6A 79 3B FE ... > > ..k. > > [...jy;. > > [2016/09/19 09:32:55.189708, 0] > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > > Bad SMB2 signature for message of size 208 > > [2016/09/19 09:32:55.189999, 0] ../lib/util/util.c:559(dump_data) > > [0000] 26 35 A6 E2 D7 47 17 4D 1A 0A 07 E2 8E B8 5B > > DC &5...G.M > > ......[. > > [2016/09/19 09:32:55.190219, 0] ../lib/util/util.c:559(dump_data) > > [0000] 21 19 4D 88 60 9A D5 4E 46 08 73 B0 A7 A0 22 > > B6 !.M.`..N > > F.s...". > > [2016/09/19 09:32:55.208830, 0] > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature) > > Bad SMB2 signature for message of size 217 > > [2016/09/19 09:32:55.209092, 0] ../lib/util/util.c:559(dump_data) > > [0000] 9F FD 03 E1 61 4B 32 A8 9F 9D 50 DE 25 47 C0 > > AF ....aK2. > > ..P.%G.. > > [2016/09/19 09:32:55.209305, 0] ../lib/util/util.c:559(dump_data) > > [0000] C8 6B 73 58 EC 59 4E 06 46 26 7E DA D5 DE 4E > > 8F .ksX.YN. > > F&~...N. > > [2016/09/19 09:33:02.991790, 0] > > ../source4/rpc_server/drsuapi/getncchanges.c:807(getncchanges_rid_a > > ll > > oc > > ) > > ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed extended > > allocation RID pool operation - Failed to modify RID Set object > > CN=RID > > Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us - > > objectclass_attrs: at least one mandatory attribute ('rIDNextRID') > > on > > entry 'CN=RID Set,CN=LARKIN28,OU=Domain > > Controllers,DC=micore,DC=us' > > wasn't specified! > > [2016/09/19 09:33:03.814390, 0] > > ../source4/smb_server/smb2/sesssetup.c:242(smb2srv_cleanup_session_ > > de > > st > > ructor) > > To provide some background on this to avoid speculation: > > rIDNextRid is a non-replicated attribute. However it is also a > mandatory attribute. This creates issues, because our code tries to > enforce the schema, even on 'system' operations, but this confusion > as > to if the attribute should always be present causes us pain. > > We just fixed a similar issue here: https://bugzilla.samba.org/show_b > ug > .cgi?id=12178 > > The issue is that the FSMO master doesn't ever see the ridNextRid > value, so if you add most of your users on the non-FSMO server, then > this will happen when the pool needs refreshing. > > It is too late here for me to safely suggest hacks, but I can think > of > workarounds to satisfy the check until we can just remove it > properly.My untested thoughts are to set ridNextRid to 0 on the DC holding the RID master role, so that this check passes. The correct fix is either to not enforce MUST restrictions on non- replicated attributes, or not enforce it for unrelated modifications. I'm still a little confused how this ever worked in the first place, but we will look into it. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Apparently Analagous Threads
- Error "Failed extended allocation RID pool operation..."
- Error "Failed extended allocation RID pool operation..."
- Error "Failed extended allocation RID pool operation..."
- Was not found in the schema 'msDS-SupportedEncryptionTypes'
- Error "Failed extended allocation RID pool operation..."