Achim Gottinger
2016-Sep-19 17:19 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On 19.09.2016 at 19:08, Achim Gottinger via samba wrote:
>
> On 19.09.2016 at 18:21, Rowland Penny via samba wrote:
>> On Mon, 19 Sep 2016 11:57:38 -0400
>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>
>>> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
>>>> On Mon, 19 Sep 2016 10:42:34 -0400
>>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>>>> On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba wrote:
>>>>>> No it shouldn't be replicated, the big hint is
>>>>>> 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that
>>>>>> holds the RID master FSMO role, so I supposed the question is,
>>>>>> what does 'samba-tool fsmo show' display for the
>>>>>> RidAllocationMasterRole ?
>>>> Log into a DC, run 'samba-tool fsmo show' and look at the line that
>>>> starts 'RidAllocationmasterRole'
>>>> It should show 'CN=NTDS Settings,CN=LARKIN27'
>>> [root at larkin28 ~]# samba-tool fsmo show
>>> ..
>>> RidAllocationMasterRole owner: CN=NTDS
>>> Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site
>>> -Name,CN=Sites,CN=Configuration,DC=micore,DC=us
>>> ...
>>>
>>>>> Try running this on the DC: ldbsearch
>>>>> -H/usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
>>>>> rIDNextRID
>>>> It should show the DN's of your DCs followed by the contents
>>>> of the 'rIDNextRID' attributes. These should be '0' on all DC's
>>>> except the RID master.
>>>
>>> [root at larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>> '(objectClass=rIDSet)' dn rIDNextRID
>>> # record 1
>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>> # record 2
>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>> # record 3
>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>> rIDNextRID: 53611
>>> # Referral
>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>> # returned 6 records
>>> # 3 entries
>>> # 3 referrals
>>>
>>>
>>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>> '(objectClass=rIDSet)' dn rIDNextRID
>>> # record 1
>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>> # record 2
>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>> rIDNextRID: 55584
>>> # record 3
>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>> # returned 6 records
>>> # 3 entries
>>> # 3 referrals
>>>
>>>
>>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>> '(objectClass=rIDSet)' dn rIDNextRID
>>> # record 1
>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>> # record 2
>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>> rIDNextRID: 55584
>>> # record 3
>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>> # returned 6 records
>>> # 3 entries
>>> # 3 referrals
>>>
>>>
>> OK, on the DC that holds the RID master role:
>>
>> root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>> '(objectClass=rIDSet)' dn rIDNextRID
>> # record 1
>> dn: CN=RID Set,CN=MEMBER1,OU=Domain
>> Controllers,DC=samdom,DC=example,DC=com
>> rIDNextRID: 0
>>
>> # record 2
>> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>> rIDNextRID: 1152
>>
>> and on my other DC:
>>
>> root at member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>> '(objectClass=rIDSet)' dn rIDNextRID
>> # record 1
>> dn: CN=RID Set,CN=MEMBER1,OU=Domain
>> Controllers,DC=samdom,DC=example,DC=com
>>
>> # record 2
>> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>>
>> So as far as I understand it, you should only have the 'rIDNextRID'
>> attribute on the DC that holds the RID master role. I suggest you run
>> 'samba-tool dbcheck' on your DCs
>>
>> Rowland
>>
> On my 4.4.5 test environment I also get these results. On a
> production domain running server 4.2.13 I get the following results.
> 1. server with fsmo rid master role: nextRid>0 for the server and
> nextRid=0 for all other servers.
> 2. Other servers: nextRid>0 for the (other) server. No nextRid
> attribute for the other server.
> I have no issues on both environments atm.

After creating a user on my second and third DC in the 4.4.5 test environment, these also have an rIDNextRID attribute and behave like the 4.2.13 domain. On both environments the rIDNextRID is different on all DCs.
So it behaves as described in the article James posted.
Rowland Penny
2016-Sep-19 17:37 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On Mon, 19 Sep 2016 19:19:08 +0200
Achim Gottinger via samba <samba at lists.samba.org> wrote:

>
> On 19.09.2016 at 19:08, Achim Gottinger via samba wrote:
> >
> > On 19.09.2016 at 18:21, Rowland Penny via samba wrote:
> >> On Mon, 19 Sep 2016 11:57:38 -0400
> >> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
> >>
> >>> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
> >>>> On Mon, 19 Sep 2016 10:42:34 -0400
> >>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
> >>>>> On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba
> >>>>> wrote:
> >>>>>> No it shouldn't be replicated, the big hint is
> >>>>>> 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that
> >>>>>> holds the RID master FSMO role, so I supposed the question is,
> >>>>>> what does 'samba-tool fsmo show' display for the
> >>>>>> RidAllocationMasterRole ?
> >>>> Log into a DC, run 'samba-tool fsmo show' and look at the line
> >>>> that starts 'RidAllocationmasterRole'
> >>>> It should show 'CN=NTDS Settings,CN=LARKIN27'
> >>> [root at larkin28 ~]# samba-tool fsmo show
> >>> ..
> >>> RidAllocationMasterRole owner: CN=NTDS
> >>> Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site
> >>> -Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> >>> ...
> >>>
> >>>>> Try running this on the DC: ldbsearch
> >>>>> -H/usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
> >>>>> rIDNextRID
> >>>> It should show the DN's of your DCs followed by the
> >>>> contents of the 'rIDNextRID' attributes. These should be '0' on
> >>>> all DC's except the RID master.
> >>>
> >>> [root at larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> >>> '(objectClass=rIDSet)' dn rIDNextRID
> >>> # record 1
> >>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> >>> # record 2
> >>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> >>> # record 3
> >>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> >>> rIDNextRID: 53611
> >>> # Referral
> >>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> >>> # returned 6 records
> >>> # 3 entries
> >>> # 3 referrals
> >>>
> >>>
> >>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> >>> '(objectClass=rIDSet)' dn rIDNextRID
> >>> # record 1
> >>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> >>> # record 2
> >>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> >>> rIDNextRID: 55584
> >>> # record 3
> >>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> >>> # returned 6 records
> >>> # 3 entries
> >>> # 3 referrals
> >>>
> >>>
> >>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
> >>> '(objectClass=rIDSet)' dn rIDNextRID
> >>> # record 1
> >>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> >>> # record 2
> >>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> >>> rIDNextRID: 55584
> >>> # record 3
> >>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> >>> # Referral
> >>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> >>> # returned 6 records
> >>> # 3 entries
> >>> # 3 referrals
> >>>
> >>>
> >> OK, on the DC that holds the RID master role:
> >>
> >> root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
> >> '(objectClass=rIDSet)' dn rIDNextRID
> >> # record 1
> >> dn: CN=RID Set,CN=MEMBER1,OU=Domain
> >> Controllers,DC=samdom,DC=example,DC=com
> >> rIDNextRID: 0
> >>
> >> # record 2
> >> dn: CN=RID Set,CN=DC1,OU=Domain
> >> Controllers,DC=samdom,DC=example,DC=com
> >> rIDNextRID: 1152
> >>
> >> and on my other DC:
> >>
> >> root at member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
> >> '(objectClass=rIDSet)' dn rIDNextRID
> >> # record 1
> >> dn: CN=RID Set,CN=MEMBER1,OU=Domain
> >> Controllers,DC=samdom,DC=example,DC=com
> >>
> >> # record 2
> >> dn: CN=RID Set,CN=DC1,OU=Domain
> >> Controllers,DC=samdom,DC=example,DC=com
> >>
> >> So as far as I understand it, you should only have the
> >> 'rIDNextRID' attribute on the DC that holds the RID master role. I
> >> suggest you run 'samba-tool dbcheck' on your DCs
> >>
> >> Rowland
> >>
> > On my 4.4.5 test environment I also get these results. On a
> > production domain running server 4.2.13 I get the following results.
> > 1. server with fsmo rid master role: nextRid>0 for the server and
> > nextRid=0 for all other servers.
> > 2. Other servers: nextRid>0 for the (other) server. No nextRid
> > attribute for the other server.
> > I have no issues on both environments atm.
> After creating a user on my second and third DC in the 4.4.5 test
> environment, these also have an rIDNextRID attribute and behave like
> the 4.2.13 domain. On both environments the rIDNextRID is different
> on all DCs.
> So it behaves as described in the article James posted.
>

Hmm, I always create users on the first DC, so I created one on the second DC and I now have a 'rIDNextRID' attribute on the second DC with, as expected, a different range, but it doesn't replicate (again as expected).

Rowland
lingpanda101 at gmail.com
2016-Sep-19 18:33 UTC
[Samba] Error "Failed extended allocation RID pool operation..."
On 9/19/2016 1:37 PM, Rowland Penny via samba wrote:
> On Mon, 19 Sep 2016 19:19:08 +0200
> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
>>
>> On 19.09.2016 at 19:08, Achim Gottinger via samba wrote:
>>>
>>> On 19.09.2016 at 18:21, Rowland Penny via samba wrote:
>>>> On Mon, 19 Sep 2016 11:57:38 -0400
>>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
>>>>>> On Mon, 19 Sep 2016 10:42:34 -0400
>>>>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>>>>>> On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba
>>>>>>> wrote:
>>>>>>>> No it shouldn't be replicated, the big hint is
>>>>>>>> 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that
>>>>>>>> holds the RID master FSMO role, so I supposed the question is,
>>>>>>>> what does 'samba-tool fsmo show' display for the
>>>>>>>> RidAllocationMasterRole ?
>>>>>> Log into a DC, run 'samba-tool fsmo show' and look at the line
>>>>>> that starts 'RidAllocationmasterRole'
>>>>>> It should show 'CN=NTDS Settings,CN=LARKIN27'
>>>>> [root at larkin28 ~]# samba-tool fsmo show
>>>>> ..
>>>>> RidAllocationMasterRole owner: CN=NTDS
>>>>> Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site
>>>>> -Name,CN=Sites,CN=Configuration,DC=micore,DC=us
>>>>> ...
>>>>>
>>>>>>> Try running this on the DC: ldbsearch
>>>>>>> -H/usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
>>>>>>> rIDNextRID
>>>>>> It should show the DN's of your DCs followed by the
>>>>>> contents of the 'rIDNextRID' attributes. These should be '0' on
>>>>>> all DC's except the RID master.
>>>>> [root at larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>>> # record 1
>>>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 2
>>>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 3
>>>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>>>> rIDNextRID: 53611
>>>>> # Referral
>>>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>>>> # returned 6 records
>>>>> # 3 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>>> # record 1
>>>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 2
>>>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>>>> rIDNextRID: 55584
>>>>> # record 3
>>>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>>>> # returned 6 records
>>>>> # 3 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>>> # record 1
>>>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 2
>>>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>>>> rIDNextRID: 55584
>>>>> # record 3
>>>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>>>> # returned 6 records
>>>>> # 3 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>> OK, on the DC that holds the RID master role:
>>>>
>>>> root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>> # record 1
>>>> dn: CN=RID Set,CN=MEMBER1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>> rIDNextRID: 0
>>>>
>>>> # record 2
>>>> dn: CN=RID Set,CN=DC1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>> rIDNextRID: 1152
>>>>
>>>> and on my other DC:
>>>>
>>>> root at member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>> # record 1
>>>> dn: CN=RID Set,CN=MEMBER1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>>
>>>> # record 2
>>>> dn: CN=RID Set,CN=DC1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>>
>>>> So as far as I understand it, you should only have the
>>>> 'rIDNextRID' attribute on the DC that holds the RID master role. I
>>>> suggest you run 'samba-tool dbcheck' on your DCs
>>>>
>>>> Rowland
>>>>
>>> On my 4.4.5 test environment I also get these results. On a
>>> production domain running server 4.2.13 I get the following results.
>>> 1. server with fsmo rid master role: nextRid>0 for the server and
>>> nextRid=0 for all other servers.
>>> 2. Other servers: nextRid>0 for the (other) server. No nextRid
>>> attribute for the other server.
>>> I have no issues on both environments atm.
>> After creating a user on my second and third DC in the 4.4.5 test
>> environment, these also have an rIDNextRID attribute and behave like
>> the 4.2.13 domain. On both environments the rIDNextRID is different
>> on all DCs.
>> So it behaves as described in the article James posted.
>>
> Hmm, I always create users on the first DC, so I created one on the
> second DC and I now have a 'rIDNextRID' attribute on the second DC
> with, as expected, a different range, but it doesn't replicate (again
> as expected).
>
> Rowland
>

To see RID pool info, run the following from a Windows command prompt:

dcdiag /s:DCNAME /test:ridmanager /v

Replace DCNAME with the DNS name of your Domain Controller. I wonder if OP has exhausted his RID pool. Unlikely but possible. I also see a similar post on this same issue.

https://lists.samba.org/archive/samba/2016-April/198879.html

--
-James
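
An added example, not part of the thread and not Samba code: it automates the comparison the posters made by hand, parsing the `ldbsearch ... '(objectClass=rIDSet)' dn rIDNextRID` output captured on each DC and reporting a DC that carries a non-zero rIDNextRID for another DC's RID Set, or the same value on two DCs. It assumes each capture is keyed by a host name equal to the DC's CN and treats an absent or 0 value as "no local counter", as in the outputs quoted above; `parse_ridsets`, `audit` and `CONSTRUCTED_BAD` are names made up for this example.

```python
import re

# ldbsearch output quoted in this thread (dn / rIDNextRID lines only).
LARKIN27 = """\
dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
rIDNextRID: 55584
dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
"""
LARKIN28 = """\
dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
rIDNextRID: 53611
"""
# Constructed, not from the thread: larkin28 also carries LARKIN27's counter.
CONSTRUCTED_BAD = LARKIN28.replace(
    "LARKIN27,OU=Domain Controllers,DC=micore,DC=us\n",
    "LARKIN27,OU=Domain Controllers,DC=micore,DC=us\nrIDNextRID: 55584\n")


def parse_ridsets(text):
    """Return {DC name: rIDNextRID or None} from ldbsearch output."""
    text = re.sub(r"\n ", "", text)            # unfold LDIF continuation lines
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "ref:")):
            continue                           # comments, referrals, separators
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            m = re.match(r"\s*CN=RID Set,CN=([^,]+),", value, re.I)
            current = m.group(1).upper() if m else None
            if current:
                result[current] = None         # attribute absent until seen
        elif key.lower() == "ridnextrid" and current:
            result[current] = int(value)
    return result


def audit(outputs):
    """outputs: {host: ldbsearch text captured on that host} -> list of findings."""
    findings, seen = [], {}
    for host, text in outputs.items():
        for dc, rid in parse_ridsets(text).items():
            if not rid:                        # absent or 0: no local counter
                continue
            if dc != host.upper():
                findings.append(f"{host}: non-zero rIDNextRID {rid} for {dc}")
            if rid in seen and seen[rid] != host:
                findings.append(f"rIDNextRID {rid} on both {seen[rid]} and {host}")
            seen.setdefault(rid, host)
    return findings


if __name__ == "__main__":
    print(audit({"larkin27": LARKIN27, "larkin28": LARKIN28}))         # thread data
    print(audit({"larkin27": LARKIN27, "larkin28": CONSTRUCTED_BAD}))  # constructed
```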