dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=domain)' objectSid
# record 1
dn: DC=xx,DC=xx,DC=xx
objectSid: S-1-5-21-3258148492-1502286889-3538134041

dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 2100-2599

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 1600-2099

Daniel

On 26.09.18 at 15:15, Rowland Penny via samba wrote:
> On Wed, 26 Sep 2018 14:29:24 +0200
> Daniel Jordan <d.jordan at gfd.de> wrote:
>
>> You're right, the 'S-1-5-21-3258148492-1502286889-3538134041-1601' is
>> the SID for fs01. The system only exists in 'OU=Server' as I moved it
>> from 'OU=Computer' for organisational purposes. I could also move it
>> back to the 'Computer' OU, but the error existed before the move, so
>> this probably won't have any impact.
>>
> Run the following commands on dc01:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=domain)' objectSid
>
> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
>
> The first should display the domain SID, it should match the one in your first post.
> The second should display the rid pool(s).
>
> Ensure that 'sam.ldb' is in '/var/lib/samba/private', if not change to correct path.
>
> Rowland

-- 
Kind regards

Daniel Jordan
IT Administration
GFD GmbH
Flugplatz Hohn
24806 Hohn
Tel.: +49 (0) 4335 9202 58
Fax: +49 (0) 4335 9202 15
d.jordan at gfd.de
www.gfd.de

Registered office: Hohn
Commercial register: Kiel HRB 908 RD
Managing director: Stefan Müller
On Wed, 26 Sep 2018 15:28:42 +0200
Daniel Jordan <d.jordan at gfd.de> wrote:

> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=domain)' objectSid
> # record 1
> dn: DC=xx,DC=xx,DC=xx
> objectSid: S-1-5-21-3258148492-1502286889-3538134041
>
> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> # record 1
> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDAllocationPool: 2100-2599
>
> # record 2
> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDAllocationPool: 1600-2099

Strange, you originally posted this SID-RID:

SID S-1-5-21-3258148492-1502286889-3538134041-1601

For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx

The error message said:

conflicts with our current RID set in
CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx

Which is '2100-2599', so it does conflict, but it matches '1600-2099'
from CN=DC02

Do you have two DCs?
Have you tried transferring the FSMO roles to DC02?

Rowland
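Rowland's check above, done programmatically: an added example (not code from the thread or from Samba) that parses the rIDAllocationPool output Daniel posted and reports which DC's RID Set actually contains a given SID's RID. The LDIF string is a constructed copy of that output; the domain SID, DNs and pool ranges are the ones quoted in the thread.

```python
# Constructed input: Daniel's second ldbsearch output, as quoted above.
RID_SET_LDIF = """\
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 2100-2599

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 1600-2099
"""

# Domain SID from Daniel's first ldbsearch output.
DOMAIN_SID = "S-1-5-21-3258148492-1502286889-3538134041"


def parse_rid_sets(ldif):
    """Map each RID Set DN to its (low, high) pool, as ldbsearch prints it."""
    sets, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("rIDAllocationPool:") and dn:
            low, high = (int(x) for x in line.split(":", 1)[1].split("-"))
            sets[dn] = (low, high)
    return sets


def rid_of(sid, domain_sid):
    """RID of an object SID in this domain; None if foreign or malformed."""
    prefix = domain_sid + "-"
    if not sid.startswith(prefix) or not sid[len(prefix):].isdigit():
        return None
    return int(sid[len(prefix):])


def owning_rid_set(sid, domain_sid, sets):
    """DN of the RID Set whose pool contains the SID's RID; None if no pool holds it."""
    rid = rid_of(sid, domain_sid)
    if rid is None:
        return None
    for dn, (low, high) in sets.items():
        if low <= rid <= high:
            return dn
    return None


if __name__ == "__main__":
    pools = parse_rid_sets(RID_SET_LDIF)
    print(owning_rid_set(DOMAIN_SID + "-1601", DOMAIN_SID, pools))
```

For FS01's RID 1601 this returns DC02's RID Set, which is exactly why the dbcheck message naming DC01's set looks wrong.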
On Wed, 2018-09-26 at 14:47 +0100, Rowland Penny via samba wrote:
> On Wed, 26 Sep 2018 15:28:42 +0200
> Daniel Jordan <d.jordan at gfd.de> wrote:
>
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=domain)' objectSid
> > # record 1
> > dn: DC=xx,DC=xx,DC=xx
> > objectSid: S-1-5-21-3258148492-1502286889-3538134041
> >
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> > # record 1
> > dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDAllocationPool: 2100-2599
> >
> > # record 2
> > dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDAllocationPool: 1600-2099
>
> Strange, you originally posted this SID-RID:
>
> SID S-1-5-21-3258148492-1502286889-3538134041-1601
>
> For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx
>
> The error message said:
>
> conflicts with our current RID set in
> CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>
> Which is '2100-2599', so it does conflict, but it matches '1600-2099'
> from CN=DC02
>
> Do you have two DCs?
> Have you tried transferring the FSMO roles to DC02?

I don't think changing FSMO roles would change what is going on here.

I suspect a dbcheck bug. If it isn't, the typical way to get a bug like this would be to steal the RID master between servers, rather than a proper transfer. The facts don't suggest this here, but for others reading this later: if two servers think they are a RID master, something similar to this could happen (but more likely replication will fail with an index conflict).

Rowland and Daniel,

Thank you so much for chasing up the details here, and replying!

We just need one more detail, which is the current rIDNextRID value in each of those RID Set objects. Then I hope I can play the logic through the code and figure out what we got wrong.
Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba