On Wed, 2018-09-26 at 14:47 +0100, Rowland Penny via samba wrote:
> On Wed, 26 Sep 2018 15:28:42 +0200
> Daniel Jordan <d.jordan at gfd.de> wrote:
> > 
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > '(objectClass=domain)' objectSid
> > # record 1
> > dn: DC=xx,DC=xx,DC=xx
> > objectSid: S-1-5-21-3258148492-1502286889-3538134041
> > 
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> > # record 1
> > dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDAllocationPool: 2100-2599
> > 
> > # record 2
> > dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDAllocationPool: 1600-2099
> 
> Strange, you originally posted this SID-RID:
> 
> SID S-1-5-21-3258148492-1502286889-3538134041-1601
> 
> For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx
> 
> The error message said :
> 
> conflicts with our current RID set in
> CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> 
> Which is '2100-2599', so it does conflict, but it matches '1600-2099'
> from CN=DC02
> 
> Do you have two DC's ?
> Have you tried transferring the FSMO roles to DC02 ?

I don't think changing FSMO roles would change what is going on here.

I suspect a dbcheck bug.

If it isn't, the typical way to get a bug like this would be to steal
the RID master between servers, rather than a proper transfer. The
facts don't suggest this here, but for others reading this later if
two servers think they are a RID master, something similar to this
could happen (but more likely replication will fail with an index
conflict).

Rowland and Daniel,

Thank you so much for chasing up the details here, and replying! We
just need one more detail, which is the current rIDNextRID value in
each of those RID Set objects.

Then I hope I can play the logic through the code and figure out what
we got wrong.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Thu, 27 Sep 2018 06:29:26 +1200
Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2018-09-26 at 14:47 +0100, Rowland Penny via samba wrote:
> > On Wed, 26 Sep 2018 15:28:42 +0200
> > Daniel Jordan <d.jordan at gfd.de> wrote:
> > > 
> > > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > > '(objectClass=domain)' objectSid
> > > # record 1
> > > dn: DC=xx,DC=xx,DC=xx
> > > objectSid: S-1-5-21-3258148492-1502286889-3538134041
> > > 
> > > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > > '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> > > # record 1
> > > dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > > rIDAllocationPool: 2100-2599
> > > 
> > > # record 2
> > > dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > > rIDAllocationPool: 1600-2099
> > 
> > Strange, you originally posted this SID-RID:
> > 
> > SID S-1-5-21-3258148492-1502286889-3538134041-1601
> > 
> > For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx
> > 
> > The error message said :
> > 
> > conflicts with our current RID set in
> > CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > 
> > Which is '2100-2599', so it does conflict, but it matches
> > '1600-2099' from CN=DC02
> > 
> > Do you have two DC's ?
> > Have you tried transferring the FSMO roles to DC02 ?
> 
> I don't think changing FSMO roles would change what is going on here.

Never really thought it would do, just trying to draw answers out ;-)

> I suspect a dbcheck bug.

Oh yes.

> If it isn't, the typical way to get a bug like this would be to steal
> the RID master between servers, rather than a proper transfer. The
> facts don't suggest this here, but for others reading this later if
> two servers think they are a RID master, something similar to this
> could happen (but more likely replication will fail with an index
> conflict).
> 
> Rowland and Daniel,
> 
> Thank you so much for chasing up the details here, and replying! We
> just need one more detail, which is the current rIDNextRID value in
> each of those RID Set objects.
> 
> Then I hope I can play the logic through the code and figure out what
> we got wrong.
> 
> Thanks,
> 
> Andrew Bartlett
> 

If you cannot work it out Daniel, that would be the output of:

ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID

Rowland
On 26.09.18 at 20:42, Rowland Penny via samba wrote:
> On Thu, 27 Sep 2018 06:29:26 +1200
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
>> On Wed, 2018-09-26 at 14:47 +0100, Rowland Penny via samba wrote:
>>> On Wed, 26 Sep 2018 15:28:42 +0200
>>> Daniel Jordan <d.jordan at gfd.de> wrote:
>>> 
>>>> 
>>>> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(objectClass=domain)' objectSid
>>>> # record 1
>>>> dn: DC=xx,DC=xx,DC=xx
>>>> objectSid: S-1-5-21-3258148492-1502286889-3538134041
>>>> 
>>>> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
>>>> # record 1
>>>> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>>> rIDAllocationPool: 2100-2599
>>>> 
>>>> # record 2
>>>> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>>> rIDAllocationPool: 1600-2099
>>> Strange, you originally posted this SID-RID:
>>> 
>>> SID S-1-5-21-3258148492-1502286889-3538134041-1601
>>> 
>>> For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx
>>> 
>>> The error message said :
>>> 
>>> conflicts with our current RID set in
>>> CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>> 
>>> Which is '2100-2599', so it does conflict, but it matches
>>> '1600-2099' from CN=DC02
>>> 
>>> Do you have two DC's ?
>>> Have you tried transferring the FSMO roles to DC02 ?
>> I don't think changing FSMO roles would change what is going on here.
> Never really thought it would do, just trying to draw answers out ;-)
> 
>> I suspect a dbcheck bug.
> Oh yes.
> 
>> If it isn't, the typical way to get a bug like this would be to steal
>> the RID master between servers, rather than a proper transfer. The
>> facts don't suggest this here, but for others reading this later if
>> two servers think they are a RID master, something similar to this
>> could happen (but more likely replication will fail with an index
>> conflict).
>> 
>> Rowland and Daniel,
>> 
>> Thank you so much for chasing up the details here, and replying! We
>> just need one more detail, which is the current rIDNextRID value in
>> each of those RID Set objects.
>> 
>> Then I hope I can play the logic through the code and figure out what
>> we got wrong.
>> 
>> Thanks,
>> 
>> Andrew Bartlett
>> 
> If you cannot work it out Daniel, that would be the output of:
> 
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
> 
> Rowland
> 

Hello Andrew and Rowland,

here's the ldbsearch output from both domain controllers:

dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDNextRID: 1495

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDNextRID: 0

dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDNextRID: 1716

hope that helps
Daniel