On 26.09.18 at 20:42, Rowland Penny via samba wrote:
> On Thu, 27 Sep 2018 06:29:26 +1200
> Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Wed, 2018-09-26 at 14:47 +0100, Rowland Penny via samba wrote:
>>> On Wed, 26 Sep 2018 15:28:42 +0200
>>> Daniel Jordan <d.jordan at gfd.de> wrote:
>>>
>>>>
>>>> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(objectClass=domain)' objectSid
>>>> # record 1
>>>> dn: DC=xx,DC=xx,DC=xx
>>>> objectSid: S-1-5-21-3258148492-1502286889-3538134041
>>>>
>>>>
>>>>
>>>> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
>>>> # record 1
>>>> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>>> rIDAllocationPool: 2100-2599
>>>>
>>>> # record 2
>>>> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>>> rIDAllocationPool: 1600-2099
>>> Strange, you originally posted this SID-RID:
>>>
>>> SID S-1-5-21-3258148492-1502286889-3538134041-1601
>>>
>>> For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx
>>>
>>> The error message said:
>>>
>>> conflicts with our current RID set in
>>> CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>>
>>> Which is '2100-2599', so it does conflict, but it matches
>>> '1600-2099' from CN=DC02
>>>
>>> Do you have two DCs?
>>> Have you tried transferring the FSMO roles to DC02?
>> I don't think changing FSMO roles would change what is going on here.
> Never really thought it would do, just trying to draw answers out ;-)
>
>> I suspect a dbcheck bug.
> Oh yes.
>
>> If it isn't, the typical way to get a bug like this would be to steal
>> the RID master between servers, rather than a proper transfer. The
>> facts don't suggest this here, but for others reading this later, if
>> two servers think they are a RID master, something similar to this
>> could happen (but more likely replication will fail with an index
>> conflict).
>>
>> Rowland and Daniel,
>>
>> Thank you so much for chasing up the details here, and replying! We
>> just need one more detail, which is the current rIDNextRID value in
>> each of those RID Set objects.
>>
>> Then I hope I can play the logic through the code and figure out what
>> we got wrong.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
> If you cannot work it out Daniel, that would be the output of:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
>
> Rowland
>

Hello Andrew and Rowland,

here's the ldbsearch output from both domain controllers:

dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDNextRID: 1495

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDNextRID: 0

dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDNextRID: 1716

hope that helps

Daniel
On Thu, 27 Sep 2018 07:46:40 +0200
Daniel Jordan <d.jordan at gfd.de> wrote:

> Hello Andrew and Rowland,
>
> here's the ldbsearch output from both domain controllers:
>
>
> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
> # record 1
> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDNextRID: 1495
>
> # record 2
> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDNextRID: 0
>
>
> dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
> # record 1
> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>
> # record 2
> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDNextRID: 1716
>
>
> hope that helps
>
> Daniel

Well yes and no ;-)

You posted this:

dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 2100-2599

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 1600-2099

So how has 'rIDNextRID' been set to '1495' on DC01, when the
'rIDAllocationPool' is '2100-2599'?

How are you creating users etc.?

Rowland
On 27.09.18 at 10:04, Rowland Penny via samba wrote:
> On Thu, 27 Sep 2018 07:46:40 +0200
> Daniel Jordan <d.jordan at gfd.de> wrote:
>
>
>> Hello Andrew and Rowland,
>>
>> here's the ldbsearch output from both domain controllers:
>>
>>
>> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>> '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
>> # record 1
>> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>> rIDNextRID: 1495
>>
>> # record 2
>> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>> rIDNextRID: 0
>>
>>
>> dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb
>> '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
>> # record 1
>> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>>
>> # record 2
>> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
>> rIDNextRID: 1716
>>
>>
>> hope that helps
>>
>> Daniel
> Well yes and no ;-)
>
> You posted this:
>
> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> # record 1
> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDAllocationPool: 2100-2599
>
> # record 2
> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDAllocationPool: 1600-2099
>
> So how has 'rIDNextRID' been set to '1495' on DC01, when the
> 'rIDAllocationPool' is '2100-2599'?
>
> How are you creating users etc.?
>
> Rowland
>

Now that's weird, how could that happen?

We mostly use the Windows RSAT tools for administration purposes.

Daniel
On Thu, 2018-09-27 at 09:04 +0100, Rowland Penny via samba wrote:
> On Thu, 27 Sep 2018 07:46:40 +0200
> Daniel Jordan <d.jordan at gfd.de> wrote:
> 
> > 
> > Hello Andrew and Rowland,
> > 
> > here's the ldbsearch output from both domain controllers:
> > 
> > 
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
> > # record 1
> > dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDNextRID: 1495
> > 
> > # record 2
> > dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDNextRID: 0
> > 
> > 
> > dc02:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> > '(&(objectClass=rIDSet)(cn=RID Set))' rIDNextRID
> > # record 1
> > dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > 
> > # record 2
> > dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDNextRID: 1716
> > 
> > 
> > hope that helps
> > 
> > Daniel
> Well yes and no ;-)
> 
> You posted this:
> 
> dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> # record 1
> dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDAllocationPool: 2100-2599
> 
> # record 2
> dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> rIDAllocationPool: 1600-2099
> 
> So how has 'rIDNextRID' been set to '1495' on DC01, when the
> 'rIDAllocationPool' is '2100-2599'?
> 
> How are you creating users etc.?

Because the attributes are horribly misnamed!

From ridalloc.c:

/*
  Note: the RID allocation attributes in AD are very badly named. Here
  is what we think they really do:

  in RID Set object:
    - rIDPreviousAllocationPool: the pool which a DC is currently
      pulling RIDs from. Managed by client DC

    - rIDAllocationPool: the pool that the DC will switch to next,
      when rIDPreviousAllocationPool is exhausted. Managed by RID Manager.

    - rIDNextRID: the last RID allocated by this DC. Managed by client DC

  in RID Manager object:
    - rIDAvailablePool: the pool where the RID Manager gets new rID
      pools from when it gets a EXOP_RID_ALLOC getncchanges call (or
      locally when the DC is the RID Manager)
 */

Almost none of them do what you would think they do!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
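An added example (not code from the thread or from Samba) that reads RID Set records in the ldbsearch form posted above and checks them the way the ridalloc.c comment describes: rIDNextRID is compared against rIDPreviousAllocationPool (the pool currently in use) as well as rIDAllocationPool (the pool the DC switches to next), and a given RID, here the conflicting 1601, is matched to the DC whose pool contains it. The sample listing is constructed from the values in the thread; rIDPreviousAllocationPool was never queried there, so it is absent and DC01's rIDNextRID of 1495 shows up as matching no listed pool rather than as proven wrong.

```python
# Constructed from the values posted in the thread (DC01/DC02 records
# merged into one listing; rIDPreviousAllocationPool was not queried).
SAMPLE_LDIF = """\
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 2100-2599
rIDNextRID: 1495

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 1600-2099
rIDNextRID: 0
"""

def parse_ldif(text):
    """Split LDIF-style ldbsearch output into one {attribute: value} dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):   # blank line or '# record N'
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value.strip()
    if current:
        records.append(current)
    return records

def parse_pool(value):
    """A RID pool is stored as one 64-bit integer (low 32 bits = first RID,
    high 32 bits = last RID); Samba's ldbsearch prints it as 'start-end'. Accept both."""
    if "-" in value:
        start, end = value.split("-", 1)
        return int(start), int(end)
    raw = int(value)
    return raw & 0xFFFFFFFF, raw >> 32

def check_rid_sets(text, rid=None):
    """Per DC: the pools it lists, which of them rIDNextRID (the last RID this DC
    handed out; 0 = none yet) falls into, and whether `rid` belongs to one of its pools."""
    report = {}
    for rec in parse_ldif(text):
        dc = rec["dn"].split(",")[1].split("=", 1)[1]        # 'CN=DC01' -> 'DC01'
        pools = {a: parse_pool(rec[a]) for a in
                 ("rIDPreviousAllocationPool", "rIDAllocationPool") if a in rec}
        next_rid = int(rec.get("rIDNextRID", "0"))
        report[dc] = {
            "pools": pools,
            "rIDNextRID": next_rid,
            "next_rid_in": [a for a, (lo, hi) in pools.items()
                            if lo <= next_rid <= hi] if next_rid else None,
            "owns_rid": (any(lo <= rid <= hi for lo, hi in pools.values())
                         if rid is not None else None),
        }
    return report
```

Running `check_rid_sets(SAMPLE_LDIF, rid=1601)` reports DC02 as the owner of RID 1601 and an empty `next_rid_in` list for DC01, which is exactly the mismatch Rowland asked about.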