Andrew Bartlett
2021-Jun-01 20:24 UTC
[Samba] SID ... conflicts with our current RID set in ...
On Tue, 2021-06-01 at 17:31 +0100, Rowland penny via samba wrote:
> On 01/06/2021 17:07, Marco Gaiarin via samba wrote:
> > Doing some health check on my samba AD domain, I've got this:
> >
> > root@vdcpp1:~# samba-tool dbcheck --cross-ncs
> > Checking 5173 objects
> > [... some warnings...]
> > SID S-1-5-21-160080369-3601385002-3131615632-2100 for
> > CN=ENRICO,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > conflicts with our current RID set in CN=RID
> > Set,CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=fvg,DC=lnf,DC=it
> > Please use --fix to fix these errors
> > Checked 5173 objects (1 errors)
> >
> > Two questions:
> >
> > 1) Why is this error DC specific and not domain-wide?
>
> Because every DC has (or should have) its own RID pool
>
> > Is the DC RID not written in AD but only in the local DB?
>
> RIDs are in AD
>
> > If I run 'samba-tool dbcheck --cross-ncs' in another DC, there's
> > no error...
>
> Different RID pool
>
> > 2) Is it safe to use '--fix'? Or, because 'ENRICO' is a simple windows
> > pc, is it safer to simply delete the 'ENRICO' computer account and
> > rejoin it?
>
> Try '--fix' first, you can always fall back to leaving the domain and
> rejoining if it doesn't work.

Thanks Rowland, this explains things very well.

As background, which should probably go into the wiki some day, with the above:

The 'fix' will advance the local RID allocation state in the ridNextRid attribute until the conflict is resolved.

However, this should not ever have happened: if there was only ever one RID master, the pools should never have overlapped and it should have been impossible for this to happen.

Stealing RID master roles would be one way to get into this muddle, as would an improper domain restore. If neither of these have happened, some investigation might be worthwhile.

We don't currently have a way to detect if multiple DCs think they have the same RID pool, which might be the root cause here.

Thankfully Samba objects pretty fast when that conflicting SID is created, but by this stage it is frustrating, as we stop being able to add users.

If that is confirmed to be the case, the only end-user fix would be a demote and re-join. It would be nice if we could instead have a dbcheck rule that compared rIDPreviousAllocationPool on our DC with the rIDAllocationPool of every other DC. Still not actually enough to prove this won't happen, but all we can do given that rIDPreviousAllocationPool is FLAG_ATTR_NOT_REPLICATED.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
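Here is an added Python example, not Samba's own dbcheck code, modelling the bookkeeping discussed in the message above: the 32-bit-packed pool attributes, the overlap rule Andrew proposes for rIDPreviousAllocationPool versus every other DC's rIDAllocationPool, and the way '--fix' advances ridNextRid. The DC names other than vdcpp1, all pool values, and the reading of rIDNextRid as the last RID handed out are assumptions.

```python
from dataclasses import dataclass

RID_MASK = 0xFFFFFFFF

def split_pool(pool):
    """A pool attribute packs its first RID in the low 32 bits and its last RID in the high 32."""
    return pool & RID_MASK, pool >> 32

def make_pool(first, last):
    """Inverse of split_pool, used only to build the constructed sample values."""
    return (last << 32) | first

@dataclass
class RidSet:
    dc: str
    previous_allocation_pool: int  # rIDPreviousAllocationPool: pool this DC hands out of now (not replicated)
    allocation_pool: int           # rIDAllocationPool: pool the RID master last gave this DC (replicated)
    next_rid: int                  # rIDNextRid: assumed here to be the last RID handed out, 0 if none yet

    def next_to_allocate(self):
        first, _ = split_pool(self.previous_allocation_pool)
        return first if self.next_rid == 0 else self.next_rid + 1

def find_pool_overlaps(rid_sets):
    """Proposed rule: compare each DC's current pool with every other DC's rIDAllocationPool."""
    overlaps = []
    for ours in rid_sets:
        lo, hi = split_pool(ours.previous_allocation_pool)
        for other in rid_sets:
            if other is ours:
                continue
            olo, ohi = split_pool(other.allocation_pool)
            if lo <= ohi and olo <= hi:  # closed ranges intersect
                overlaps.append((ours.dc, other.dc))
    return overlaps

def find_conflicts(ours, rids_in_use):
    """RIDs already on objects that this DC would still hand out later: what dbcheck reports."""
    _, hi = split_pool(ours.previous_allocation_pool)
    return sorted(rid for rid in rids_in_use if ours.next_to_allocate() <= rid <= hi)

def fix_conflicts(ours, rids_in_use):
    """What --fix does per the thread: advance rIDNextRid past every conflicting RID."""
    conflicts = find_conflicts(ours, rids_in_use)
    if conflicts:
        ours.next_rid = max(conflicts)
    return ours.next_rid

def sample_domain():
    """Constructed sample: vdcpp1 is from the thread; the other DCs and all pool values are made up."""
    return [RidSet("vdcpp1", make_pool(2000, 2499), make_pool(2000, 2499), 2050),
            RidSet("vdcpp2", make_pool(2000, 2499), make_pool(2000, 2499), 2099),  # same pool: the muddle
            RidSet("vdcpp3", make_pool(3000, 3499), make_pool(3000, 3499), 0)]
```

RID 2100 in the sample below mirrors the RID of the SID in Marco's dbcheck output; the overlap check flags vdcpp1 and vdcpp2 as sharing a pool.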
Andrew Bartlett
2021-Jun-01 22:20 UTC
[Samba] SID ... conflicts with our current RID set in ...
On Wed, 2021-06-02 at 08:24 +1200, Andrew Bartlett via samba wrote:
> On Tue, 2021-06-01 at 17:31 +0100, Rowland penny via samba wrote:
> > On 01/06/2021 17:07, Marco Gaiarin via samba wrote:
> > > Doing some health check on my samba AD domain, I've got this:
> > >
> > > root@vdcpp1:~# samba-tool dbcheck --cross-ncs
> > > Checking 5173 objects
> > > [... some warnings...]
> > > SID S-1-5-21-160080369-3601385002-3131615632-2100 for
> > > CN=ENRICO,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > > conflicts with our current RID set in CN=RID
> > > Set,CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=fvg,DC=lnf,DC=it
> > > Please use --fix to fix these errors
> > > Checked 5173 objects (1 errors)
> > >
> > > 2) Is it safe to use '--fix'? Or, because 'ENRICO' is a simple windows
> > > pc, is it safer to simply delete the 'ENRICO' computer account and
> > > rejoin it?

For now just ignore it as I think we might have a bug, see below.

> > Try '--fix' first, you can always fall back to leaving the domain and
> > rejoining if it doesn't work.
>
> Thanks Rowland, this explains things very well.
>
> As background, which should probably go into the wiki some day, with
> the above:
>
> The 'fix' will advance the local RID allocation state in the ridNextRid
> attribute until the conflict is resolved.
>
> However, this should not ever have happened: if there was only ever one
> RID master, the pools should never have overlapped and it should have
> been impossible for this to happen.
>
> Stealing RID master roles would be one way to get into this muddle, as
> would an improper domain restore. If neither of these have happened,
> some investigation might be worthwhile.

If that is the case, then see
https://gitlab.com/samba-team/samba/-/merge_requests/1986#note_590466438

This could very likely be a bug, thankfully one with a fix coming, and without the fix the 'cure' would just burn a full RID pool to get to the start of the next one.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions