Andrew Bartlett
2024-May-21 19:59 UTC
[Samba] No RID Set found for this server. Can't self-allocate
On Tue, 2024-05-21 at 18:24 +0200, Felipe Martínez Hermo via samba wrote:
> Hello, everybody.
>
> I have a Samba domain spread over 19 offices, 5 of them have a domain
> controller of their own.
>
> Some of these DC work fine now that I have a quite homogeneous set of
> samba versions. Most of them are Debian 11 with samba 4.17.
>
> The last two DC added (in different offices) have joined the domain
> without problems, but both have the same problem. They can't find a
> RID set:
>
> No RID Set found for this server: CN=COR-DC2,OU=Domain
> Controllers,DC=my,DC=domain, and we are not the RID Master (so can
> not self-allocate)
>
> This means that they can't create any new objects, so every time I need
> to add a new computer or create a user, I have to take down these
> servers and let the objects be created on the "healthy" servers.

I suspect the new servers can't reach the RID master.

Once the servers can reach the RID Master, try creating a user again,
it may fail but should trigger getting a RID pool.

Sadly we don't seem to have a way to trigger this manually with a
samba-tool DRS command, which is an oversight.

> I have checked Andrew's answer here:
>
> https://lists.samba.org/archive/samba/2018-May/215621.html
>
> He says that eventually they will find a RID set, but it has been
> long enough and they don't seem to get a RID set.

The note about join-time is correct, except it is possible to join
without creating a RID set, if you didn't happen to join to the RID
master. (But we reduced these errors significantly by making it as
proactive as possible).

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
Felipe Martínez Hermo
2024-May-22 16:11 UTC
[Samba] No RID Set found for this server. Can't self-allocate
Hi, there

I have been checking connections between my servers, trying to find the
reason why my trouble server (VIG-DC3) does not reach the RID Master.

I have to describe my topology a little better. These are my servers:

(Root)
SAMBADC -> FSMO Roles Owner, including RID Master

(First level node)
STG-DC -> Syncs correctly with SAMBADC (samba-tool drs replicate reports successful)

(Second level nodes)
OUR-DC (DOES have a RID set). Replicates with both SAMBADC and STG-DC
==================================
samba-tool drs replicate our-dc sambadc dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc dc=ForestDnsZones,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc dc=DomainDnsZones,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc cn=configuration,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc cn=Schema,cn=configuration,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
==================================

VIG-DC3 (does NOT have a RID set). Replicates with STG-DC, fails to replicate with SAMBA-DC
==================================
samba-tool drs replicate vig-dc3 stg-dc dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc dc=ForestDnsZones,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc dc=DomainDnsZones,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc cn=configuration,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc cn=Schema,cn=configuration,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.

root at vig-dc3:~# adsync.sh sambadc vig-dc3
samba-tool drs replicate vig-dc3 sambadc dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc dc=ForestDnsZones,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc dc=DomainDnsZones,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc cn=configuration,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc cn=Schema,cn=configuration,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
==================================

The result if I run

samba-tool drs replicate vig-dc3 sambadc dc=ugt,dc=ldap --full-sync

is the same.

Also, I have observed in the tool "Active Directory Sites and services"
that when it's connected to SAMBADC it does not show server VIG-DC3,
although it is listed as a domain controller in "AD Users and computers".
However, if "AD Sites and services" is connected to STG-DC it does show
VIG-DC3 correctly.

The objectGUID CNAME record exists on both servers SAMBADC and STG-DC

Thanks in advance,

Felipe

-- 
Felipe Martínez Hermo
Servizos Informáticos
UGT Galicia
www.ugtgalicia.org
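A small helper, added here as an example and not code from the thread or from the Samba project, that turns the per-naming-context `samba-tool drs replicate` output shown above into a summary per (destination, source) pair. Andrew's reply says a DC only obtains a RID pool once it can reach the RID master, so the question for a defender is whether the failure toward SAMBADC is uniform (every naming context refused with the same WERR code, which points at authentication or authorization between the two DCs) or confined to one naming context. The regexes match only the "Replicate from X to Y was successful." and "DsReplicaSync failed (code, 'WERR_...')" lines as they appear in the thread; the sample text is constructed, and the `lab-dc` entries in it are invented to exercise the "partial" case.

```python
"""Summarise `samba-tool drs replicate` results by source DC and naming context.

Added example (not from the mailing-list thread or the Samba project). It
parses the output format quoted in the thread: a command line, followed by
either a "Replicate from <src> to <dst> was successful." line or an
ERROR(...) line carrying a (code, 'WERR_...') pair plus traceback lines.
"""
import re
from collections import defaultdict

# Command line as typed/echoed: samba-tool drs replicate <dest> <src> <nc>
CMD_RE = re.compile(r"^samba-tool drs replicate\s+(?P<dest>\S+)\s+(?P<src>\S+)\s+(?P<nc>\S+)")
# Success line printed by samba-tool.
OK_RE = re.compile(r"^Replicate from (?P<src>\S+) to (?P<dest>\S+) was successful\.")
# Failure line: the (numeric, 'WERR_NAME') pair at the end of the ERROR(...) line.
ERR_RE = re.compile(r"DsReplicaSync failed \((?P<code>\d+), '(?P<werr>[A-Z_]+)'\)")


def parse_replicate_log(text):
    """Return {(dest, src): {nc: 'ok' | 'WERR_...'}} from captured output."""
    results = defaultdict(dict)
    current = None  # (dest, src, nc) of the most recent command line
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            current = (m["dest"], m["src"], m["nc"])
            continue
        if current is None:
            continue  # traceback lines after an error are ignored
        dest, src, nc = current
        if OK_RE.match(line):
            results[(dest, src)][nc] = "ok"
            current = None
        else:
            m = ERR_RE.search(line)
            if m:
                results[(dest, src)][nc] = m["werr"]
                current = None
    return dict(results)


def diagnose(results):
    """Classify each (dest, src) pair as 'healthy', 'uniform:<WERR>' or 'partial'.

    A uniform verdict means every naming context failed with the same error,
    which is what the thread shows for vig-dc3 <- sambadc.
    """
    verdicts = {}
    for pair, ncs in results.items():
        outcomes = set(ncs.values())
        if outcomes == {"ok"}:
            verdicts[pair] = "healthy"
        elif len(outcomes) == 1:
            verdicts[pair] = "uniform:" + outcomes.pop()
        else:
            verdicts[pair] = "partial"
    return verdicts


# Constructed sample in the thread's output format. The vig-dc3 lines mirror
# the thread; the lab-dc lines are invented to show a mixed (partial) result.
SAMPLE_OUTPUT = """\
samba-tool drs replicate vig-dc3 stg-dc dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc dc=ForestDnsZones,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc cn=configuration,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 sambadc dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, in run
    drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc dc=ForestDnsZones,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
samba-tool drs replicate vig-dc3 sambadc cn=configuration,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
samba-tool drs replicate lab-dc sambadc dc=ugt,dc=ldap
Replicate from sambadc to lab-dc was successful.
samba-tool drs replicate lab-dc sambadc cn=configuration,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
"""

if __name__ == "__main__":
    import sys
    # Pipe real output in, or run with no stdin to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for (dest, src), verdict in sorted(diagnose(parse_replicate_log(text)).items()):
        print("%s <- %s: %s" % (dest, src, verdict))
```

Run it as `script-name.py < captured-output.txt` after collecting the replicate commands for every naming context, as the thread does. A "uniform:WERR_DS_DRA_ACCESS_DENIED" verdict for one source DC, with "healthy" for another, is the pattern in the thread and argues for checking the trust and credentials between those two DCs rather than individual partitions. Once replication toward the RID master works, the DC's computer object should gain a rIDSetReferences attribute pointing at its own RID Set object; that attribute is what Samba consults before emitting the "No RID Set found for this server" message, so its presence after the next user creation is the confirmation that the pool arrived.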