
Re: [Samba] Samba 4.7.9 dbcheck error




On Wed, 2018-09-26 at 14:47 +0100, Rowland Penny via samba wrote:
> On Wed, 26 Sep 2018 15:28:42 +0200
> Daniel Jordan <d.jordan@xxxxxx> wrote:
> 
> > 
> > 
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=domain)' objectSid
> > # record 1
> > dn: DC=xx,DC=xx,DC=xx
> > objectSid: S-1-5-21-3258148492-1502286889-3538134041
> > 
> > 
> > 
> > dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=rIDSet)(cn=RID Set))' rIDAllocationPool
> > # record 1
> > dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDAllocationPool: 2100-2599
> > 
> > # record 2
> > dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> > rIDAllocationPool: 1600-2099
> Strange, you originally posted this SID-RID:
> 
> SID S-1-5-21-3258148492-1502286889-3538134041-1601
> 
> For: CN=FS01,OU=Server,DC=xx,DC=xx,DC=xx
> 
> The error message said :
> 
> conflicts with our current RID set in
> CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
> 
> Which is '2100-2599', so it does conflict, but it matches '1600-2099'
> from CN=DC02
> 
> Do you have two DC's ?
> Have you tried transferring the FSMO roles to DC02 ?

I don't think changing FSMO roles would change what is going on here. 

I suspect a dbcheck bug.  

If it isn't, the typical way to get a bug like this would be to steal
the RID master between servers, rather than a proper transfer.  The
facts don't suggest this here, but for others reading this later if two
servers think they are a RID master, something similar to this could
happen (but more likely replication will fail with an index conflict).

Rowland and Daniel,

Thank you so much for chasing up the details here, and replying!  We
just need one more detail, which is the current rIDNextRID value in
each of those RID Set objects.

Then I hope I can play the logic through the code and figure out what we
got wrong.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
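
Added example (not part of the thread and not Samba's dbcheck code): a small Python helper that repeats the comparison made in the message above, parsing the quoted `ldbsearch` output and reporting which RID Set's `rIDAllocationPool` contains a given object's RID. The function names are hypothetical, and the sample input is constructed from the output and SID quoted in the thread.

```python
import re

# Constructed sample input: the ldbsearch output quoted in the thread.
LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=RID Set,CN=DC01,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 2100-2599

# record 2
dn: CN=RID Set,CN=DC02,OU=Domain Controllers,DC=xx,DC=xx,DC=xx
rIDAllocationPool: 1600-2099
"""
DOMAIN_SID = "S-1-5-21-3258148492-1502286889-3538134041"


def parse_rid_pools(text):
    """Return {dn: (low, high)} from ldbsearch output in the 'low-high' form shown."""
    pools, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        m = re.fullmatch(r"rIDAllocationPool:\s*(\d+)-(\d+)", line.strip())
        if m and dn:
            pools[dn] = (int(m.group(1)), int(m.group(2)))
    return pools


def split_sid(sid):
    """Split an object SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def pools_containing(object_sid, domain_sid, pools):
    """List the RID Set DNs whose allocation pool contains the object's RID."""
    domain, rid = split_sid(object_sid)
    if domain != domain_sid:
        raise ValueError("SID %s is not in domain %s" % (object_sid, domain_sid))
    return [dn for dn, (low, high) in pools.items() if low <= rid <= high]


if __name__ == "__main__":
    pools = parse_rid_pools(LDBSEARCH_OUTPUT)
    owners = pools_containing(DOMAIN_SID + "-1601", DOMAIN_SID, pools)
    for dn, (low, high) in pools.items():
        print("%-4s %d-%d  %s" % ("HIT" if dn in owners else "", low, high, dn))
```
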
