[Samba] Duplicate ObjectSid values

Rowland penny rpenny at samba.org
Tue May 17 12:14:46 UTC 2016


On 17/05/16 12:11, ash-samba at comtek.co.uk wrote:
>
>> G'Day,
>>
>> This is a serious situation.  What it means is that the nextRid value 
>> for that DC points at a user account that already exists, so when we 
>> go to create it, the create fails.
> I've just looked at the LDAP output, and nextRid is 1000 for both dn: 
> CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc

Same here.

>
> The most recent successful new user (that I'm aware of) is objectSid: 
> S-1-5-21-2702589905-558746101-3641499263-2825
>
> I can't see any objectSid entries which end in 1000 though. The lowest 
> one we have is S-1-5-21-2702589905-558746101-3641499263-1101
>> That, and the other issue, suggests you have had some serious DB
>> corruption, and this may not be the only issue.  Does a full dbcheck
>> pass? (Not just the reindex).
> dbcheck works on empire.
>> Is there another DC that still works, that you can replicate from? 
>> (but you suggested other issues I think).
>
> We can successfully "/usr/bin/samba-tool user add" with alaska (a 
> machine located on another continent, with a quite unreliable link!), 
> and that gives us an account with 
> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and 
> empire, so there is clearly some amount of working replication. 
> Confusingly, after doing this nextRid is still 1000 on both machines.

This could be because you are looking at the wrong attribute in the 
wrong place.
Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain 
Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute 
'rIDNextRID' it contains.

Rowland

>
> Creating a new local DC (and decommissioning empire) would be a good 
> solution for us. I can add a new DC (v-ward) by specifying 
> --server=alaska.chester-dc, and I get no errors in the process. The 
> samba process on v-ward isn't working, though. I'm still trying to 
> debug this (currently it isn't even listening to port 389).
>
>
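
A way to run the check suggested above (compare each DC's 'rIDNextRID' in its 'CN=RID Set' object with the objectSid values already in use, and list any SID held by more than one object), as an added example that is not part of the original thread. It assumes an LDIF dump with SIDs in string form and 'rIDPreviousAllocationPool' as a plain 64-bit integer, and it treats 'rIDNextRID' as the last RID handed out from that pool (an assumption); the DNs, SIDs and function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample LDIF (string SIDs, integer pool); not data from the thread.
SAMPLE_LDIF = f"""\
dn: CN=bob,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=carol,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com
rIDPreviousAllocationPool: {(1599 << 32) | 1100}
rIDNextRID: 1103
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per record, unfolding wrapped lines."""
    records = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        rec = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                rec[attr.lower()].append(value.strip())
        if "dn" in rec:
            records.append(rec)
    return records

def duplicate_sids(records):
    """Map each objectSid held by more than one DN to the DNs that hold it."""
    owners = defaultdict(list)
    for rec in records:
        for sid in rec.get("objectsid", []):
            owners[sid].append(rec["dn"][0])
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}

def stale_rid_sets(records):
    """Return (RID Set DN, rIDNextRID, in-pool RIDs already in use above it)."""
    used = {int(s.rsplit("-", 1)[1]) for r in records for s in r.get("objectsid", [])}
    findings = []
    for rec in records:
        if "ridnextrid" in rec and "ridpreviousallocationpool" in rec:
            pool = int(rec["ridpreviousallocationpool"][0])
            lo, hi = pool & 0xFFFFFFFF, pool >> 32  # low 32 bits = start, high 32 bits = end
            next_rid = int(rec["ridnextrid"][0])  # assumption: last RID issued from the pool
            ahead = sorted(r for r in used if lo <= r <= hi and r > next_rid)
            if ahead:
                findings.append((rec["dn"][0], next_rid, ahead))
    return findings
```

A non-empty result from `stale_rid_sets` means that DC's counter sits below RIDs that already exist inside its own pool, which is the condition under which new account creation collides with an existing objectSid.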



