user unable to create a user in a replicated from w2k3 server

Matthieu Patou mat at samba.org
Mon Jul 5 22:28:24 MDT 2010


  On 06/07/2010 02:35, Andrew Bartlett wrote:
> On Tue, 2010-07-06 at 01:32 +0400, Matthieu Patou wrote:
>> Hello tridge, Andrew, Metze,
>>
>> I was with plaerzen on IRC, he managed to update his w2k server to w2k3
>> and then made s4 vampire it.
>>
>> He is now unable to create user on the S4 server.
>>
>> A level 10 log is here:
>>
>> http://pastebin.com/Werib9g9
>>
>> I did some analysis; my conclusion is that he has this problem: msg:
>> ../dsdb/samdb/ldb_modules/ridalloc.c:450: No RID Set DN - Remote RID Set
>> allocation needs refresh.
>>
>> Then we created a sample ldif file to create more easily the user from
>> command line :
>>
>> ldbmodify -H ldap://s4ldap /tmp/t.ldif -k 1
>>
>> We get:
>> ERR: (Unwilling to perform) "LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
>> <00002035: Unwilling to perform -
>> ../dsdb/samdb/ldb_modules/ridalloc.c:450:  No RID Set DN - Remote RID
>> Set allocation needs refresh>  <>" on DN CN=testsix,CN=Users,DC=....
> Yeah, something has broken about our remote RID set allocation.  A good
> test for this would be to run the RPC-SAMR-LARGE-DC test against our
> vampire_dc in 'make test'.
>
>> The same command against the w2k3 dc works ...
>>
>> I put more trace and came to the conclusion that this line is failing
>> "if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {"
>>
>> Indeed we have this:
>>
>> ntds: CN=NTDS Settings,CN=DEV-TEADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winteal,DC=tundraeng,DC=com
>>
>> fsmo: CN=NTDS Settings,CN=DEV-TEDC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winteal,DC=tundraeng,DC=com
>>
>>
>> So clearly the DNs are different ... To my mind the test is not good, as
>> globally samdb_ntds_settings_dn is a search for dsServiceName on the
>> rootdse and it seems that for each server it returns only the ntds of
>> this server, so the test is likely to work only on the server which is
>> rid master.
> Correct.  We can only do this locally if we are the RID Master, if not,
> we need to ask the RID Master to allocate us some RIDs.
Well given this code:
         if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {
                 ridalloc_poke_rid_manager(module);
                 ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
                 talloc_free(tmp_ctx);
                 return LDB_ERR_UNWILLING_TO_PERFORM;
         }

I understand that this happens all the time on any DC that is not a RID 
master; is this the wanted behavior?
If so, I suppose that when we poke the RID manager, or more precisely 
when we receive the answer, we should create a RID Set in return.

It seems that we do not do this ...

-- 
Matthieu Patou
Samba Team        http://samba.org
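
The comparison discussed in this message can be reproduced from outside the server by comparing the rootDSE's dsServiceName with the fSMORoleOwner value stored on the RID Manager$ object. The following is an added example, not part of the original message and not Samba code: the function names are hypothetical, the LDIF is constructed from the two DNs quoted in the thread, the RID Manager$ location under CN=System is the standard Active Directory one rather than something stated in the thread, and the DN normalisation is a simplification of what ldb_dn_compare does.

```python
import re

# Constructed sample LDIF, built from the two DNs quoted in the thread.
# Long values are folded the way LDIF output folds them (continuation
# lines start with one space).
ROOTDSE_LDIF = """\
dn:
dsServiceName: CN=NTDS Settings,CN=DEV-TEADC1,CN=Servers,CN=Default-First-Si
 te-Name,CN=Sites,CN=Configuration,DC=winteal,DC=tundraeng,DC=com
"""

RID_MANAGER_LDIF = """\
dn: CN=RID Manager$,CN=System,DC=winteal,DC=tundraeng,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DEV-TEDC3,CN=Servers,CN=Default-First-Sit
 e-Name,CN=Sites,CN=Configuration,DC=winteal,DC=tundraeng,DC=com
"""

def ldif_attr(ldif, name):
    """Return the first value of attribute `name`, undoing LDIF line folding."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # newline + one space = continuation
    for line in unfolded.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            if value.startswith(":"):
                raise ValueError("base64-encoded value not handled here")
            return value.strip()
    return None

def normalize_dn(dn):
    """Simplified DN normalisation: split on unescaped commas, trim, casefold."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().casefold(), value.strip().casefold()))
    return tuple(parts)

def is_rid_master(rootdse_ldif, rid_manager_ldif):
    """True if this DC's NTDS Settings DN is the RID Manager FSMO role owner."""
    mine = ldif_attr(rootdse_ldif, "dsServiceName")
    owner = ldif_attr(rid_manager_ldif, "fSMORoleOwner")
    if mine is None or owner is None:
        raise ValueError("missing dsServiceName or fSMORoleOwner")
    return normalize_dn(mine) == normalize_dn(owner)

if __name__ == "__main__":
    # With the thread's DNs, DEV-TEADC1 is not the role owner (DEV-TEDC3 is).
    print("RID master:", is_rid_master(ROOTDSE_LDIF, RID_MANAGER_LDIF))
```

A False result means the DC falls into the "ask the RID Master" branch, so a local RID Set has to exist before object creation can succeed.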


