user unable to create a user in a replicated from w2k3 server

Matthieu Patou mat at samba.org
Mon Jul 5 22:38:24 MDT 2010


On 06/07/2010 08:28, Matthieu Patou wrote:
>  On 06/07/2010 02:35, Andrew Bartlett wrote:
>> On Tue, 2010-07-06 at 01:32 +0400, Matthieu Patou wrote:
>>> Hello tridge, Andrew, Metze,
>>>
>>> I was with plaerzen on IRC; he managed to update his w2k server to w2k3
>>> and then made s4 vampire it.
>>>
>>> He is now unable to create a user on the S4 server.
>>>
>>> A level 10 log is here:
>>>
>>> http://pastebin.com/Werib9g9
>>>
>>> I did some analysis; my conclusion is that he has this problem:
>>> msg: ../dsdb/samdb/ldb_modules/ridalloc.c:450: No RID Set DN - Remote RID
>>> Set allocation needs refresh.
>>>
>>> Then we created a sample ldif file to create the user more easily from
>>> the command line:
>>>
>>> ldbmodify -H ldap://s4ldap /tmp/t.ldif -k 1
>>>
>>> We get:
>>> ERR: (Unwilling to perform) "LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
>>> <00002035: Unwilling to perform -
>>> ../dsdb/samdb/ldb_modules/ridalloc.c:450:  No RID Set DN - Remote RID
>>> Set allocation needs refresh> <>" on DN CN=testsix,CN=Users,DC=....
>> Yeah, something has broken about our remote RID set allocation.  A good
>> test for this would be to run the RPC-SAMR-LARGE-DC test against our
>> vampire_dc in 'make test'.
>>
>>> The same command against the w2k3 dc works ...
>>>
>>> I put more trace and came to the conclusion that this line is failing
>>> "if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {"
>>>
>>> Indeed we have this:
>>>
>>> ntds: CN=NTDS Settings,CN=DEV-TEADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winteal,DC=tundraeng,DC=com
>>>
>>> fsmo: CN=NTDS Settings,CN=DEV-TEDC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=winteal,DC=tundraeng,DC=com
>>>
>>>
>>> So clearly the DNs are different... To my mind the test is not good, as
>>> globally samdb_ntds_settings_dn is a search for dsServiceName on the
>>> rootDSE, and it seems that for each server it returns only the NTDS
>>> Settings of this server, so the test is likely to work only on the
>>> server which is the RID master.
>> Correct.  We can only do this locally if we are the RID Master, if not,
>> we need to ask the RID Master to allocate us some RIDs.
> Well given this code:
>         if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), fsmo_role_dn) != 0) {
>                 ridalloc_poke_rid_manager(module);
>                 ldb_asprintf_errstring(ldb, "Remote RID Set allocation needs refresh");
>                 talloc_free(tmp_ctx);
>                 return LDB_ERR_UNWILLING_TO_PERFORM;
>         }
>
> I understand that this happens all the time on any DC that is not a
> RID master. Is it the wanted behaviour?
> If so, I suppose that when we poke the RID manager, or more precisely
> when we receive the answer, we should create a RID Set in return.
>
> It seems that we do not do this...
>
Could it be that when s4 is not the RID manager it's up to the RID manager
to create the RID set, and so we are failing to ask the RID manager to do
it for us (or to interpret its message correctly)?

Matthieu

-- 
Matthieu Patou
Samba Team        http://samba.org
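The check under discussion, as an added example that is not Samba's ridalloc.c and not part of this thread: it models the two facts the module consults before it can hand out a RID, namely whether this DC's NTDS Settings DN (dsServiceName on the rootDSE) equals the fSMORoleOwner recorded on CN=RID Manager$,CN=System, and whether the DC's computer object already carries a rIDSetReferences link. fSMORoleOwner, serverReference and rIDSetReferences are the real AD attributes; the directory snapshot is constructed from the two NTDS Settings DNs posted above, and the computer-account and RID Set DNs in it are assumed values. Run against the replica's DN it reproduces the "needs refresh" outcome; run against the RID master's DN it does not.

```python
import re

def normalize_dn(dn):
    """Canonical form for comparing DNs: attribute types and values are compared
    case-insensitively (right for CN= and DC= components) and whitespace around
    the unescaped commas separating RDNs is ignored."""
    rdns = re.split(r'(?<!\\),', dn)
    return ','.join(rdn.strip().lower() for rdn in rdns)

def dn_equal(a, b):
    """Boolean form of the ldb_dn_compare(a, b) == 0 test in the quoted code."""
    return normalize_dn(a) == normalize_dn(b)

def find_object(objects, dn):
    """Look up an object by DN regardless of case or spacing ({} if absent)."""
    wanted = normalize_dn(dn)
    for candidate_dn, attrs in objects.items():
        if normalize_dn(candidate_dn) == wanted:
            return attrs
    return {}

def diagnose_rid_allocation(rootdse, objects, domain_dn):
    """Decide which branch RID allocation would take on the DC described by rootdse.

    rootdse: {'dsServiceName': [<NTDS Settings DN of this DC>]}
    objects: {dn: {attribute: [values]}}, a small directory snapshot."""
    ntds_dn = rootdse['dsServiceName'][0]
    # The RID manager FSMO owner is recorded on CN=RID Manager$,CN=System,<domain>.
    rid_manager = find_object(objects, 'CN=RID Manager$,CN=System,' + domain_dn)
    fsmo_role_dn = rid_manager['fSMORoleOwner'][0]
    is_rid_master = dn_equal(ntds_dn, fsmo_role_dn)
    # NTDS Settings is a child of the server object, whose serverReference names
    # the DC's computer account; rIDSetReferences lives on that computer object.
    server_dn = re.split(r'(?<!\\),', ntds_dn, maxsplit=1)[1]
    computer_dn = find_object(objects, server_dn)['serverReference'][0]
    has_rid_set = bool(find_object(objects, computer_dn).get('rIDSetReferences'))
    if has_rid_set:
        verdict = 'rid-set-present'            # allocate from the local pool
    elif is_rid_master:
        verdict = 'create-own-rid-set'         # RID master can create its own set
    else:
        verdict = 'remote-rid-set-needs-refresh'  # the error seen in the log
    return {'ntds_dn': ntds_dn, 'fsmo_role_dn': fsmo_role_dn,
            'is_rid_master': is_rid_master, 'has_rid_set': has_rid_set,
            'verdict': verdict}

# Constructed snapshot. The two NTDS Settings DNs are the ones from the thread;
# the computer-account DNs and the RID Set DN are assumed, not taken from it.
DOMAIN_DN = 'DC=winteal,DC=tundraeng,DC=com'
SITE = 'CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,' + DOMAIN_DN
S4_NTDS = 'CN=NTDS Settings,CN=DEV-TEADC1,' + SITE      # the s4 replica
W2K3_NTDS = 'CN=NTDS Settings,CN=DEV-TEDC3,' + SITE     # the w2k3 RID master
DC_OU = 'OU=Domain Controllers,' + DOMAIN_DN

DIRECTORY = {
    'CN=RID Manager$,CN=System,' + DOMAIN_DN: {'fSMORoleOwner': [W2K3_NTDS]},
    'CN=DEV-TEADC1,' + SITE: {'serverReference': ['CN=DEV-TEADC1,' + DC_OU]},
    'CN=DEV-TEDC3,' + SITE: {'serverReference': ['CN=DEV-TEDC3,' + DC_OU]},
    'CN=DEV-TEADC1,' + DC_OU: {},   # replica: no rIDSetReferences has been created
    'CN=DEV-TEDC3,' + DC_OU: {
        'rIDSetReferences': ['CN=RID Set,CN=DEV-TEDC3,' + DC_OU]},  # assumed
}

def diagnose_s4_replica():
    return diagnose_rid_allocation({'dsServiceName': [S4_NTDS]}, DIRECTORY, DOMAIN_DN)

def diagnose_w2k3_master():
    return diagnose_rid_allocation({'dsServiceName': [W2K3_NTDS]}, DIRECTORY, DOMAIN_DN)

if __name__ == '__main__':
    for label, result in (('s4 replica', diagnose_s4_replica()),
                          ('w2k3 RID master', diagnose_w2k3_master())):
        print('%s: %s (rid_master=%s, rid_set=%s)' % (
            label, result['verdict'], result['is_rid_master'], result['has_rid_set']))
```

The DN comparison is deliberately normalised, because the two DNs in the thread differ only in the server RDN, and a comparison that tripped on case or whitespace would produce the same "needs refresh" result for the wrong reason; the verdict strings make the three branches of the quoted code explicit so that a log line can be matched to the one that produced it.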


