Improving our RID Set Handling

Andrew Bartlett abartlet at
Tue Nov 1 08:21:02 UTC 2016

There are two important bugs in Samba's handling of RID Sets that my
team at Catalyst has been working on.

"No RID Set DN - Failed to add RID Set CN=RID Set" is, as you can tell by
the number, really old, but we finally understand it:

Samba joins a domain, and joins a DC that is not the RID Master.  

After startup, because the new server has no RID Set, it attempts to
contact the RID Master to get one.  If that fails, it can't add users. 

If Samba is later made the RID master by force (seizing the role), the
automatic task to create a RID set won't operate.

Instead, the creation of the first user should create the RID set, but
because that is an LDAP user in this case, not via samba-tool the
operation is not done 'as system', so it fails. 

This effectively prevents joining new machines, additional domain
controllers or adding users to the domain, rendering it inert. 
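The "no RID Set" condition described above can be checked on each DC before it bites. The following is an added example for this thread, not Samba's own code: it parses the LDIF-style output of an `ldbsearch` for `objectClass=rIDSet` (the two samples are constructed, not captured from a real DC) and reports whether the DC holds a RID Set and roughly how many RIDs its current pool has left. It assumes the AD encoding of `rIDAllocationPool`/`rIDPreviousAllocationPool` (a 64-bit value whose low 32 bits are the first RID and high 32 bits the last RID) and treats `rIDNextRID` as the most recently handed-out RID for the remaining-count estimate.

```python
"""Audit a DC's RID Set state from ldbsearch output.

Added example for this thread, not Samba's own code. Assumptions:
  * input is LDIF-style output of `ldbsearch ... '(objectClass=rIDSet)'`
    (the samples below are constructed, not from a real DC);
  * rIDAllocationPool / rIDPreviousAllocationPool are 64-bit values whose
    low 32 bits are the first RID and high 32 bits the last RID of the pool;
  * rIDNextRID is the most recently handed-out RID (used only to estimate
    how many RIDs remain).
"""

# Constructed sample: a DC holding a RID Set with a 500-RID pool 1100..1599.
SAMPLE_WITH_RID_SET = """\
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com
objectClass: rIDSet
rIDAllocationPool: 6867652707404
rIDPreviousAllocationPool: 6867652707404
rIDUsedPool: 0
rIDNextRID: 1105

# returned 1 records
"""

# Constructed sample: the symptom from the post, no RID Set object at all.
SAMPLE_NO_RID_SET = """\
# returned 0 records
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines)."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def decode_pool(value):
    """Split a 64-bit AD RID pool value into (first_rid, last_rid)."""
    return value & 0xFFFFFFFF, value >> 32


def audit_rid_set(ldif_text):
    """Summarise one DC's RID Set from its ldbsearch output."""
    rid_sets = [e for e in parse_ldif(ldif_text)
                if "rIDSet" in e.get("objectClass", [])]
    if not rid_sets:
        # The condition from the thread: this DC never obtained a pool from
        # the RID Master, so it cannot create users, machines or new DCs.
        return {"status": "no_rid_set"}
    rs = rid_sets[0]
    alloc = int(rs["rIDAllocationPool"][0])
    prev = int(rs.get("rIDPreviousAllocationPool", rs["rIDAllocationPool"])[0])
    first, last = decode_pool(prev)          # pool currently being consumed
    next_rid = int(rs.get("rIDNextRID", ["0"])[0])
    remaining = last - max(next_rid, first - 1)
    return {
        "status": "ok",
        "pool": (first, last),
        "next_rid": next_rid,
        "remaining": remaining,
        # A pool fetched from the RID Master but not yet in use shows up as
        # rIDAllocationPool differing from rIDPreviousAllocationPool.
        "new_pool_pending": alloc != prev,
    }


if __name__ == "__main__":
    for name, sample in (("DC1", SAMPLE_WITH_RID_SET), ("DC2", SAMPLE_NO_RID_SET)):
        print(name, audit_rid_set(sample))
```

Running this against real output (for example `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=rIDSet)'` on the DC) gives a quick "can this DC still mint SIDs?" answer; a `no_rid_set` result on a DC that has just seized the RID Master role is the situation the thread describes.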

The second issue is "RID allocation from moved RID master fails with missing mandatory

This prevents the allocation of new RID sets from a DC that has become
the RID Manager, but wasn't always in that role.  The case of
non-replicated mandatory attributes wasn't considered previously.

In both cases the fixes are pretty simple, the tests needed to prove
them reasonably complex, and the thinking required to understand even
how this all happened slightly mind-bending.  Hopefully we can get
consensus to backport these once we land the patches in master, as we
have suffered from these issues since Samba 4.0 and earlier.  

In the meantime, thankfully, sites that don't move the RID manager
around will likely never hit this.

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
