Improving our RID Set Handling
abartlet at samba.org
Tue Nov 1 08:21:02 UTC 2016
There are two important bugs in Samba's handling of RID Sets that my
team at Catalyst has been working on.
"No RID Set DN - Failed to add RID Set CN=RID Set"
https://bugzilla.samba.org/show_bug.cgi?id=9954 is, as you can tell by
the number, really old, but we finally understand it:
Samba joins a domain, and joins a DC that is not the RID Master.
After startup, because the new server has no RID Set, it attempts to
contact the RID Master to get one. If that fails, it can't add users.
If Samba is later made the RID master by force (seizing the role), the
automatic task to create a RID set won't operate.
Instead, the creation of the first user should create the RID set, but
because that is an LDAP user in this case, not via samba-tool, the
operation is not done 'as system', so it fails.
This effectively prevents joining new machines, additional domain
controllers or adding users to the domain, rendering it inert.
The second issue is
"RID allocation from moved RID master fails with missing mandatory
This prevents the allocation of new RID sets from a DC that has become
the RID Manager, but wasn't always in that role. The case of non-
replicated mandatory attributes wasn't considered previously.
In both cases the fixes are pretty simple, the tests needed to prove
them reasonably complex, and the thinking required to understand even
how this all happened slightly mind-bending. Hopefully we can get
consensus to backport these once we land the patches in master, as we
have suffered from these issues since Samba 4.0 and earlier.
In the meantime, thankfully, sites that don't move the RID manager
around will likely never hit this.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
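The condition at the heart of both reports above is a domain controller (possibly the RID Master itself, after a seize) that has no RID Set, or one whose pool has run dry. The script below is an added example written for this page, not Samba code and not from the post's author: it reads the LDIF that `ldbsearch -H /var/lib/samba/private/sam.ldb` prints for the `CN=RID Manager$,CN=System` object, the DC computer objects and their `CN=RID Set` children, decodes the packed pool attributes (low 32 bits = first RID, high 32 bits = last RID) and flags DCs that have no `rIDSetReferences`, including the RID Master-without-a-RID-Set case. The embedded LDIF is constructed for illustration, not captured from a real domain, and the "exhausted" flag assumes `rIDNextRID` is the last RID handed out from the pool, which is marked as an assumption in the code.

```python
"""Check Samba/AD RID Set state from ldbsearch LDIF output (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample LDIF (not from a real domain): the RID Manager object,
# DC1 (holds the RID Master role and has a RID Set) and DC2 (no RID Set yet).
SAMPLE_LDIF = """\
dn: CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
rIDAvailablePool: 4611686014132422208

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: computer
rIDSetReferences: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: rIDSet
rIDAllocationPool: 6867652707404
rIDPreviousAllocationPool: 6867652707404
rIDNextRID: 1120
rIDUsedPool: 0

dn: CN=DC2,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: computer
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader for ldbsearch output: blank-line separated entries,
    'name: value' lines, folded continuation lines starting with one space."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuations
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry: Entry, attr: str, default: Optional[str] = None) -> Optional[str]:
    return entry.get(attr, [default])[0]


def decode_pool(value: int) -> Tuple[int, int]:
    """rIDAllocationPool, rIDPreviousAllocationPool and rIDAvailablePool pack a
    RID range into one 64-bit integer: low word = first RID, high word = last."""
    return value & 0xFFFFFFFF, value >> 32


def server_name_from_ntds_dn(dn: str) -> str:
    """CN=NTDS Settings,CN=<server>,CN=Servers,... -> <server>."""
    return dn.split(",")[1].split("=", 1)[1]


def rid_set_report(entries: List[Entry]) -> dict:
    """Summarise who holds the RID Master role and which DCs can allocate RIDs."""
    by_dn = {first(e, "dn"): e for e in entries}
    report: dict = {"rid_master": None, "available_pool": None, "dcs": {}, "problems": []}
    for e in entries:
        dn = first(e, "dn") or ""
        if dn.startswith("CN=RID Manager$,"):
            report["rid_master"] = server_name_from_ntds_dn(first(e, "fSMORoleOwner", ""))
            report["available_pool"] = decode_pool(int(first(e, "rIDAvailablePool", "0")))
        elif "computer" in e.get("objectClass", []) and ",OU=Domain Controllers," in dn:
            name = dn.split(",", 1)[0].split("=", 1)[1]
            ref = first(e, "rIDSetReferences")
            rid_set = by_dn.get(ref) if ref else None
            info = {"has_rid_set": rid_set is not None, "pool": None, "next_rid": None, "exhausted": None}
            if rid_set is not None:
                pool = decode_pool(int(first(rid_set, "rIDAllocationPool", "0")))
                next_rid = int(first(rid_set, "rIDNextRID", "0"))
                # Assumption: rIDNextRID is the last RID issued from this pool.
                info.update(pool=pool, next_rid=next_rid, exhausted=next_rid >= pool[1])
            report["dcs"][name] = info
    master = report["rid_master"]
    for name, info in report["dcs"].items():
        if not info["has_rid_set"]:
            if name == master:
                report["problems"].append(f"{name}: RID Master has no RID Set of its own (the seized-role case)")
            else:
                report["problems"].append(
                    f"{name}: no RID Set; cannot create users or machine accounts until the RID Master ({master}) issues one")
        elif info["exhausted"]:
            report["problems"].append(f"{name}: RID pool {info['pool']} is used up; a new pool must come from {master}")
    return report


if __name__ == "__main__":
    for problem in rid_set_report(parse_ldif(SAMPLE_LDIF))["problems"]:
        print(problem)
```

Feed it real output by running the three ldbsearch queries (the RID Manager object, `(objectClass=computer)` under `OU=Domain Controllers`, and `(objectClass=rIDSet)`) and concatenating the LDIF; a DC listed under "problems" is the one that will log "No RID Set DN" on its next attempt to add a security principal.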