Improving our RID Set Handling

Andrew Bartlett abartlet at samba.org
Thu Nov 3 04:05:29 UTC 2016


On Tue, 2016-11-01 at 21:21 +1300, Andrew Bartlett wrote:
> There are two important bugs in Samba's handling of RID Sets that my
> team at Catalyst has been working on.
> 
> "No RID Set DN - Failed to add RID Set CN=RID Set"
> https://bugzilla.samba.org/show_bug.cgi?id=9954 is, as you can tell by
> the number, really old, but we finally understand it:
> 
> 
> Samba joins a domain, and joins a DC that is not the RID Master.  
> 
> After startup, because the new server has no RID Set, it attempts to
> contact the RID Master to get one.  If that fails, it can't add
> users. 
> 
> If Samba is later made the RID master by force (seizing the role), the
> automatic task to create a RID set won't operate.
> 
> Instead, the creation of the first user should create the RID set, but
> because that is an LDAP user in this case, not via samba-tool, the
> operation is not done 'as system', so it fails.
> 
> This effectively prevents joining new machines, additional domain
> controllers or adding users to the domain, rendering it inert. 

Patches for this issue are attached.  There are extensive tests,
including for dbcheck rules to confirm that no duplicate RID allocation
is expected (i.e., bump the rIDNextRid value).

Garming (in particular) please review carefully as I've had to fix up
quite a few things once we finished the test today.  

> The second issue is 
> "RID allocation from moved RID master fails with missing mandatory
> attribute"
> https://bugzilla.samba.org/show_bug.cgi?id=12394
> 
> This prevents the allocation of new RID sets from a DC that has become
> the RID Manager, but wasn't always in that role.  The case of
> non-replicated mandatory attributes wasn't considered previously.

Patches for this have landed.

Thanks,

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-TODO-SIGNOFF-tests-ridalloc_exop-Add-a-new-suite-of-.patch
Type: text/x-patch
Size: 38955 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0001-TODO-SIGNOFF-tests-ridalloc_exop-Add-a-new-suite-of--0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-dsdb-Add-python-hooks-to-allocate-a-RID-set-and-allo.patch
Type: text/x-patch
Size: 9106 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0002-dsdb-Add-python-hooks-to-allocate-a-RID-set-and-allo-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-dbcheck-confirm-RID-Set-presence-and-consistency.patch
Type: text/x-patch
Size: 9074 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0003-dbcheck-confirm-RID-Set-presence-and-consistency-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-dbcheck-Correctly-initialise-keep_transaction-in-mis.patch
Type: text/x-patch
Size: 1024 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0004-dbcheck-Correctly-initialise-keep_transaction-in-mis-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-dsdb-Create-RID-Set-as-SYSTEM.patch
Type: text/x-patch
Size: 1591 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0005-dsdb-Create-RID-Set-as-SYSTEM-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-dsdb-Rework-DSDB-code-to-use-WERROR.patch
Type: text/x-patch
Size: 18235 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0006-dsdb-Rework-DSDB-code-to-use-WERROR-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-dsdb-Catch-errors-in-extended-operations-like-alloca.patch
Type: text/x-patch
Size: 3693 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0007-dsdb-Catch-errors-in-extended-operations-like-alloca-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-python-create-NTSTATUSError-HRESULTError-and-WERRORE.patch
Type: text/x-patch
Size: 3532 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0008-python-create-NTSTATUSError-HRESULTError-and-WERRORE-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0009-pyerrors-Add-PyErr_Set-WERROR-HRESULT-NTSTATUS-_and_.patch
Type: text/x-patch
Size: 1518 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0009-pyerrors-Add-PyErr_Set-WERROR-HRESULT-NTSTATUS-_and_-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0010-python-Add-DsExtendedError-Exception.patch
Type: text/x-patch
Size: 1674 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0010-python-Add-DsExtendedError-Exception-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0011-python-libnet-Use-new-NTSTATUSError-WERRORError-and-.patch
Type: text/x-patch
Size: 8836 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0011-python-libnet-Use-new-NTSTATUSError-WERRORError-and--0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0012-join.py-Attempt-to-allocate-a-RID-Set-during-the-joi.patch
Type: text/x-patch
Size: 3758 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0012-join.py-Attempt-to-allocate-a-RID-Set-during-the-joi-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0013-samba_tool-fsmo-Allocate-RID-Set-when-seizing-RID-ma.patch
Type: text/x-patch
Size: 3104 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0013-samba_tool-fsmo-Allocate-RID-Set-when-seizing-RID-ma-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0014-selftest-Rework-ridalloc-test-not-to-assume-auto-cre.patch
Type: text/x-patch
Size: 4855 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0014-selftest-Rework-ridalloc-test-not-to-assume-auto-cre-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0015-dsdb-Remove-on-demand-creation-of-the-RID-Set.patch
Type: text/x-patch
Size: 2231 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/38f4967b/0015-dsdb-Remove-on-demand-creation-of-the-RID-Set-0001.bin>

