[PATCH] Re: Improving our RID Set Handling
Andrew Bartlett
abartlet at samba.org
Thu Nov 3 04:11:17 UTC 2016
On Thu, 2016-11-03 at 17:05 +1300, Andrew Bartlett wrote:
> On Tue, 2016-11-01 at 21:21 +1300, Andrew Bartlett wrote:
> > There are two important bugs in Samba's handling of RID Sets that my
> > team at Catalyst has been working on.
> >
> > "No RID Set DN - Failed to add RID Set CN=RID Set"
> > https://bugzilla.samba.org/show_bug.cgi?id=9954 is, as you can tell by
> > the number, really old, but we finally understand it:
> >
> > Samba joins a domain, and joins a DC that is not the RID Master.
> >
> > After startup, because the new server has no RID Set, it attempts to
> > contact the RID Master to get one. If that fails, it can't add users.
> >
> > If Samba is later made the RID master by force (seizing the role), the
> > automatic task to create a RID set won't operate.
> >
> > Instead, the creation of the first user should create the RID set, but
> > because that is an LDAP user in this case, not via samba-tool, the
> > operation is not done 'as system', so it fails.
> >
> > This effectively prevents joining new machines, additional domain
> > controllers or adding users to the domain, rendering it inert.
>
> Patches for this issue are attached. There are extensive tests,
> including for dbcheck rules to confirm that no duplicate RID allocation
> is expected (ie, bump the rIDNextRid value).
>
> Garming (in particular) please review carefully as I've had to fix up
> quite a few things once we finished the test today.
>
> > The second issue is
> > "RID allocation from moved RID master fails with missing mandatory
> > attribute"
> > https://bugzilla.samba.org/show_bug.cgi?id=12394
> >
> > This prevents the allocation of new RID sets from a DC that has become
> > the RID Manager, but wasn't always in that role. The case of
> > non-replicated mandatory attributes wasn't considered previously.
>
> Patches for this have landed.
>
> Thanks,
Finally, here are two more patches, WITHOUT TESTS, that make us try and
get a RID Set at runtime, as well as at the times where we might expect
to need one.

I'm less convinced they are required now, but here they are:
- allocate the rid set on a normal online transfer (but if we are able
to contact the rid master, surely we got one)
- allocate the rid set if we are the RID Manager (but the seize should
have done that, or the post-upgrade dbcheck).
Please don't push, but some thoughts welcome.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-drepl-Check-for-a-missing-RID-Set-on-the-RID-Master.patch
Type: text/x-patch
Size: 2166 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/b9f35518/0001-drepl-Check-for-a-missing-RID-Set-on-the-RID-Master.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-drepl-Check-for-a-missing-RID-Set-after-a-FSMO-Role-.patch
Type: text/x-patch
Size: 1289 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/b9f35518/0002-drepl-Check-for-a-missing-RID-Set-after-a-FSMO-Role-.bin>
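The thread above turns on whether a DC has a RID Set at all, and on the rIDNextRid bookkeeping that the new dbcheck rules verify. The following is an added example, not Samba code or anything attached to this thread: it decodes a DC's rIDSet object the way an administrator would after running ldbsearch against sam.ldb, reports the next RID the DC would hand out and how many remain before it must ask the RID Master, and treats "no rIDSet entry" as the failure case described in bug 9954. The LDIF input is constructed, not captured from a real domain. Two assumptions are made and marked in the code: the pool attributes pack the range as start in the low 32 bits and end in the high 32 bits (as in MS-ADTS and Samba's ridalloc module), and rIDNextRid holds the most recently allocated RID, so the next one is rIDNextRid + 1.

```python
"""Decode a DC's rIDSet object and report its RID allocation state.

Added example (not Samba code). Models the output of:
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=rIDSet)'
"""
from typing import Dict, List, Optional, Tuple

Pool = Tuple[int, int]  # (first RID, last RID), both inclusive


def pool_to_range(pool: int) -> Pool:
    """Assumption: the packed pool carries the first RID in the low 32 bits
    and the last RID in the high 32 bits."""
    return pool & 0xFFFFFFFF, pool >> 32


def range_to_pool(first: int, last: int) -> int:
    """Inverse of pool_to_range; used only to build the constructed samples."""
    if not 0 <= first <= last <= 0xFFFFFFFF:
        raise ValueError("RID range out of 32-bit bounds")
    return (last << 32) | first


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    '#' comment lines skipped. Enough for a plain ldbsearch dump of an rIDSet;
    base64 values and line folding are deliberately not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rid_set_status(entries: List[Dict[str, List[str]]]) -> Optional[dict]:
    """Allocation state of the first rIDSet entry, or None when there is none.

    None is the situation this thread is about: the DC has no RID Set yet, so it
    cannot create users or join machines until it obtains one from the RID Master.
    """
    for e in entries:
        if "rIDSet" in e.get("objectClass", []):
            break
    else:
        return None
    alloc_pool = int(e["rIDAllocationPool"][0])
    # A freshly created RID Set may not carry rIDPreviousAllocationPool yet;
    # in that case allocation starts from rIDAllocationPool itself.
    prev_pool = int(e.get("rIDPreviousAllocationPool", [str(alloc_pool)])[0])
    next_rid = int(e.get("rIDNextRid", ["0"])[0])
    cur_lo, cur_hi = pool_to_range(prev_pool)
    standby_lo, standby_hi = pool_to_range(alloc_pool)
    # Assumption: rIDNextRid is the last RID handed out; 0 means none yet.
    next_to_allocate = cur_lo if next_rid == 0 else next_rid + 1
    exhausted = False
    if next_to_allocate > cur_hi:
        if alloc_pool == prev_pool:
            # Current pool used up and no standby pool: the DC must get a new
            # rIDAllocationPool from the RID Master before creating anything.
            exhausted = True
        else:
            # Move on to the standby pool already obtained from the RID Master.
            cur_lo, cur_hi = standby_lo, standby_hi
            next_to_allocate = cur_lo
    return {
        "dn": e["dn"][0],
        "current_pool": (cur_lo, cur_hi),
        "standby_pool": (standby_lo, standby_hi),
        "next_rid": None if exhausted else next_to_allocate,
        "remaining": 0 if exhausted else cur_hi - next_to_allocate + 1,
        "exhausted": exhausted,
    }


def make_sample_ldif(current: Pool, standby: Pool, next_rid: int) -> str:
    """Constructed rIDSet entry in ldbsearch style (DN and values are made up)."""
    return (
        "dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=samba,DC=example\n"
        "objectClass: rIDSet\n"
        f"rIDAllocationPool: {range_to_pool(*standby)}\n"
        f"rIDPreviousAllocationPool: {range_to_pool(*current)}\n"
        f"rIDNextRid: {next_rid}\n"
        "rIDUsedPool: 0\n"
    )


# Constructed samples: a DC part-way through its pool, and a DC with no RID Set.
SAMPLE_LDIF = make_sample_ldif((1100, 1599), (1600, 2099), 1107)
NO_RID_SET_LDIF = "# returned 0 records\n"

if __name__ == "__main__":
    print(rid_set_status(parse_ldif(SAMPLE_LDIF)))
    print(rid_set_status(parse_ldif(NO_RID_SET_LDIF)))
```

A result of None is the condition worth alerting on: a DC in that state looks healthy to replication but silently fails every user, group or machine creation routed to it, which is what made bug 9954 hard to diagnose.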