[PATCH] Re: Improving our RID Set Handling

Andrew Bartlett abartlet at samba.org
Thu Nov 3 04:11:17 UTC 2016

On Thu, 2016-11-03 at 17:05 +1300, Andrew Bartlett wrote:
> On Tue, 2016-11-01 at 21:21 +1300, Andrew Bartlett wrote:
> > There are two important bugs in Samba's handling of RID Sets that my
> > team at Catalyst has been working on.
> > 
> > "No RID Set DN - Failed to add RID Set CN=RID Set"
> > https://bugzilla.samba.org/show_bug.cgi?id=9954 is, as you can tell by
> > the number, really old, but we finally understand it:
> > 
> > Samba joins a domain, and joins a DC that is not the RID Master.
> > 
> > After startup, because the new server has no RID Set, it attempts to
> > contact the RID Master to get one.  If that fails, it can't add users.
> > 
> > If Samba is later made the RID master by force (seizing the role), the
> > automatic task to create a RID set won't operate.
> > 
> > Instead, the creation of the first user should create the RID set, but
> > because that is an LDAP user in this case, not via samba-tool, the
> > operation is not done 'as system', so it fails.
> > 
> > This effectively prevents joining new machines, additional domain
> > controllers or adding users to the domain, rendering it inert.
> Patches for this issue are attached.  There are extensive tests,
> including for dbcheck rules to confirm that no duplicate RID allocation
> is expected (i.e., bump the rIDNextRid value).
> Garming (in particular), please review carefully as I've had to fix up
> quite a few things once we finished the test today.
> > The second issue is
> > "RID allocation from moved RID master fails with missing mandatory
> > attribute"
> > https://bugzilla.samba.org/show_bug.cgi?id=12394
> > 
> > This prevents the allocation of new RID sets from a DC that has become
> > the RID Manager, but wasn't always in that role.  The case of
> > non-replicated mandatory attributes wasn't considered previously.
> Patches for this have landed.
> Thanks,

Finally, here are two more patches, WITHOUT TESTS, that make us try to
get a RID Set at runtime, as well as at the times where we might expect
to need one.

I'm less convinced they are required now, but here they are
 - allocate the rid set on a normal online transfer (but if we are able
to contact the rid master, surely we got one)
 - allocate the rid set if we are the RID Manager (but the seize should
have done that, or the post-upgrade dbcheck). 

Please don't push, but some thoughts welcome.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-drepl-Check-for-a-missing-RID-Set-on-the-RID-Master.patch
Type: text/x-patch
Size: 2166 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/b9f35518/0001-drepl-Check-for-a-missing-RID-Set-on-the-RID-Master.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-drepl-Check-for-a-missing-RID-Set-after-a-FSMO-Role-.patch
Type: text/x-patch
Size: 1289 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161103/b9f35518/0002-drepl-Check-for-a-missing-RID-Set-after-a-FSMO-Role-.bin>
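The sequence the thread describes, replayed as an added Python model. This is example code written for this page, not Samba's ridalloc module, dbcheck, or anything from the attached patches. Attribute names (rIDAvailablePool, rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRid) follow the AD schema and the 64-bit low/high packing of a pool is real; the 500-RID block size, the 0x3FFFFFFF ceiling, the `as_system` gate, the prefetch behaviour, and every class, method and variable name here are this example's own assumptions, and the domain in `replay_bug_9954` is constructed sample data.

```python
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass

POOL_SIZE = 500            # assumed size of one RID block handed to a DC
FIRST_RID = 1000           # assumed: RIDs below 1000 are well-known and reserved
RID_CEILING = 0x3FFFFFFF   # assumed upper bound of the domain's RID space

def pack_pool(lo: int, hi: int) -> int:
    """AD packs a pool into one 64-bit value: low 32 bits = first RID, high 32 bits = last RID."""
    return (hi << 32) | lo

def unpack_pool(value: int) -> Tuple[int, int]:
    return value & 0xFFFFFFFF, value >> 32

@dataclass
class RidSet:
    """Models CN=RID Set under a DC's computer object; a pool value of 0 means 'none'."""
    rid_allocation_pool: int           # rIDAllocationPool: block reserved for later
    rid_previous_allocation_pool: int  # rIDPreviousAllocationPool: block being consumed
    rid_next_rid: int                  # rIDNextRid: next RID to hand out from that block

class Domain:
    """RID Manager state (rIDAvailablePool plus the FSMO owner) and each DC's RID Set (or None)."""
    def __init__(self, first_dc: str) -> None:
        self.rid_available_pool = pack_pool(FIRST_RID, RID_CEILING)
        self.rid_master = first_dc
        self.rid_master_reachable = True
        self.dcs: Dict[str, Optional[RidSet]] = {first_dc: None}   # a joined DC starts without one

    def _fetch_pool(self, dc: str) -> int:
        """Carve the next block out of rIDAvailablePool; only the master may, others must reach it."""
        if dc != self.rid_master and not self.rid_master_reachable:
            raise ConnectionError(f"{dc}: cannot contact RID Master {self.rid_master}")
        lo, hi = unpack_pool(self.rid_available_pool)
        assert lo + POOL_SIZE - 1 <= hi, "rIDAvailablePool exhausted"
        self.rid_available_pool = pack_pool(lo + POOL_SIZE, hi)
        return pack_pool(lo, lo + POOL_SIZE - 1)

    def allocate_rid(self, dc: str, as_system: bool = True) -> int:
        """Hand out one RID, creating the RID Set or switching blocks when needed."""
        if self.dcs[dc] is None:
            if dc == self.rid_master and not as_system:   # bug 9954 path: plain LDAP add on the master
                raise PermissionError(f"{dc}: creating the RID Set needs system privileges")
            self.dcs[dc] = RidSet(self._fetch_pool(dc), 0, 0)
        rs = self.dcs[dc]
        _, hi = unpack_pool(rs.rid_previous_allocation_pool)
        if rs.rid_previous_allocation_pool == 0 or rs.rid_next_rid > hi:
            if rs.rid_allocation_pool == 0:
                rs.rid_allocation_pool = self._fetch_pool(dc)   # raises if the master is away
            rs.rid_previous_allocation_pool = rs.rid_allocation_pool
            rs.rid_next_rid = unpack_pool(rs.rid_allocation_pool)[0]
            try:                                               # prefetch the next block now
                rs.rid_allocation_pool = self._fetch_pool(dc)
            except ConnectionError:
                rs.rid_allocation_pool = 0                     # retry when this block runs dry
        rs.rid_next_rid += 1
        return rs.rid_next_rid - 1

    def check(self) -> List[str]:
        """dbcheck-style rules: blocks lie below the master's next free RID, never overlap, rIDNextRid is in range."""
        problems, blocks = [], []
        next_free, _ = unpack_pool(self.rid_available_pool)
        for dc, rs in self.dcs.items():
            if rs is None:
                problems.append(f"{dc}: no RID Set")
                continue
            for attr in ("rid_allocation_pool", "rid_previous_allocation_pool"):
                if pool := getattr(rs, attr):
                    lo, hi = unpack_pool(pool)
                    blocks.append((lo, hi, dc))
                    if hi >= next_free:
                        problems.append(f"{dc}: {attr} {lo}-{hi} not below rIDAvailablePool {next_free}")
            lo, hi = unpack_pool(rs.rid_previous_allocation_pool)
            if rs.rid_previous_allocation_pool and not lo <= rs.rid_next_rid <= hi + 1:
                problems.append(f"{dc}: rIDNextRid {rs.rid_next_rid} outside {lo}-{hi}")
        blocks.sort()
        problems += [f"{n1} block {lo1}-{hi1} overlaps {n2} block {lo2}-{hi2}"
                     for (lo1, hi1, n1), (lo2, hi2, n2) in zip(blocks, blocks[1:]) if lo2 <= hi1]
        return problems

def replay_bug_9954() -> dict:
    """Constructed replay: join, lose the master, seize, then add the first user via LDAP and as system."""
    d = Domain("dc1")
    d.allocate_rid("dc1")                        # the original master already holds a RID Set
    d.dcs["dc2"] = None                          # dc2 joins and starts with no RID Set
    d.rid_master_reachable = False               # the master goes away before dc2 obtains one
    out = {}
    try:
        d.allocate_rid("dc2")
    except ConnectionError:
        out["without_master"] = "no RID Set, cannot add users"
    d.rid_master = "dc2"                         # seize: moves the role, creates no RID Set
    try:
        d.allocate_rid("dc2", as_system=False)   # first user created through plain LDAP
    except PermissionError:
        out["ldap_add_after_seize"] = "fails"
    out["first_rid_as_system"] = d.allocate_rid("dc2")   # samba-tool / system path succeeds
    out["problems"] = d.check()                  # no duplicate or overlapping allocation
    return out
```

`check()` stands in for the kind of rule the thread says the new tests cover: once a block has been handed out, the RID Manager's next free RID must sit above it, and a RID Set's rIDNextRid must not point below the block it is consuming, otherwise two objects can end up with the same RID. Lowering `rid_available_pool` on a populated domain (a rolled-back or restored RID Manager) makes the check report every block that would be re-issued.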