Improving our RID Set Handling

garming at garming at
Thu Nov 3 09:06:34 UTC 2016

The new tests are good, I was expecting you would change the existing 
dbcheck code.

For this test:
     def test_join_time_ridalloc(self):

It joins fsmo_owner['dns_name'], but demotes from 
fsmo_not_owner['dns_name']. Is that going to cause problems?

There are also two RIDALLOCTEST6, as well as copy pasted comments.

I'm curious as to exactly how 'dsdb: Remove on-demand creation of the 
RID Set' results in passing the test (removal of the knownfail entry). 
That doesn't seem entirely clear.



On 2016-11-03 17:05, Andrew Bartlett wrote:
> On Tue, 2016-11-01 at 21:21 +1300, Andrew Bartlett wrote:
>> There are two important bugs in Samba's handling of RID Sets that my
>> team at Catalyst has been working on.
>> "No RID Set DN - Failed to add RID Set CN=RID Set"
>> is as you can tell by
>> the number, really old, but we finally understand it:
>> Samba joins a domain, and joins a DC that is not the RID Master.  
>> After startup, because the new server has no RID Set, it attempts to
>> contact the RID Master to get one.  If that fails, it can't add
>> users. 
>> If Samba is later made the RID master by force (seizing the role),
>> the
>> automatic task to create a RID set won't operate.
>> Instead, the creation of the first user should create the RID set,
>> but
>> because that is an LDAP user in this case, not via samba-tool the
>> operation is not done 'as system', so it fails. 
>> This effectively prevents joining new machines, additional domain
>> controllers or adding users to the domain, rendering it inert. 
> Patches for this issue are attached.  There are extensive tests,
> including for dbcheck rules to confirm that no duplicate RID allocation
>  is expected (ie, bump the rIDNextRid value).
> Garming (in particular) please review carefully as I've had to fix up
> quite a few things once we finished the test today.
>> The second issue is 
>> "RID allocation from moved RID master fails with missing mandatory
>> attribute"
>> This prevents the allocation of new RID sets from a DC that has
>> become
>> the RID Manager, but wasn't always in that role.  The case of non-
>> replicated mandatory attributes wasn't considered previously. 
> Patches for this have landed.
> Thanks,

More information about the samba-technical mailing list