Improving our RID Set Handling
garming at catalyst.net.nz
Thu Nov 3 09:06:34 UTC 2016
The new tests are good, I was expecting you would change the existing
dbcheck code.

For this test:

    def test_join_time_ridalloc(self):

It joins fsmo_owner['dns_name'], but demotes from
fsmo_not_owner['dns_name']. Is that going to cause problems?

There are also two RIDALLOCTEST6, as well as copy pasted comments.

I'm curious as to exactly how 'dsdb: Remove on-demand creation of the
RID Set' results in passing the test (removal of the knownfail entry).
That doesn't seem entirely clear.

Cheers,

Garming

On 2016-11-03 17:05, Andrew Bartlett wrote:
> On Tue, 2016-11-01 at 21:21 +1300, Andrew Bartlett wrote:
>> There are two important bugs in Samba's handling of RID Sets that my
>> team at Catalyst has been working on.
>>
>> "No RID Set DN - Failed to add RID Set CN=RID Set"
>> https://bugzilla.samba.org/show_bug.cgi?id=9954 is as you can tell by
>> the number, really old, but we finally understand it:
>>
>>
>> Samba joins a domain, and joins a DC that is not the RID Master.
>>
>> After startup, because the new server has no RID Set, it attempts to
>> contact the RID Master to get one. If that fails, it can't add
>> users.
>>
>> If Samba is later made the RID master by force (seizing the role), the
>> automatic task to create a RID set won't operate.
>>
>> Instead, the creation of the first user should create the RID set, but
>> because that is an LDAP user in this case, not via samba-tool the
>> operation is not done 'as system', so it fails.
>>
>> This effectively prevents joining new machines, additional domain
>> controllers or adding users to the domain, rendering it inert.
>
> Patches for this issue are attached. There are extensive tests,
> including for dbcheck rules to confirm that no duplicate RID allocation
> is expected (ie, bump the rIDNextRid value).
>
> Garming (in particular) please review carefully as I've had to fix up
> quite a few things once we finished the test today.
>
>> The second issue is
>> "RID allocation from moved RID master fails with missing mandatory
>> attribute"
>> https://bugzilla.samba.org/show_bug.cgi?id=12394
>>
>> This prevents the allocation of new RID sets from a DC that has become
>> the RID Manager, but wasn't always in that role. The case of
>> non-replicated mandatory attributes wasn't considered previously.
>
> Patches for this have landed.
>
> Thanks,