Improving our RID Set Handling
abartlet at samba.org
Fri Nov 4 10:26:15 UTC 2016
On Thu, 2016-11-03 at 17:05 +1300, Andrew Bartlett wrote:
> On Tue, 2016-11-01 at 21:21 +1300, Andrew Bartlett wrote:
> > There are two important bugs in Samba's handling of RID Sets that my
> > team at Catalyst has been working on.
> > "No RID Set DN - Failed to add RID Set CN=RID Set"
> > https://bugzilla.samba.org/show_bug.cgi?id=9954 is, as you can tell by
> > the number, really old, but we finally understand it:
> > Samba joins a domain, and joins a DC that is not the RID Master.
> > After startup, because the new server has no RID Set, it attempts to
> > contact the RID Master to get one. If that fails, it can't add users.
> > If Samba is later made the RID master by force (seizing the role), the
> > automatic task to create a RID set won't operate.
> > Instead, the creation of the first user should create the RID set, but
> > because that is an LDAP user in this case, not via samba-tool, the
> > operation is not done 'as system', so it fails.
> > This effectively prevents joining new machines, additional domain
> > controllers or adding users to the domain, rendering it inert.
> Patches for this issue are attached. There are extensive tests,
> including for dbcheck rules to confirm that no duplicate RID
> is expected (ie, bump the rIDNextRid value).
Patches for this are in master. However a patch to have us do a RID
Set allocation at the domain join didn't land, as it makes Samba lose
a race in between adding 1000 users on the not-rid-master and
refreshing the 500-at-a-time RID set.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
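Added example for readers following the thread: a toy Python model of per-DC RID Set allocation that reproduces the failure modes discussed above (no RID Set because the RID Master was unreachable, a burst of adds that outruns the 500-at-a-time block, and a dbcheck-style rule that bumps rIDNextRid so no duplicate RID can be issued). This is not Samba's ridalloc code and is not attached to the patches; the attribute names (rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRid) and the 64-bit lo/hi pool encoding follow AD, while the 500-RID block size, the synchronous fallback when no block was prefetched, the "rIDNextRid == 0 means nothing allocated yet" convention, and the class and function names are assumptions of this model.

```python
# Toy model of per-DC RID Set allocation.  NOT Samba's ridalloc code: the
# attribute names and lo/hi pool packing follow AD, but POOL_SIZE, the
# synchronous fallback and the rIDNextRid == 0 convention are assumptions.

POOL_SIZE = 500  # assumed block size the RID Master hands to each DC


def pack_pool(lo, hi):
    """AD stores a pool as one 64-bit int: high 32 bits = hi, low 32 bits = lo."""
    return (hi << 32) | lo


def unpack_pool(value):
    return value & 0xFFFFFFFF, value >> 32


class RidMaster:
    """Holder of the RID Master FSMO role; carves blocks from the domain pool."""

    def __init__(self, first_rid=1000, last_rid=0x3FFFFFFF):
        self.next_free = first_rid
        self.last_rid = last_rid
        self.reachable = True  # flip to False to simulate an unreachable master

    def request_pool(self):
        if not self.reachable:
            raise ConnectionError("RID Master unreachable")
        lo = self.next_free
        hi = min(lo + POOL_SIZE - 1, self.last_rid)
        self.next_free = hi + 1
        return pack_pool(lo, hi)


class DomainController:
    """A non-master DC and its RID Set object (None until one is obtained)."""

    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.rid_set = None

    def ensure_rid_set(self):
        """Create the RID Set on first use; fails if the master is unreachable."""
        if self.rid_set is None:
            try:
                pool = self.master.request_pool()
            except ConnectionError as e:
                raise RuntimeError(f"No RID Set DN on {self.name}: {e}") from e
            self.rid_set = {"rIDAllocationPool": pool,
                            "rIDPreviousAllocationPool": pool,
                            "rIDNextRid": 0}

    def refresh_pool(self):
        """Background-style refresh: fetch the next block ahead of exhaustion."""
        rs = self.rid_set
        if rs["rIDAllocationPool"] == rs["rIDPreviousAllocationPool"]:
            rs["rIDAllocationPool"] = self.master.request_pool()

    def allocate_rid(self):
        self.ensure_rid_set()
        rs = self.rid_set
        lo, hi = unpack_pool(rs["rIDPreviousAllocationPool"])
        rid = lo if rs["rIDNextRid"] == 0 else rs["rIDNextRid"] + 1
        if rid > hi:
            # Block exhausted: use the prefetched block if the refresh ran,
            # otherwise ask the master synchronously.  A burst of adds can
            # reach this point before the refresh task has had a chance to run.
            if rs["rIDAllocationPool"] == rs["rIDPreviousAllocationPool"]:
                self.refresh_pool()
            rs["rIDPreviousAllocationPool"] = rs["rIDAllocationPool"]
            rid, _ = unpack_pool(rs["rIDPreviousAllocationPool"])
        rs["rIDNextRid"] = rid
        return rid


def dbcheck_rid_set(rid_set, highest_rid_in_use):
    """dbcheck-style rule: if an object already holds a RID beyond rIDNextRid
    inside the current block, bump rIDNextRid so no duplicate can be issued.
    Returns True when a fix was applied."""
    lo, hi = unpack_pool(rid_set["rIDPreviousAllocationPool"])
    if lo <= highest_rid_in_use <= hi and highest_rid_in_use > rid_set["rIDNextRid"]:
        rid_set["rIDNextRid"] = highest_rid_in_use
        return True
    return False


def run_scenarios():
    """Exercise the failure modes from the thread; returns a summary dict."""
    master = RidMaster(first_rid=1000)
    dc2 = DomainController("dc2", master)

    # 1. Master unreachable after join: dc2 has no RID Set and cannot add users.
    master.reachable = False
    try:
        dc2.allocate_rid()
        first_add = "unexpected success"
    except RuntimeError as e:
        first_add = str(e)

    # 2. Master back: 1000 adds on the non-master span two 500-RID blocks
    #    and must never reuse a RID.
    master.reachable = True
    rids = [dc2.allocate_rid() for _ in range(1000)]

    # 3. dc3 allocated five RIDs, but objects up to RID 2010 exist (e.g. after
    #    a restore) while rIDNextRid still says 2004: dbcheck bumps it.
    dc3 = DomainController("dc3", master)
    for _ in range(5):
        dc3.allocate_rid()
    fixed = dbcheck_rid_set(dc3.rid_set, 2010)
    next_rid = dc3.allocate_rid()

    return {"first_add": first_add, "rids": rids, "fixed": fixed, "next_rid": next_rid}


if __name__ == "__main__":
    print(run_scenarios())
```

The model keeps the master's pool handout synchronous so the example runs offline; the comment in allocate_rid marks the point where, in a real deployment, many adds arriving before the refresh task runs are the race the message above refers to.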