[Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

Andrew Bartlett abartlet at samba.org
Tue Jul 23 14:37:02 MDT 2013


On Tue, 2013-07-23 at 20:38 +0100, Jonathan Hunter wrote:
> Hi,
> 
> In time honoured fashion I am replying to my own post, as I think I have
> figured out a workaround to my issue. Hopefully this will help others -
> here's what I did.
> 
> On 22 July 2013 22:01, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> 
> > Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
> > from source), but I get the following:
> >
> [...]
> 
> >  ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
> > -  <00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set
> > DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
> > Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
> > system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
> > Controllers,DC=mydomain,DC=org'!> <>
> >
> 
> >
> After some careful googling, and trying to figure out what the heck a RID
> Set was, and why it couldn't be added, I discovered it was a property of a
> domain controller, and I think I should really have one against my existing
> DC - but I didn't.
> 
> First step was ADSI Edit, to create it - but then I discovered that whilst
> ADSI Edit can create many things, a RID Set is not one of them.
> 
> Second step was LDIFDE: I exported the RID Set from my other DC (in the
> other site) and edited the LDIF to make a new RID Set for my existing DC, but
> couldn't import it ("The server is unwilling to process the request").
> 
> Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO
> role across between the DCs:
> 
> second-existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
> message must have elements/attributes!
> 
> The transfer was successful, but some kind of error occurred.. (!)

The error is a red herring, resolved in current versions.  There wasn't
actually an error :-)

> But, I was able to transfer the role back to the first DC - and this time,
> a RID Set finally appeared in AD! I did, however, get exactly the same
> error. This happened however many times I transferred the role, and for any
> role (I tried all of them :-))
> 
> existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
> message must have elements/attributes!
> 
> Still.. I have now been able to successfully join my domain - which does
> solve my initial problem, so I'm happy there at least.
> 
> (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure
> if this is good, or bad! :))

A DC should ask for a RID set to be created shortly after starting up,
and certainly once an attempt to create users is made.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
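The check Jonathan did by hand (which DCs actually have a "CN=RID Set" child object, the condition behind the LDAP error 53 above) can be scripted. The following is an added example, not code from this thread or from Samba itself. It assumes the two inputs come from ldbsearch run in LDIF form against sam.ldb (the path /usr/local/samba/private/sam.ldb is the default for a source build and is an assumption; adjust it); here both inputs are constructed sample output so the script runs offline.

```sh
#!/bin/sh
# Added example, not part of the original thread or of Samba itself.
# It reports which domain controllers lack a "CN=RID Set" child object.
# On a real DC the two inputs would come from ldbsearch, e.g.
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       -b 'OU=Domain Controllers,DC=mydomain,DC=org' '(objectClass=computer)' dn
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#       -b 'OU=Domain Controllers,DC=mydomain,DC=org' '(objectClass=rIDSet)' dn
# Here both are constructed LDIF samples so the script runs offline.

# Constructed: DC computer objects, as ldbsearch would print them.
DC_LDIF='# record 1
dn: CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org

# record 2
dn: CN=OTHER-DC,OU=Domain Controllers,DC=mydomain,DC=org

# record 3
dn: CN=NEW-DC,OU=Domain Controllers,DC=mydomain,DC=org

# returned 3 records
# 3 entries
# 0 referrals'

# Constructed: only OTHER-DC currently owns a RID Set.
RIDSET_LDIF='# record 1
dn: CN=RID Set,CN=OTHER-DC,OU=Domain Controllers,DC=mydomain,DC=org

# returned 1 records
# 1 entries
# 0 referrals'

# ldif_dns LDIF: print the value of every "dn:" line, one per line.
ldif_dns() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p'
}

# dcs_without_ridset DC_LDIF RIDSET_LDIF: print the DN of each DC for
# which no "CN=RID Set,<DC DN>" object exists in the rIDSet listing.
dcs_without_ridset() {
    ridsets=$(ldif_dns "$2")
    ldif_dns "$1" | while IFS= read -r dc; do
        if ! printf '%s\n' "$ridsets" | grep -Fxq "CN=RID Set,$dc"; then
            printf '%s\n' "$dc"
        fi
    done
}

# count_missing DC_LDIF RIDSET_LDIF: number of DCs without a RID Set.
count_missing() {
    dcs_without_ridset "$1" "$2" | grep -c .
}

# Stand-alone run: list the DCs that still need a RID Set. As in the
# thread, moving the RID master role (samba-tool fsmo transfer --role=rid)
# is one way to make the RID master allocate one for the DC that lacks it.
dcs_without_ridset "$DC_LDIF" "$RIDSET_LDIF"
```

With the constructed input the script lists EXISTING-DC and NEW-DC, matching the situation in the thread where the existing DC had no RID Set and the newly joined DC had not yet asked for one. Run the two ldbsearch commands shown in the comments on each DC in turn, since sam.ldb on a DC that cannot replicate may not match the others.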