[Samba] unique index violation on objectSid

Zhuchenko Valery zvn at belkam.com
Tue Jun 28 11:05:38 UTC 2016


I understand why I get the error about the unique index violation on objectSid:

samba-tool fsmo show
RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,...

The last created object has objectSid
S-1-5-21-763247336-2482037999-3416227170-2001 (it is a record for a computer).
The last digits are 2001, and the last assigned RID is 2001:

[root at pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set"
# record 3
dn: CN=RID Set,CN=PDC,OU=Domain Controllers,...
rIDNextRID: 2001
rIDPreviousAllocationPool: 1600-2099
rIDUsedPool: 1
rIDAllocationPool: 2600-3099

https://support.microsoft.com/en-us/kb/305475
RidNextRid The RID that was assigned to the last security principal that
was created on the local domain controller.
RidPreviousAllocationPool The pool from which RIDs are currently taken
RidAllocationPool Each domain controller has two pools: the one that
they are currently acting on, and the pool that they will use next. It
is the next pool

I think the next RID is 2002?
Trying to search:
[root at pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=AD\,... objectSid
dn: CN=username\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted Objects,DC=ad,...
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
It is deleted, but it exists.

What can I do to solve my problem? Maybe change rIDNextRID to 2099 on the
RID Master?

Valery

28.06.2016 10:00, Zhuchenko Valery:
> 27.06.2016 18:45, mathias dufresne:
>> Perhaps you don't yet have a duplicate objectSid, as that's not supposed to be
>> possible.
>> Rather than scripting something to look for objectSid used twice I would
>> start with dbcheck and other tools to verify that your database is
>> consistent and identical on all servers.
> 
> [root at pdc ~]# samba-tool dbcheck
> Checking 3346 objects
> Checked 3346 objects (0 errors)
> 
> [root at bdc ~]# samba-tool dbcheck
> Checking 3346 objects
> Checked 3346 objects (0 errors)
> 
> [root at dc46 ~]# samba-tool dbcheck
> Checking 3346 objects
> Checked 3346 objects (0 errors)
> 
> 
> [root at pdc ~]# samba-tool ldapcmp ldap://pdc ldap://bdc -Uadministrator
> --filter=msDS-NcType,serverState,subrefs,whenChanged
> Password for [administrator]:
> * Comparing [DOMAIN] context...
> * Objects to be compared: 3207
> * Result for [DOMAIN]: SUCCESS
> * Comparing [CONFIGURATION] context...
> * Objects to be compared: 1621
> * Result for [CONFIGURATION]: SUCCESS
> * Comparing [SCHEMA] context...
> * Objects to be compared: 1550
> * Result for [SCHEMA]: SUCCESS
> * Comparing [DNSDOMAIN] context...
> * Objects to be compared: 196
> * Result for [DNSDOMAIN]: SUCCESS
> * Comparing [DNSFOREST] context...
> * Objects to be compared: 19
> * Result for [DNSFOREST]: SUCCESS
> 
> [root at pdc ~]# samba-tool ldapcmp ldap://pdc ldap://dc46 -Uadministrator
> --filter=msDS-NcType,serverState,subrefs,whenChanged
> Password for [administrator]:
> * Comparing [DOMAIN] context...
> * Objects to be compared: 3207
> * Result for [DOMAIN]: SUCCESS
> * Comparing [CONFIGURATION] context...
> * Objects to be compared: 1621
> * Result for [CONFIGURATION]: SUCCESS
> * Comparing [SCHEMA] context...
> * Objects to be compared: 1550
> * Result for [SCHEMA]: SUCCESS
> * Comparing [DNSDOMAIN] context...
> * Objects to be compared: 196
> * Result for [DNSDOMAIN]: SUCCESS
> * Comparing [DNSFOREST] context...
> * Objects to be compared: 19
> * Result for [DNSFOREST]: SUCCESS
> 
>>
>> 2016-06-27 15:21 GMT+02:00 Zhuchenko Valery <zvn at belkam.com>:
>>
>>> Hi all!
>>>
>>> Today, after two years of production, I got this error:
>>>
>>> samba-tool user create test20160627 testpassword
>>>
>>> ERROR(ldb): Failed to add user 'test20160627':  -
>>> ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in
>>> CN=test20160627,CN=Users,DC=ad... - ../lib/ldb/ldb_tdb/ldb_index.c:1148:
>>> unique index violation on objectSid in CN=test20160627,CN=Users,DC=ad...
>>>
>>> Help me please, how to find which objectSid is not unique?
>>> I have 3 DC's on centos 7, samba 4.1 (I know, old version).
>>>
>>> Valery
> 
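The original question in this thread was how to find which objectSid is not unique, and the follow-up shows the real collision: rIDNextRID points at 2001 while a tombstoned object in CN=Deleted Objects still carries RID 2002. The script below is an added example, not code from the thread or from the Samba project. It parses ldbsearch-style LDIF output (the sample embedded in it is constructed to mirror the records quoted above; the domain SID, DNs and record numbers are placeholders), lists any objectSid carried by more than one object, and then walks the DC's active RID pool from rIDNextRID upward to report which RIDs are already taken by live or deleted objects and which is the first free one. It goes a little beyond the thread by handling exact duplicates as well as the deleted-object case. The ldbsearch invocation used to produce real input, and whether your build exposes deleted objects the way the partition-file search above did, are assumptions you must confirm on your own installation.

```python
import base64
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of the ldbsearch output quoted in the thread.
# Domain SID, DNs and record numbers are illustrative placeholders, not real data.
SAMPLE_LDIF = r"""# record 1
dn: CN=RID Set,CN=PDC,OU=Domain Controllers,DC=ad,DC=example
rIDNextRID: 2001
rIDPreviousAllocationPool: 1600-2099
rIDUsedPool: 1
rIDAllocationPool: 2600-3099

# record 2
dn: CN=WS01,CN=Computers,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2001

# record 3
dn: CN=username\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted Objects,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
isDeleted: TRUE

# record 4
dn: CN=alice,CN=Users,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-1999

# returned 4 records
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Parse LDIF/ldbsearch text into a list of {attribute: [values]} dicts.
    Attribute names are lowercased; folded lines and base64 (::) values are handled."""
    records, current = [], None
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for line in unfolded.splitlines():
        if not line.strip():               # blank line terminates a record
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):           # ldbsearch comments such as "# record 3"
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    if current:
        records.append(current)
    return records


def rid_of(sid):
    """Relative identifier (last sub-authority) of a domain SID, or None."""
    m = SID_RE.match(sid)
    return int(m.group(2)) if m else None


def find_duplicate_sids(records):
    """Map every objectSid used by more than one object to the DNs carrying it."""
    owners = defaultdict(list)
    for rec in records:
        for sid in rec.get("objectsid", []):
            owners[sid].append(rec["dn"][0])
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}


def rid_set(records):
    """(rIDNextRID, (pool_low, pool_high)) from the DC's RID Set object."""
    for rec in records:
        if "ridnextrid" in rec:
            low, high = rec["ridpreviousallocationpool"][0].split("-")
            return int(rec["ridnextrid"][0]), (int(low), int(high))
    raise ValueError("no RID Set object in input")


def next_free_rid(records):
    """First RID above rIDNextRID within the active pool that no object, live or
    tombstoned, already carries. Returns (candidate, skipped_rids_in_use)."""
    next_rid, (_, high) = rid_set(records)
    used = {rid_of(s) for r in records for s in r.get("objectsid", [])} - {None}
    skipped = []
    for rid in range(next_rid + 1, high + 1):
        if rid in used:
            skipped.append(rid)
            continue
        return rid, skipped
    return None, skipped


if __name__ == "__main__":
    # Pipe real ldbsearch output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    recs = parse_ldif(text)
    print("duplicate objectSids:", find_duplicate_sids(recs) or "none")
    candidate, skipped = next_free_rid(recs)
    print("RIDs after rIDNextRID already in use:", skipped)
    print("first free RID in active pool:", candidate)
```

On the constructed sample the duplicate check is empty, which matches the clean dbcheck and ldapcmp runs quoted above, while the pool walk reports 2002 as in use by the tombstone and 2003 as the first free RID. Treat the output as a diagnostic only: it tells you where the counter collides with existing objects, and any change to the RID Set itself is a decision for the list discussion, not something the script performs.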