[Samba] Duplicate ObjectSid values
rpenny at samba.org
Tue May 17 12:14:46 UTC 2016
On 17/05/16 12:11, ash-samba at comtek.co.uk wrote:
>> This is a serious situation. What it means is that the nextRid value
>> for that DC points at a user account that already exists, so when we
>> go to create it, the create fails.
> I've just looked at the LDAP output, and nextRid is 1000 for both dn:
> CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc
> The most recent successful new user (that I'm aware of) is objectSid:
> I can't see any objectSid entries which end in 1000 though. The lowest
> one we have is S-1-5-21-2702589905-558746101-3641499263-1101
>> That, and the other issue, suggests you have had some serious DB
>> corruption, and this may not be the only issue. Does a full dbcheck
>> pass? (Not just the reindex).
> dbcheck works on empire.
>> Is there another DC that still works, that you can replicate from?
>> (but you suggested other issues I think).
> We can successfully "/usr/bin/samba-tool user add" with alaska (a
> machine located on another continent, with a quite unreliable link!),
> and that gives us an account with
> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
> empire, so there is clearly some amount of working replication.
> Confusingly, after doing this nextRid is still 1000 on both machines.
This could be because you are looking at the wrong attribute in the
Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain
Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute
'rIDNextRID' it contains.
> Creating a new local DC (and decommissioning empire) would be a good
> solution for us. I can add a new DC (v-ward) by specifying
> --server=alaska.chester-dc, and I get no errors in the process. The
> samba process on v-ward isn't working, though. I'm still trying to
> debug this (currently it isn't even listening to port 389).
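
The check suggested in the reply, as an added example that is not part of the original thread or of Samba's own code: it reads an LDIF dump, reports duplicate objectSid values, and for each RID Set object tests whether the next RID would collide with an existing account or fall outside the DC's pool. The sample data is constructed, SIDs are assumed to be in the string form shown in the thread, and it is assumed that the next RID handed out is rIDNextRID + 1.

```python
import re
from collections import Counter

# Constructed sample, not data from the thread. Pool 1100-1599 is packed as (high << 32) | low.
POOL = (1599 << 32) | 1100
SAMPLE_LDIF = f"""\
dn: CN=user1,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1-2-3-1101

dn: CN=user2,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1-2-3-1102

dn: CN=user3,CN=Users,
 DC=example,DC=com
objectSid: S-1-5-21-1-2-3-1102

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com
rIDAllocationPool: {POOL}
rIDNextRID: 1101
"""

def parse_ldif(text):
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                rec.setdefault(key, []).append(value)
        if "dn" in rec:
            records.append(rec)
    return records

def audit(records):
    sids = [(r["objectSid"][0], r["dn"][0]) for r in records if "objectSid" in r]
    counts = Counter(sid for sid, _ in sids)
    duplicates = {s: [dn for sid, dn in sids if sid == s] for s, n in counts.items() if n > 1}
    used = {int(s.rsplit("-", 1)[1]) for s, _ in sids if s.startswith("S-1-5-21-")}
    findings = []
    for r in records:
        if "rIDNextRID" in r and "rIDAllocationPool" in r:
            nxt = int(r["rIDNextRID"][0]) + 1  # assumption: next allocation is rIDNextRID + 1
            pool = int(r["rIDAllocationPool"][0])
            lo, hi = pool & 0xFFFFFFFF, pool >> 32
            findings.append({"dn": r["dn"][0], "next_rid": nxt, "collides": nxt in used, "in_pool": lo <= nxt <= hi})
    return duplicates, findings

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```
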