[Samba] Duplicate ObjectSid values

ash-samba at comtek.co.uk ash-samba at comtek.co.uk
Tue May 17 13:14:21 UTC 2016 

>> We can successfully "/usr/bin/samba-tool user add" with alaska (a 
>> machine located on another continent, with a quite unreliable link!), 
>> and that gives us an account with 
>> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and 
>> empire, so there is clearly some amount of working replication. 
>> Confusingly, after doing this nextRid is still 1000 on both machines.
>
> This could be because you are looking at the wrong attribute in the 
> wrong place.
> Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain 
> Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute 
> 'rIDNextRID' it contains.

Interesting.

If, on Alaska, I do: ldbedit -H  ldap://localhost   -U ash

 > # record 122
 > dn: CN=RID Set,CN=ALASKA,OU=Domain 
Controllers,DC=chester-dc,DC=example,DC=com
 > objectClass: top
 > objectClass: rIDSet
 > cn: RID Set
 > instanceType: 4
 > whenCreated: 20141223180132.0Z
 > whenChanged: 20141223180132.0Z
 > uSNCreated: 12146
 > uSNChanged: 12146
 > showInAdvancedViewOnly: TRUE
 > name: RID Set
 > objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
 > rIDAllocationPool: 7100-7599
 > rIDUsedPool: 0
 > objectCategory: 
CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,
 >  DC=com
 > rIDPreviousAllocationPool: 7100-7599
 > rIDNextRID: 7126
 > distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain 
Controllers,DC=chester-dc,DC
 >  =example,DC=com


on empire, the same command shows

 > # record 122
 > dn: CN=RID Set,CN=ALASKA,OU=Domain 
Controllers,DC=chester-dc,DC=example,DC=com
 > objectClass: top
 > objectClass: rIDSet
 > cn: RID Set
 > instanceType: 4
 > whenCreated: 20141223180132.0Z
 > whenChanged: 20141223180132.0Z
 > uSNCreated: 39967
 > uSNChanged: 39967
 > showInAdvancedViewOnly: TRUE
 > name: RID Set
 > objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
 > rIDAllocationPool: 7100-7599
 > rIDPreviousAllocationPool: 0-0
 > rIDUsedPool: 0
 > rIDNextRID: 0
 > objectCategory: 
CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,
 >  DC=com
 > distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain 
Controllers,DC=chester-dc,DC
 >  =example,DC=com

The interesting thing is that alaska has got no other RID Set entries. 
empire has a RID Set for each of empire, alaska, hawaii, v-ward (though 
the value for rIDNextRID is 0 for each except for the empire entry 
itself, which is 2828). Is this normal?

The rIDNextRID 2828 does collide with the SID entry for dn: 
CN=DEEL059,CN=Computers,DC=chester-dc,DC=example,DC=com

More information about the samba mailing list