[Samba] Duplicate ObjectSid values

Rowland penny rpenny at samba.org
Tue May 17 14:14:32 UTC 2016


On 17/05/16 14:14, ash-samba at comtek.co.uk wrote:
>
>>> We can successfully "/usr/bin/samba-tool user add" with alaska (a 
>>> machine located on another continent, with a quite unreliable 
>>> link!), and that gives us an account with 
>>> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and 
>>> empire, so there is clearly some amount of working replication. 
>>> Confusingly, after doing this nextRid is still 1000 on both machines.
>>
>> This could be because you are looking at the wrong attribute in the 
>> wrong place.
>> Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain 
>> Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute 
>> 'rIDNextRID' it contains.
>
> Interesting.
>
> If, on Alaska, I do: ldbedit -H  ldap://localhost   -U ash
>
> > # record 122
> > dn: CN=RID Set,CN=ALASKA,OU=Domain 
> Controllers,DC=chester-dc,DC=example,DC=com
> > objectClass: top
> > objectClass: rIDSet
> > cn: RID Set
> > instanceType: 4
> > whenCreated: 20141223180132.0Z
> > whenChanged: 20141223180132.0Z
> > uSNCreated: 12146
> > uSNChanged: 12146
> > showInAdvancedViewOnly: TRUE
> > name: RID Set
> > objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
> > rIDAllocationPool: 7100-7599
> > rIDUsedPool: 0
> > objectCategory: 
> CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,
> >  DC=com
> > rIDPreviousAllocationPool: 7100-7599
> > rIDNextRID: 7126
> > distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain 
> Controllers,DC=chester-dc,DC
> >  =example,DC=com
>
>
> on empire, the same command shows
>
> > # record 122
> > dn: CN=RID Set,CN=ALASKA,OU=Domain 
> Controllers,DC=chester-dc,DC=example,DC=com
> > objectClass: top
> > objectClass: rIDSet
> > cn: RID Set
> > instanceType: 4
> > whenCreated: 20141223180132.0Z
> > whenChanged: 20141223180132.0Z
> > uSNCreated: 39967
> > uSNChanged: 39967
> > showInAdvancedViewOnly: TRUE
> > name: RID Set
> > objectGUID: b2f1c43e-4bd7-46dd-bdd8-6cc31f259655
> > rIDAllocationPool: 7100-7599
> > rIDPreviousAllocationPool: 0-0
> > rIDUsedPool: 0
> > rIDNextRID: 0
> > objectCategory: 
> CN=RID-Set,CN=Schema,CN=Configuration,DC=chester-dc,DC=example,
> >  DC=com
> > distinguishedName: CN=RID Set,CN=ALASKA,OU=Domain 
> Controllers,DC=chester-dc,DC
> >  =example,DC=com
>
> The interesting thing is that alaska has got no other RID Set entries. 
> empire has a RID Set for each of empire, alaska, hawaii, v-ward 
> (though the value for rIDNextRID is 0 for each except for the empire 
> entry itself, which is 2828). Is this normal?
>
> The rIDNextRID 2828 does collide with the SID entry for dn: 
> CN=DEEL059,CN=Computers,DC=chester-dc,DC=example,DC=com
>

OK, I just checked on my test domain, DC1 has 'CN=RID Set' for both DCs, 
but only shows 'rIDNextRID: 0' for DC2.
DC2 only has its own 'CN=RID Set' and shows rIDNextRID: 1605. It looks 
like this part of your AD is correct.

A quick check reveals that 'rIDNextRID' is one of Microsoft's famous 
mis-named attributes; it should really have been 'rIDLastRIDused' and is 
a non-replicating attribute.

Rowland
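As an added, offline illustration of the check being discussed in this thread (not code from the thread or from the Samba project), the script below parses an LDIF-style RID Set record like the ldbedit output quoted above and compares the DC's rIDNextRID and rIDAllocationPool against a list of existing objectSid values, reporting whether the next RID this DC would hand out already belongs to an object and whether any SID appears twice. The sample record and SID list are constructed from values seen in the thread (the second copy of RID 2828 is added to show duplicate detection); the rule that the next RID handed out is rIDNextRID + 1, or the bottom of the pool when rIDNextRID is 0, follows Rowland's remark that the attribute is really "last RID used" and is an assumption of this example, not something the thread verifies.

```python
"""Offline audit of a Samba AD DC's RID Set against known objectSid values.

Added example, not code from the thread or from Samba. Input is LDIF-style
text (as ldbedit/ldbsearch print it) plus a list of objectSid strings.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the RID Set record quoted in the thread.
# The dn is folded across two lines the way LDIF does it (continuation
# line starts with a single space) so the parser's unfolding is exercised.
SAMPLE_RID_SET_LDIF = """\
# record 122
dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=chester-dc,DC=example,
 DC=com
objectClass: top
objectClass: rIDSet
cn: RID Set
rIDAllocationPool: 7100-7599
rIDUsedPool: 0
rIDPreviousAllocationPool: 7100-7599
rIDNextRID: 7126
"""

# Constructed objectSid list, as if dumped from two DCs and merged; RID 2828
# appears twice on purpose to show the duplicate check firing.
SAMPLE_OBJECT_SIDS = [
    "S-1-5-21-2702589905-558746101-3641499263-500",
    "S-1-5-21-2702589905-558746101-3641499263-2828",
    "S-1-5-21-2702589905-558746101-3641499263-2828",
    "S-1-5-21-2702589905-558746101-3641499263-7125",
    "S-1-5-21-2702589905-558746101-3641499263-7127",
]

# Domain SID: S-1-5-21-<three sub-authorities>-<RID>; we capture the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_ldif_record(text: str) -> dict[str, list[str]]:
    """Parse one LDIF record into attribute -> list of values.

    Skips '#' comments and blank lines, unfolds continuation lines, and keeps
    multi-valued attributes (objectClass) as lists.
    """
    unfolded: list[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF line folding
        else:
            unfolded.append(line)
    attrs: dict[str, list[str]] = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


@dataclass
class RidSet:
    pool_low: int
    pool_high: int
    next_rid: int          # raw rIDNextRID as stored on this DC

    def in_pool(self, rid: int) -> bool:
        return self.pool_low <= rid <= self.pool_high


def load_rid_set(ldif: str) -> RidSet:
    attrs = parse_ldif_record(ldif)
    low, high = (int(x) for x in attrs["rIDAllocationPool"][0].split("-"))
    return RidSet(low, high, int(attrs["rIDNextRID"][0]))


def next_rid_to_allocate(rs: RidSet) -> int:
    # Assumption (per Rowland's remark that the attribute is really the last
    # RID used): 0 means nothing allocated yet, otherwise the next is +1.
    return rs.pool_low if rs.next_rid == 0 else rs.next_rid + 1


def rid_of(sid: str) -> int:
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def audit(ldif: str, sids: list[str]) -> dict:
    """Compare one DC's RID Set with the objectSid values already in use."""
    rs = load_rid_set(ldif)
    nxt = next_rid_to_allocate(rs)
    rids = {rid_of(s) for s in sids}
    counts = Counter(sids)
    in_pool = rs.in_pool(nxt)
    return {
        "pool": (rs.pool_low, rs.pool_high),
        "next_allocation": nxt,
        "next_allocation_in_pool": in_pool,
        "next_allocation_collides": nxt in rids,
        "rids_remaining": rs.pool_high - nxt + 1 if in_pool else 0,
        "pool_rids_in_use": sorted(r for r in rids if rs.in_pool(r)),
        "duplicate_sids": sorted(s for s, c in counts.items() if c > 1),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RID_SET_LDIF, SAMPLE_OBJECT_SIDS).items():
        print(f"{key}: {value}")
```

On a real DC you would feed it the RID Set record and an objectSid listing obtained with ldbsearch against the same ldap://localhost URL the thread uses with ldbedit; because rIDNextRID does not replicate, the record must come from the DC whose allocations you are checking, not from a peer that shows rIDNextRID as 0.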


