[Samba] Error "Failed extended allocation RID pool operation..."

Andrew Bartlett abartlet at samba.org
Fri Oct 28 08:51:41 UTC 2016


On Thu, 2016-09-22 at 22:17 -0500, Andrew Bartlett via samba wrote:
> On Mon, 2016-09-19 at 23:46 -0500, Andrew Bartlett via samba wrote:
> > 
> > On Mon, 2016-09-19 at 09:31 -0400, Adam Tauno Williams via samba
> > wrote:
> > > 
> > > 
> > > Package: sernet-samba-4.2.14-23.el6.x86_64
> > > 
> > > These DCs were very recently upgraded from a prior version.
> > > 
> > > [2016/09/19 09:32:55.168161,  0]
> > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature)
> > >   Bad SMB2 signature for message of size 202
> > > [2016/09/19 09:32:55.168511,  0]
> > > ../lib/util/util.c:559(dump_data)
> > >   [0000] 77 B3 94 9B 70 78 8B 21   1E 56 D0 78 E1 80 BB
> > > 5C   w...px.!
> > > .V.x...\
> > > [2016/09/19 09:32:55.168716,  0]
> > > ../lib/util/util.c:559(dump_data)
> > >   [0000] 17 AB 09 20 81 BD 6B FD   5B 12 89 98 6A 79 3B FE   ...
> > > ..k.
> > > [...jy;.
> > > [2016/09/19 09:32:55.189708,  0]
> > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature)
> > >   Bad SMB2 signature for message of size 208
> > > [2016/09/19 09:32:55.189999,  0]
> > > ../lib/util/util.c:559(dump_data)
> > >   [0000] 26 35 A6 E2 D7 47 17 4D   1A 0A 07 E2 8E B8 5B
> > > DC   &5...G.M
> > > ......[.
> > > [2016/09/19 09:32:55.190219,  0]
> > > ../lib/util/util.c:559(dump_data)
> > >   [0000] 21 19 4D 88 60 9A D5 4E   46 08 73 B0 A7 A0 22
> > > B6   !.M.`..N
> > > F.s...".
> > > [2016/09/19 09:32:55.208830,  0]
> > > ../source4/libcli/smb2/signing.c:116(smb2_check_signature)
> > >   Bad SMB2 signature for message of size 217
> > > [2016/09/19 09:32:55.209092,  0]
> > > ../lib/util/util.c:559(dump_data)
> > >   [0000] 9F FD 03 E1 61 4B 32 A8   9F 9D 50 DE 25 47 C0
> > > AF   ....aK2.
> > > ..P.%G..
> > > [2016/09/19 09:32:55.209305,  0]
> > > ../lib/util/util.c:559(dump_data)
> > >   [0000] C8 6B 73 58 EC 59 4E 06   46 26 7E DA D5 DE 4E
> > > 8F   .ksX.YN.
> > > F&~...N.
> > > [2016/09/19 09:33:02.991790,  0]
> > > ../source4/rpc_server/drsuapi/getncchanges.c:807(getncchanges_rid_alloc)
> > >   ../source4/rpc_server/drsuapi/getncchanges.c:807: Failed extended allocation RID pool operation - Failed to modify RID Set object CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us - objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on entry 'CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us' wasn't specified!
> > > [2016/09/19 09:33:03.814390,  0]
> > > ../source4/smb_server/smb2/sesssetup.c:242(smb2srv_cleanup_session_destructor)
> > 
> > To provide some background on this to avoid speculation:
> > 
> > rIDNextRid is a non-replicated attribute.  However it is also a
> > mandatory attribute.  This creates issues, because our code tries to
> > enforce the schema, even on 'system' operations, but this confusion as
> > to if the attribute should always be present causes us pain.
> > 
> > We just fixed a similar issue here:
> > https://bugzilla.samba.org/show_bug.cgi?id=12178
> > 
> > The issue is that the FSMO master doesn't ever see the ridNextRid
> > value, so if you add most of your users on the non-FSMO server, then
> > this will happen when the pool needs refreshing.
> > 
> > It is too late here for me to safely suggest hacks, but I can think of
> > workarounds to satisfy the check until we can just remove it
> > properly.
> 
> My untested thoughts are to set ridNextRid to 0 on the DC holding the
> RID master role, so that this check passes.
> 
> The correct fix is either to not enforce MUST restrictions on non-
> replicated attributes, or not enforce it for unrelated modifications.
> 
> I'm still a little confused how this ever worked in the first place,
> but we will look into it.  

Patches for this are on samba-technical and a bug has been filed as 
https://bugzilla.samba.org/show_bug.cgi?id=12394

In the meantime:

Set rIDNextRID and rIDPreviousAllocationPool to 0
on any 'CN=RID Set' object on the RID Master (as these values are not
replicated) for any DC where these values are not yet set.  

NEVER change a valid value to 0, just add the attribute on each CN=RID
Set.

You can see that this is reasonable because for servers that got their
RID set from the current RID master, these should already have zeros
for this attribute.

That should fix things for you, until we can get you the C patch to
remove the incorrect schema restriction.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
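
The interim workaround described in the message above, as an added example (not code from the original post or from Samba): it reads LDIF search output for the 'CN=RID Set' objects on the RID master and emits modify LDIF that adds a 0 only where rIDNextRID or rIDPreviousAllocationPool is absent. The function names and the sample DNs and values are constructed assumptions; the input is assumed to be LDIF such as ldbsearch produces, and the result is meant to be reviewed before being applied with ldbmodify.

```python
import base64
REQUIRED = ("rIDNextRID", "rIDPreviousAllocationPool")  # names from the message

def parse_ldif(text):
    """Parse ldbsearch-style LDIF into [(dn, {lowercased attr: [values]})]."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # unfold a continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
        elif not raw.strip() and lines:          # blank line ends the record
            attrs = {}
            for line in lines:
                name, _, value = line.partition(":")
                if value.startswith(":"):        # "attr:: <base64>"
                    value = base64.b64decode(value[1:]).decode("utf-8")
                attrs.setdefault(name.lower(), []).append(value.strip())
            if "dn" in attrs:
                entries.append((attrs.pop("dn")[0], attrs))
            lines = []
    return entries

def build_workaround_ldif(search_output):
    """Modify LDIF that adds 0 only where an attribute is absent."""
    out = []
    for dn, attrs in parse_ldif(search_output):
        missing = [a for a in REQUIRED if a.lower() not in attrs]
        if not dn.lower().startswith("cn=rid set,") or not missing:
            continue
        # "add:", not "replace:", so an existing value is never overwritten
        mods = "\n-\n".join(f"add: {a}\n{a}: 0" for a in missing)
        out.append(f"dn: {dn}\nchangetype: modify\n{mods}\n")
    return "\n".join(out)

# Constructed sample search output (hypothetical DC names and values)
SAMPLE = """\
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=example,DC=com
rIDPreviousAllocationPool: 1100-1599
rIDNextRID: 1234

dn: CN=RID Set,CN=DC2,OU=Domain Controllers,DC=example,DC=com

dn: CN=RID Set,CN=DC3,OU=Domain Controllers,
 DC=example,DC=com
ridNextRid: 0
"""

if __name__ == "__main__":
    print(build_workaround_ldif(SAMPLE))
```

Attribute names are compared case-insensitively, so an entry that already carries `ridNextRid` in any spelling is left alone for that attribute.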



