[Samba] Error "Failed extended allocation RID pool operation..."

Rowland Penny rpenny at samba.org
Mon Sep 19 16:21:41 UTC 2016


On Mon, 19 Sep 2016 11:57:38 -0400
Adam Tauno Williams via samba <samba at lists.samba.org> wrote:

> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
> > On Mon, 19 Sep 2016 10:42:34 -0400
> > Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
> 
> > > On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba wrote:
> > > > No it shouldn't be replicated, the big hint is
> > > > 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that 
> > > > holds the RID master FSMO role, so I suppose the question is, 
> > > > what does 'samba-tool fsmo show' display for the
> > > > RidAllocationMasterRole ?
> > Log into a DC, run 'samba-tool fsmo show' and look at the line that
> > starts 'RidAllocationMasterRole'
> > It should show 'CN=NTDS Settings,CN=LARKIN27'
> 
> [root at larkin28 ~]# samba-tool fsmo show
> ..
> RidAllocationMasterRole owner: CN=NTDS
> Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site
> -Name,CN=Sites,CN=Configuration,DC=micore,DC=us
> ...
> 
> > > Try running this on the DC: ldbsearch
> > > -H/usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
> > > rIDNextRID
> > It should show the DNs of your DCs followed by the contents
> > of the 'rIDNextRID' attributes. These should be '0' on all DCs 
> > except the RID master.
> 
> 
> [root at larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb 
>  '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> # record 2
> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> # record 3
> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> rIDNextRID: 53611
> # Referral
> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> # returned 6 records
> # 3 entries
> # 3 referrals
> 
> 
> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb 
>  '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> # record 2
> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> rIDNextRID: 55584
> # record 3
> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> # returned 6 records
> # 3 entries
> # 3 referrals
> 
> 
> [root at larkin27 ~]#  ldbsearch -H /var/lib/samba/private/sam.ldb 
>  '(objectClass=rIDSet)' dn rIDNextRID
> # record 1
> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
> # record 2
> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
> rIDNextRID: 55584
> # record 3
> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
> # Referral
> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
> # returned 6 records
> # 3 entries
> # 3 referrals
> 
> 

OK, on the DC that holds the RID master role:

root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
# record 1
dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
rIDNextRID: 0

# record 2
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
rIDNextRID: 1152

and on my other DC:

root at member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
# record 1
dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com

# record 2
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com

So as far as I understand it, you should only have the 'rIDNextRID'
attribute on the DC that holds the RID master role. I suggest you run
'samba-tool dbcheck' on your DCs.

Rowland
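
Added example (not part of the original message and not Samba project code): a Python script that tabulates the comparison done by hand in this thread. It parses saved 'ldbsearch' output from each DC plus the RID master line from 'samba-tool fsmo show', and lists which RID Set objects carry a rIDNextRID value on each DC. The function names are hypothetical and the sample input is constructed in the shape of the output quoted above.

```python
import re

def unfold(ldif):
    # LDIF wraps a long line onto the next one, which then starts with one space.
    return re.sub(r"\r?\n ", "", ldif)

def rid_sets(ldbsearch_output):
    """Map each RID Set's DC name to its rIDNextRID (None if the attribute is absent)."""
    found, current = {}, None
    for line in unfold(ldbsearch_output).splitlines():
        if not line.strip() or line.startswith(("#", "ref:")):
            continue  # skip record comments, referrals and blank separators
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            m = re.match(r"CN=RID Set,CN=([^,]+),", value.strip(), re.I)
            current = m.group(1).upper() if m else None
            if current:
                found[current] = None
        elif key.lower() == "ridnextrid" and current:
            found[current] = int(value.strip())
    return found

def rid_master(fsmo_show_output):
    """DC name taken from the 'RidAllocationMasterRole owner:' line."""
    m = re.search(r"RidAllocationMasterRole owner:\s*CN=NTDS Settings,CN=([^,]+),",
                  fsmo_show_output, re.I)
    return m.group(1).upper() if m else None

def report(fsmo_show_output, outputs_by_dc):
    """Rows of (queried DC, RID Set owner, rIDNextRID, owner is the RID master)."""
    master = rid_master(fsmo_show_output)
    rows = []
    for dc, out in sorted(outputs_by_dc.items()):
        for owner, value in sorted(rid_sets(out).items()):
            rows.append((dc.upper(), owner, value, owner == master))
    return rows

# Constructed sample input (not real output); one dn is wrapped to exercise unfold().
FSMO = ("RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,"
        "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com\n")
DC1_OUT = """\
# record 1
dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
rIDNextRID: 0

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=exa
 mple,DC=com
rIDNextRID: 1152
"""
MEMBER1_OUT = DC1_OUT.replace("rIDNextRID: 0\n", "").replace("rIDNextRID: 1152\n", "")
print(*report(FSMO, {"dc1": DC1_OUT, "member1": MEMBER1_OUT}), sep="\n")
```

Each row shows, for the DC that was queried, whether a given RID Set object has the attribute at all and whether that object belongs to the current RID master.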
