[Samba] Error "Failed extended allocation RID pool operation..."

Achim Gottinger achim at ag-web.biz
Mon Sep 19 17:19:08 UTC 2016



On 19.09.2016 at 19:08, Achim Gottinger via samba wrote:
>
>
> On 19.09.2016 at 18:21, Rowland Penny via samba wrote:
>> On Mon, 19 Sep 2016 11:57:38 -0400
>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>
>>> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
>>>> On Mon, 19 Sep 2016 10:42:34 -0400
>>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>>>> On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba wrote:
>>>>>> No it shouldn't be replicated, the big hint is
>>>>>> 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that
>>>>>> holds the RID master FSMO role, so I supposed the question is,
>>>>>> what does 'samba-tool fsmo show' display for the
>>>>>> RidAllocationMasterRole ?
>>>> Log into a DC, run 'samba-tool fsmo show' and look at the line that
>>>> starts 'RidAllocationMasterRole'
>>>> It should show 'CN=NTDS Settings,CN=LARKIN27'
>>> [root@larkin28 ~]# samba-tool fsmo show
>>> ..
>>> RidAllocationMasterRole owner: CN=NTDS Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=micore,DC=us
>>> ...
>>>
>>>>> Try running this on the DC: ldbsearch
>>>>> -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
>>>>> rIDNextRID
>>>> It should show the DNs of your DCs followed by the contents
>>>> of the 'rIDNextRID' attributes. These should be '0' on all DCs
>>>> except the RID master.
>>>
>>> [root@larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
>>> # record 1
>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>> # record 2
>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>> # record 3
>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>> rIDNextRID: 53611
>>> # Referral
>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>> # returned 6 records
>>> # 3 entries
>>> # 3 referrals
>>>
>>>
>>> [root@larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
>>> # record 1
>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>> # record 2
>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>> rIDNextRID: 55584
>>> # record 3
>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>> # returned 6 records
>>> # 3 entries
>>> # 3 referrals
>>>
>>>
>>> [root@larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
>>> # record 1
>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>> # record 2
>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>> rIDNextRID: 55584
>>> # record 3
>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>> # Referral
>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>> # returned 6 records
>>> # 3 entries
>>> # 3 referrals
>>>
>>>
>> OK, on the DC that holds the RID master role:
>>
>> root@dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
>> # record 1
>> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>> rIDNextRID: 0
>>
>> # record 2
>> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>> rIDNextRID: 1152
>>
>> and on my other DC:
>>
>> root@member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn rIDNextRID
>> # record 1
>> dn: CN=RID Set,CN=MEMBER1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>>
>> # record 2
>> dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>>
>> So as far as I understand it, you should only have the 'rIDNextRID'
>> attribute on the DC that holds the RID master role. I suggest you run
>> 'samba-tool dbcheck' on your DCs.
>>
>> Rowland
>>
> On my 4.4.5 test environment I also get these results. On a
> production domain running server 4.2.13 I get the following results.
> 1. Server with FSMO RID master role: nextRid>0 for the server and
> nextRid=0 for all other servers.
> 2. Other servers: nextRid>0 for the (other) server. No nextRid
> attribute for the other server.
> I have no issues on both environments atm.
After creating a user on my second and third DC in the 4.4.5 test
environment, these also have an rIDNextRID attribute and behave like the
4.2.13 domain. On both environments the rIDNextRID is different on all
DCs.
So it behaves like described in the article James posted.
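
The per-DC comparison done by hand in this thread, as an added example that is not part of the original messages or of Samba: it parses `ldbsearch` output collected from each DC and reports whether `rIDNextRID` sits on that DC's own RID Set entry or on another DC's. The sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: ldbsearch output keyed by the DC it was run on,
# modelled on the output quoted in this thread.
SAMPLE = {
    "LARKIN27": """\
# record 1
dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
# record 2
dn: CN=RID Set,CN=LARKIN27,OU=Domain Contr
 ollers,DC=micore,DC=us
rIDNextRID: 55584
ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
""",
    "LARKIN28": """\
# record 1
dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
# record 2
dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
rIDNextRID: 53611
""",
}

def parse_rid_sets(text):
    """Return {DC name: rIDNextRID or None} for each RID Set entry."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            m = re.match(r"dn:\s*CN=RID Set,CN=([^,]+),", line, re.I)
            current = m.group(1).upper() if m else None
            if current:
                result[current] = None
        elif line.lower().startswith("ridnextrid:") and current:
            result[current] = int(line.split(":", 1)[1])
    return result

def local_rid_report(outputs):
    """Per queried DC: (value on its own RID Set, other DCs' entries with a value)."""
    report = {}
    for host, text in outputs.items():
        sets = parse_rid_sets(text)
        others = sorted(d for d, v in sets.items() if d != host and v is not None)
        report[host] = (sets.get(host), others)
    return report

if __name__ == "__main__":
    for host, (own, others) in local_rid_report(SAMPLE).items():
        print(f"{host}: own rIDNextRID={own}; values on other DCs' entries: {others}")
```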




