[Samba] Error "Failed extended allocation RID pool operation..."

lingpanda101 at gmail.com lingpanda101 at gmail.com
Mon Sep 19 18:33:38 UTC 2016


On 9/19/2016 1:37 PM, Rowland Penny via samba wrote:
> On Mon, 19 Sep 2016 19:19:08 +0200
> Achim Gottinger via samba <samba at lists.samba.org> wrote:
>
>>
>> On 19.09.2016 at 19:08, Achim Gottinger via samba wrote:
>>>
>>> On 19.09.2016 at 18:21, Rowland Penny via samba wrote:
>>>> On Mon, 19 Sep 2016 11:57:38 -0400
>>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On Mon, 2016-09-19 at 16:15 +0100, Rowland Penny via samba wrote:
>>>>>> On Mon, 19 Sep 2016 10:42:34 -0400
>>>>>> Adam Tauno Williams via samba <samba at lists.samba.org> wrote:
>>>>>>> On Mon, 2016-09-19 at 15:15 +0100, Rowland Penny via samba
>>>>>>> wrote:
>>>>>>>> No it shouldn't be replicated, the big hint is
>>>>>>>> 'FLAG_ATTR_NOT_REPLICATED', it should only be on the DC that
>>>>>>>> holds the RID master FSMO role, so I suppose the question is,
>>>>>>>> what does 'samba-tool fsmo show' display for the
>>>>>>>> RidAllocationMasterRole ?
>>>>>> Log into a DC, run 'samba-tool fsmo show' and look at the line
>>>>>> that starts 'RidAllocationmasterRole'
>>>>>> It should show 'CN=NTDS Settings,CN=LARKIN27'
>>>>> [root at larkin28 ~]# samba-tool fsmo show
>>>>> ..
>>>>> RidAllocationMasterRole owner: CN=NTDS
>>>>> Settings,CN=LARKIN27,CN=Servers,CN=Default-First-Site
>>>>> -Name,CN=Sites,CN=Configuration,DC=micore,DC=us
>>>>> ...
>>>>>
>>>>>>> Try running this on the DC: ldbsearch
>>>>>>> -H/usr/local/samba/private/sam.ldb '(objectClass=rIDSet)' dn
>>>>>>> rIDNextRID
>>>>>> It should show the DNs of your DCs followed by the
>>>>>> contents of the 'rIDNextRID' attributes. These should be '0' on
>>>>>> all DCs except the RID master.
>>>>> [root at larkin28 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>>    '(objectClass=rIDSet)' dn rIDNextRID
>>>>> # record 1
>>>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 2
>>>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 3
>>>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>>>> rIDNextRID: 53611
>>>>> # Referral
>>>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>>>> # returned 6 records
>>>>> # 3 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>>> [root at larkin27 ~]# ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>>    '(objectClass=rIDSet)' dn rIDNextRID
>>>>> # record 1
>>>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 2
>>>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>>>> rIDNextRID: 55584
>>>>> # record 3
>>>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>>>> # returned 6 records
>>>>> # 3 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>>> [root at larkin27 ~]#  ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>>    '(objectClass=rIDSet)' dn rIDNextRID
>>>>> # record 1
>>>>> dn: CN=RID Set,CN=LARKIN26,OU=Domain Controllers,DC=micore,DC=us
>>>>> # record 2
>>>>> dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
>>>>> rIDNextRID: 55584
>>>>> # record 3
>>>>> dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/CN=Configuration,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=DomainDnsZones,DC=micore,DC=us
>>>>> # Referral
>>>>> ref: ldap://micore.us/DC=ForestDnsZones,DC=micore,DC=us
>>>>> # returned 6 records
>>>>> # 3 entries
>>>>> # 3 referrals
>>>>>
>>>>>
>>>> OK, on the DC that holds the RID master role:
>>>>
>>>> root at dc1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>> # record 1
>>>> dn: CN=RID Set,CN=MEMBER1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>> rIDNextRID: 0
>>>>
>>>> # record 2
>>>> dn: CN=RID Set,CN=DC1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com rIDNextRID: 1152
>>>>
>>>> and on my other DC:
>>>>
>>>> root at member1:~# ldbsearch -H /usr/local/samba/private/sam.ldb
>>>> '(objectClass=rIDSet)' dn rIDNextRID
>>>> # record 1
>>>> dn: CN=RID Set,CN=MEMBER1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>>
>>>> # record 2
>>>> dn: CN=RID Set,CN=DC1,OU=Domain
>>>> Controllers,DC=samdom,DC=example,DC=com
>>>>
>>>> So as far as I understand it, you should only have the
>>>> 'rIDNextRID' attribute on the DC that holds the RID master role. I
>>>> suggest you run 'samba-tool dbcheck' on your DCs
>>>>
>>>> Rowland
>>>>
>>> On my 4.4.5 test environment I also get these results. On a
>>> production domain running server 4.2.13 I get the following results.
>>> 1. Server with FSMO RID master role: nextRid>0 for the server and
>>> nextRid=0 for all other servers.
>>> 2. Other servers: nextRid>0 for the (other) server. No nextRid
>>> attribute for the other server.
>>> I have no issues on both environments atm.
>> After creating a user on my second and third DC in the 4.4.5 test
>> environment these also have an rIDNextRID attribute and behave like
>> the 4.2.13 domain. On both environments the rIDNextRID is different
>> on all DCs.
>> So it behaves like described in the article James posted.
>>
>>
>>
> Hmm, I always create users on the first DC, so I created one on the
> second DC and I now have a 'rIDNextRID' attribute on the second DC
> with, as expected, a different range, but it doesn't replicate (again
> as expected).
>
> Rowland
>   
>

To see RID pool info, run the following from a Windows command prompt.

dcdiag /s:DCNAME /test:ridmanager /v

Replace DCNAME with the DNS name of your Domain Controller. I wonder if 
OP has exhausted his RID pool. Unlikely but possible. I also see a 
similar post on this same issue.

https://lists.samba.org/archive/samba/2016-April/198879.html


-- 
-James
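
The per-DC comparison done by hand in the quoted thread can be scripted. This is an added example, not part of the original message or of Samba's tooling: it parses `ldbsearch ... '(objectClass=rIDSet)' dn rIDNextRID` output captured on each DC and flags a DC that holds a non-zero rIDNextRID for another DC's RID Set, or two DCs reporting the same value. The function names and the flagging rules are assumptions drawn from what the thread reports; the sample text is constructed.

```python
import re

def parse_rid_sets(output):
    """Map DC name -> rIDNextRID (None if absent) from ldbsearch text output."""
    text = re.sub(r"\r?\n ", "", output)  # unfold LDIF continuation lines, if any
    rid_sets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        dn = re.match(r"dn:\s*CN=RID Set,CN=([^,]+),", line, re.IGNORECASE)
        if dn:
            current = dn.group(1).upper()
            rid_sets[current] = None
        elif line.startswith("#") or not line:
            current = None  # record boundary
        elif current and line.lower().startswith("ridnextrid:"):
            rid_sets[current] = int(line.split(":", 1)[1])
    return rid_sets

def check_views(views):
    """views: {local DC name: ldbsearch output captured on that DC}."""
    findings, own_values = [], {}
    for local, output in views.items():
        local = local.upper()
        rid_sets = parse_rid_sets(output)
        if local not in rid_sets:
            findings.append(f"{local}: no RID Set object for itself")
        for dc, next_rid in rid_sets.items():
            if dc == local:
                own_values[local] = next_rid
            elif next_rid:  # 0 or absent is what the thread reports for other DCs
                findings.append(f"{local}: holds rIDNextRID={next_rid} for {dc}")
    seen = {}
    for dc, value in own_values.items():
        if value and value in seen:
            findings.append(f"{dc} and {seen[value]} share rIDNextRID={value}")
        elif value:
            seen[value] = dc
    return findings

# Constructed sample, modelled on the output quoted in the thread.
LARKIN27 = """# record 1
dn: CN=RID Set,CN=LARKIN27,OU=Domain Controllers,DC=micore,DC=us
rIDNextRID: 55584
# record 2
dn: CN=RID Set,CN=LARKIN28,OU=Domain Controllers,DC=micore,DC=us
"""
LARKIN28 = LARKIN27.replace("rIDNextRID: 55584\n", "") + "rIDNextRID: 53611\n"

if __name__ == "__main__":
    print(check_views({"larkin27": LARKIN27, "larkin28": LARKIN28}) or "no findings")
```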



