[Samba] SID ... conflicts with our current RID set in ...

Rowland penny rpenny at samba.org
Tue Jun 1 16:31:42 UTC 2021


On 01/06/2021 17:07, Marco Gaiarin via samba wrote:
> Doing some health check on my samba AD domain, i've got this:
>
>   root at vdcpp1:~# samba-tool dbcheck --cross-ncs
>   Checking 5173 objects
>   [... some warnings...]
>   SID S-1-5-21-160080369-3601385002-3131615632-2100 for CN=ENRICO,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it conflicts with our current RID set in CN=RID Set,CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=fvg,DC=lnf,DC=it
>   Please use --fix to fix these errors
>   Checked 5173 objects (1 errors)
>
> Two question:
>
> 1) why this error is DC specific and not domain-wide?


Because every DC has (or should have) its own RID pool

>   DC RID is not
>   written in AD but only in local DB?


RID's are in AD

>   If i run 'samba-tool dbcheck --cross-ncs' in another DC, there's no error...


Different RID pool

>
> 2) it is safe to use '--fix'? Or, because 'ENRICO' is a simple windows
>   pc, it is safer to simply delete 'ENRICO' computer account and rejoin
>   it?


Try '--fix' first, you can always fall back to leaving the domain and 
rejoining if it doesn't work.

Rowland


>
>
> Thanks.
>




More information about the samba mailing list