[Samba] SID ... conflicts with our current RID set in ...
Andrew Bartlett
abartlet at samba.org
Tue Jun 1 22:20:13 UTC 2021
On Wed, 2021-06-02 at 08:24 +1200, Andrew Bartlett via samba wrote:
> On Tue, 2021-06-01 at 17:31 +0100, Rowland penny via samba wrote:
> > On 01/06/2021 17:07, Marco Gaiarin via samba wrote:
> > > Doing some health check on my samba AD domain, I've got this:
> > >
> > > root@vdcpp1:~# samba-tool dbcheck --cross-ncs
> > > Checking 5173 objects
> > > [... some warnings...]
> > > SID S-1-5-21-160080369-3601385002-3131615632-2100 for
> > > CN=ENRICO,OU=Computers,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it
> > > conflicts with our current RID set in CN=RID
> > > Set,CN=VDCPP1,OU=Domain Controllers,DC=ad,DC=fvg,DC=lnf,DC=it
> > > Please use --fix to fix these errors
> > > Checked 5173 objects (1 errors)
> > >
> > > 2) it is safe to use '--fix'? Or, because 'ENRICO' is a simple windows
> > > pc, it is safer to simply delete 'ENRICO' computer account and rejoin
> > > it?
> >
For now just ignore it as I think we might have a bug, see below.
> > Try '--fix' first, you can always fall back to leaving the domain and
> > rejoining if it doesn't work.
>
> Thanks Rowland, this explains things very well.
>
> As background, which should probably go into the wiki some day, with
> the above:
>
> The 'fix' will advance the local RID allocation state in ridNextRid
> attribute until the conflict is resolved.
>
> However this should not ever have happened, if there was only ever one
> RID master the pools should never have overlapped and it should have
> been impossible for this to happen.
>
> Stealing RID master roles would be one way to get into this muddle, as
> would an improper domain restore. If neither of these have happened,
> some investigation might be worthwhile.
If that is the case, then see
https://gitlab.com/samba-team/samba/-/merge_requests/1986#note_590466438
This could very likely be a bug, thankfully one with a fix coming, and
without the fix the 'cure' would just burn a full RID pool to get to
the start of the next one.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
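
The conflict check and the effect of the fix discussed in this thread, as an added example (not Samba's dbcheck code and not written by the posters). It assumes the RID Set attributes rIDPreviousAllocationPool and rIDNextRID, with the pool packed as a 64-bit value (first RID in the low 32 bits, last RID in the high 32 bits), and it assumes a conflict means an existing RID that lies ahead of rIDNextRID inside the pool in use. Only the domain SID and the ENRICO SID come from the post; all other values are constructed.

```python
# Added illustration; not Samba's dbcheck implementation.
# Assumption: pool attributes pack the range as (last_rid << 32) | first_rid.

def split_pool(value):
    """Decode a 64-bit pool attribute into (first_rid, last_rid)."""
    value = int(value)
    return value & 0xFFFFFFFF, value >> 32

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def find_conflicts(domain_sid, rid_set, sids):
    """RIDs already on objects that this DC could still hand out.

    Assumption: that means rIDNextRID < rid <= end of the pool in use."""
    _, pool_hi = split_pool(rid_set["rIDPreviousAllocationPool"])
    next_rid = int(rid_set["rIDNextRID"])
    hits = set()
    for sid in sids:
        domain, rid = split_sid(sid)
        if domain == domain_sid and next_rid < rid <= pool_hi:
            hits.add(rid)
    return sorted(hits)

def next_rid_after_fix(rid_set, conflicts):
    """Advance rIDNextRID until no existing RID lies ahead of it."""
    return max([int(rid_set["rIDNextRID"]), *conflicts])

# Domain SID and the ENRICO SID are from the post; the rest is constructed.
DOMAIN_SID = "S-1-5-21-160080369-3601385002-3131615632"
RID_SET = {  # constructed values, stored as strings as LDAP returns them
    "rIDPreviousAllocationPool": str((2499 << 32) | 2000),
    "rIDNextRID": "2050",
}
SIDS = [
    DOMAIN_SID + "-2100",        # ENRICO, inside the unissued range
    DOMAIN_SID + "-1105",        # constructed, already behind rIDNextRID
    "S-1-5-21-1-2-3-2200",       # constructed, foreign domain: ignored
]

if __name__ == "__main__":
    conflicts = find_conflicts(DOMAIN_SID, RID_SET, SIDS)
    print("conflicting RIDs:", conflicts)
    print("rIDNextRID after fix:", next_rid_after_fix(RID_SET, conflicts))
    print("RIDs skipped:", next_rid_after_fix(RID_SET, conflicts) - 2050)
```

With these constructed values the fix skips 50 RIDs; the further a conflicting RID sits from rIDNextRID, the more of the pool is consumed without being assigned.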