[Samba] No RID Set found for this server. Can't self-allocate

Felipe Martínez Hermo felipe at galicia.ugt.org
Wed May 22 16:11:17 UTC 2024


Hi, there

I have been checking connections between my servers, trying to find the 
reason why my trouble server (VIG-DC3) does not reach the RID Master.

I have to describe my topology a little better.

These are my servers:

(Root) SAMBADC -> FSMO Roles Owner, including RID Master

(First level node) STG-DC -> Syncs correctly with SAMBADC (samba-tool 
drs replicate reports successful)

(Second level nodes)
OUR-DC (DOES have a RID set). Replicates with both SAMBADC and STG-DC
===================================
samba-tool drs replicate our-dc sambadc dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc dc=ForestDnsZones,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc dc=DomainDnsZones,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc cn=configuration,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
samba-tool drs replicate our-dc sambadc 
cn=Schema,cn=configuration,dc=ugt,dc=ldap
Replicate from sambadc to our-dc was successful.
===================================

VIG-DC3 (does NOT have a RID set). Replicates with STG-DC, fails to 
replicate with SAMBADC
===================================
samba-tool drs replicate vig-dc3 stg-dc dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc dc=ForestDnsZones,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc dc=DomainDnsZones,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc cn=configuration,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.
samba-tool drs replicate vig-dc3 stg-dc 
cn=Schema,cn=configuration,dc=ugt,dc=ldap
Replicate from stg-dc to vig-dc3 was successful.

root at vig-dc3:~# adsync.sh sambadc vig-dc3

samba-tool drs replicate vig-dc3 sambadc dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, 
in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc dc=ForestDnsZones,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, 
in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc dc=DomainDnsZones,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, 
in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc cn=configuration,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, 
in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)
samba-tool drs replicate vig-dc3 sambadc 
cn=Schema,cn=configuration,dc=ugt,dc=ldap
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (8453, 'WERR_DS_DRA_ACCESS_DENIED')
   File "/usr/lib/python3/dist-packages/samba/netcmd/drs.py", line 570, 
in run
     drs_utils.sendDsReplicaSync(server_bind, server_bind_handle, 
source_dsa_guid, NC, req_options)
   File "/usr/lib/python3/dist-packages/samba/drs_utils.py", line 100, 
in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)

===================================

The result if I run samba-tool drs replicate vig-dc3 sambadc 
dc=ugt,dc=ldap --full-sync is the same.

Also, I have observed in the tool "Active Directory Sites and services" 
that when it's connected to SAMBADC it does not show server VIG-DC3, 
although it is listed as a domain controller in "AD Users and 
computers". However, if "AD Sites and services" is connected to STG-DC 
it does show VIG-DC3 correctly.


The objectGUID CNAME record exists on both servers SAMBADC and STG-DC


Thanks in advance,


Felipe



On 21/5/24 at 21:59, Andrew Bartlett wrote:
> On Tue, 2024-05-21 at 18:24 +0200, Felipe Martínez Hermo via samba
> wrote:
>> Hello, everybody.
>>
>>
>> I have a Samba domain spread over 19 offices, 5 of them have a
>> domain
>> controller of their own.
>>
>> Some of these DC work fine now that I have a quite homogeneous set
>> of
>> samba versions. Most of them are Debian 11 with samba 4.17.
>>
>> The last two DC added (in different offices) have joined the domain
>> without problems, but both have the same problem. They can't find a
>> RID set:
>>
>> No RID Set found for this server: CN=COR-DC2,OU=Domain
>> Controllers,DC=my,DC=domain, and we are not the RID Master (so can
>> not
>> self-allocate)
>>
>> This means that they can't create any new objects, so every time I
>> need
>> to add a new computer or create a user, I have to take down these
>> servers and let the objects be created on the "healthy" servers.
>
> I suspect the new servers can't reach the RID master.
>
> Once the servers can reach the RID Master, try creating a user again,
> it may fail but should trigger getting a RID pool.
>
> Sadly we don't seem to have a way to trigger this manually with a
> samba-tool DRS command, which is an oversight.
>
>> I have checked Andrew's answer here:
>>
>> https://lists.samba.org/archive/samba/2018-May/215621.html
>>
>>
>> He says that eventually they will find a RID set, but it has
>> been
>> long enough and they don't seem to get a RID set.
> The note about join-time is correct, except it is possible to join
> without creating a RID set, if you didn't happen to join to the RID
> master.  (But we reduced these errors significantly by making it as
> proactive as possible).
>
> Andrew Bartlett
>
>
-- 
Felipe Martínez Hermo

IT Services

UGT Galicia

981 57 71 71

*Unión Xeral de Traballadoras e Traballadores*

Miguel Ferro Caaveiro, 12 - 15707, Santiago de Compostela




