Bug 10014 - Excessive RID allocation
Summary: Excessive RID allocation
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Duplicates: 9960
Reported: 2013-07-12 01:08 UTC by kristofer
Modified: 2013-07-18 17:51 UTC (History)
Attachments
patches cherry-picked from master (for 4-0-test) (1.83 KB, patch)
2013-07-12 01:26 UTC, Andrew Bartlett
metze: review+

Description kristofer 2013-07-12 01:08:25 UTC
I have a script that is adding about 16,000 users to my domain.

While monitoring the script, I noticed that as soon as a user is added, 500 additional RIDs are allocated from the RID Master.

Please see below the output of the "CN=RID Manager$,CN=System" and "CN=RID Set,CN=DC1,OU=Domain Controllers" containers between each user-add.

As you can see, in "CN=RID Set,CN=DC1,OU=Domain Controllers" rIDNextRID increments by one between each user, but there is a new rIDAllocationPool each time.  And to match that, inside of the "CN=RID Manager$,CN=System" container the rIDAvailablePool gets depleted by 500 between each new user.

Is this normal behavior, or a bug?  I thought the DC only requests 500 additional RIDs when it is close to being depleted - not on each object addition.


== Thu Jul 11 20:45:59 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4837600-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4837100-4837599
rIDNextRID: 4760494

== Thu Jul 11 20:46:10 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4838100-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4837600-4838099
rIDNextRID: 4760495

== Thu Jul 11 20:46:21 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4838600-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4838100-4838599
rIDNextRID: 4760496

== Thu Jul 11 20:46:32 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4839100-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4838600-4839099
rIDNextRID: 4760497

== Thu Jul 11 20:46:44 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4839600-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4839100-4839599
rIDNextRID: 4760498

== Thu Jul 11 20:46:55 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4840100-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4839600-4840099
rIDNextRID: 4760499
Comment 1 kristofer 2013-07-12 01:08:57 UTC
To add to this, I let my script continue until the rIDNextRID reached the end of the pool.  This caused a waste of about 129,000 RIDs.

This concerns me because Microsoft has used 8 billion RIDs in 12 years (http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx), and I have burned through almost 5 million in less than a year - and my organization is nowhere near the size of M$.

With Samba not supporting domain trusts, there is no ability to migrate users to a new domain, so if this is to continue and cause an excessive RID pool depletion, the missing domain trust feature of Samba will leave users dead with no way to get users onto a new domain with a fresh RID pool.


== Thu Jul 11 20:56:55 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4889100-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDUsedPool: 38
rIDAllocationPool: 4889100-4889599
rIDNextRID: 4760598

== Thu Jul 11 20:56:57 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4890100-1073741823

dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDAllocationPool: 4889600-4890099
rIDPreviousAllocationPool: 4889600-4890099
rIDUsedPool: 39
rIDNextRID: 4889601
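
Added example (not part of the bug report and not Samba code): a small auditor for snapshots in the format posted above, comparing RIDs drawn from rIDAvailablePool with RIDs actually issued via rIDNextRID. The function names `parse_snapshots` and `audit` are hypothetical, the sample is condensed from the first two snapshots in the description, and the "spare pool" test is a heuristic that assumes every snapshot carries all four attributes.

```python
import re

# Sample input: condensed from the first two snapshots in the description.
SAMPLE = """\
== Thu Jul 11 20:45:59 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4837600-1073741823
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDAllocationPool: 4837100-4837599
rIDNextRID: 4760494
== Thu Jul 11 20:46:10 EDT 2013 =====================
dn: CN=RID Manager$,CN=System,DC=ad,DC=domain,DC=com
rIDAvailablePool: 4838100-1073741823
dn: CN=RID Set,CN=DC1,OU=Domain Controllers,DC=ad,DC=domain,DC=com
rIDPreviousAllocationPool: 4760100-4760599
rIDAllocationPool: 4837600-4838099
rIDNextRID: 4760495
"""

def parse_snapshots(text):
    """Split on '== <timestamp> ==' headers and collect the rID* attributes."""
    snaps = []
    for line in text.splitlines():
        header = re.match(r"==\s*(.+?)\s*=+\s*$", line)
        attr = re.match(r"(rID\w+):\s*(\d+)(?:-(\d+))?\s*$", line)
        if header:
            snaps.append({"time": header.group(1)})
        elif attr and snaps:
            name, lo, hi = attr.groups()
            snaps[-1][name] = (int(lo), int(hi)) if hi else int(lo)
    return snaps

def audit(snaps):
    """Return (time, rids_drawn, rids_issued) for each wasteful interval."""
    findings = []
    for prev, cur in zip(snaps, snaps[1:]):
        drawn = cur["rIDAvailablePool"][0] - prev["rIDAvailablePool"][0]
        issued = cur["rIDNextRID"] - prev["rIDNextRID"]
        # Heuristic: the DC already held an unused spare pool
        # (rIDAllocationPool != rIDPreviousAllocationPool) yet drew another.
        had_spare = prev["rIDAllocationPool"] != prev["rIDPreviousAllocationPool"]
        if drawn > 0 and had_spare:
            findings.append((cur["time"], drawn, issued))
    return findings

if __name__ == "__main__":
    for when, drawn, issued in audit(parse_snapshots(SAMPLE)):
        print(f"{when}: {drawn} RIDs drawn from RID Manager, {issued} issued")
```

An interval where the DC had no spare pool (both pool attributes equal) and then drew one is not flagged, so a normal rollover stays quiet.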
Comment 2 Andrew Bartlett 2013-07-12 01:26:54 UTC
Created attachment 9041
patches cherry-picked from master (for 4-0-test)

This patch from master should resolve the issue and needs to be included in the next 4.0 release.
Comment 3 kristofer 2013-07-12 02:28:32 UTC
Tested patch, and it works as expected. Much better, thank you.
Comment 4 Stefan Metzmacher 2013-07-12 06:19:20 UTC
Comment on attachment 9041
patches cherry-picked from master (for 4-0-test)

Looks good
Comment 5 Stefan Metzmacher 2013-07-13 07:33:58 UTC
*** Bug 9960 has been marked as a duplicate of this bug. ***
Comment 6 Karolin Seeger 2013-07-15 19:06:17 UTC
Pushed to autobuild-v4-0-test.
Comment 7 Karolin Seeger 2013-07-18 17:51:48 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!