Bug 9954 - No RID Set DN - Failed to add RID Set CN=RID Set
Status: ASSIGNED
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.9
Hardware: x86 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 12453
Blocks:
Reported: 2013-06-17 10:36 UTC by Alberto Diaz
Modified: 2016-11-29 14:04 UTC (History)

See Also:


Attachments
specific patch for this issue (for master) (1.50 KB, patch)
2016-11-01 08:07 UTC, Andrew Bartlett
abartlet: review-

Description Alberto Diaz 2013-06-17 10:36:16 UTC
Can't join a w7 PC to my test domain.

Evaluating samba4 here. 2 w2k8 DC (offlined), 1 samba4 DC (the only online DC). The samba4 DC has seized all roles.

No log on samba server.

Here is my NetSetup.LOG on the client machine:

06/17/2013 12:19:08:872 NetpDsGetDcName: failed to find a DC having account 'PCS0022395V2$': 0x525, last error is 0x0
06/17/2013 12:19:08:872 NetpLoadParameters: loading registry parameters...
06/17/2013 12:19:08:872 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/17/2013 12:19:08:872 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/17/2013 12:19:08:872 NetpLoadParameters: status: 0x2
06/17/2013 12:19:08:872 NetpDsGetDcName: status of verifying DNS A record name resolution for 'samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:08:872 NetpDsGetDcName: found DC '\\samba4testserve.sscc.ctd.xxxxx.com' in the specified domain
06/17/2013 12:19:08:872 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
06/17/2013 12:19:09:043 NetpJoinDomain: status of connecting to dc '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:09:043 NetpProvisionComputerAccount:
06/17/2013 12:19:09:043 	lpDomain: sscc.ctd.xxxxx.com
06/17/2013 12:19:09:043 	lpMachineName: PCS0022395V2
06/17/2013 12:19:09:043 	lpMachineAccountOU: (NULL)
06/17/2013 12:19:09:043 	lpDcName: samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:09:043 	lpDnsHostName: (NULL)
06/17/2013 12:19:09:043 	lpMachinePassword: (null)
06/17/2013 12:19:09:043 	lpAccount: sscc.ctd.xxxxx.com\myuser
06/17/2013 12:19:09:043 	lpPassword: (non-null)
06/17/2013 12:19:09:043 	dwJoinOptions: 0x425
06/17/2013 12:19:09:043 	dwOptions: 0x40000003
06/17/2013 12:19:09:121 NetpLdapBind: Verified minimum encryption strength on samba4testserve.sscc.ctd.xxxxx.com: 0x0
06/17/2013 12:19:09:121 NetpLdapGetLsaPrimaryDomain: reading domain data
06/17/2013 12:19:09:121 NetpGetNCData: Reading NC data
06/17/2013 12:19:09:121 NetpGetDomainData: Lookup domain data for: DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:09:121 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:09:324 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Cracking DNS domain name sscc.ctd.xxxxx.com/ into Netbios on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Crack results: 	name = SSCC\
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Cracking account name SSCC\PCS0022395V2$ on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:09:371 NetpGetComputerObjectDn: Crack results: 	Account does not exist
06/17/2013 12:19:09:371 NetpCreateComputerObjectInDs: NetpGetComputerObjectDn failed: 0x534
06/17/2013 12:19:09:371 NetpProvisionComputerAccount: LDAP creation failed: 0x534
06/17/2013 12:19:09:371 ldap_unbind status: 0x0
06/17/2013 12:19:09:371 NetpJoinDomainOnDs: Function exits with status of: 0x534
06/17/2013 12:19:09:371 NetpJoinDomainOnDs: status of disconnecting from '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:09:371 NetpDoDomainJoin: status: 0x534
06/17/2013 12:19:09:402 -----------------------------------------------------------------
06/17/2013 12:19:09:402 NetpDoDomainJoin
06/17/2013 12:19:09:402 NetpMachineValidToJoin: 'PCS0022395V2'
06/17/2013 12:19:09:402 	OS Version: 6.1
06/17/2013 12:19:09:402 	Build number: 7601 (7601.win7sp1_rtm.101119-1850)
06/17/2013 12:19:09:402 	ServicePack: Service Pack 1
06/17/2013 12:19:09:402 	SKU: Windows 7 Professional
06/17/2013 12:19:09:402 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
06/17/2013 12:19:09:402 NetpGetLsaPrimaryDomain: status: 0x0
06/17/2013 12:19:09:402 NetpMachineValidToJoin: status: 0x0
06/17/2013 12:19:09:402 NetpJoinDomain
06/17/2013 12:19:09:402 	Machine: PCS0022395V2
06/17/2013 12:19:09:402 	Domain: sscc.ctd.xxxxx.com
06/17/2013 12:19:09:402 	MachineAccountOU: (NULL)
06/17/2013 12:19:09:402 	Account: sscc.ctd.xxxxx.com\myuser
06/17/2013 12:19:09:402 	Options: 0x427
06/17/2013 12:19:09:402 NetpLoadParameters: loading registry parameters...
06/17/2013 12:19:09:402 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/17/2013 12:19:09:402 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/17/2013 12:19:09:402 NetpLoadParameters: status: 0x2
06/17/2013 12:19:09:402 NetpValidateName: checking to see if 'sscc.ctd.xxxxx.com' is valid as type 3 name
06/17/2013 12:19:09:402 NetpValidateName: 'sscc.ctd.xxxxx.com' is not a valid NetBIOS domain name: 0x7b
06/17/2013 12:19:09:730 NetpCheckDomainNameIsValid [ Exists ] for 'sscc.ctd.xxxxx.com' returned 0x0
06/17/2013 12:19:09:730 NetpValidateName: name 'sscc.ctd.xxxxx.com' is valid for type 3
06/17/2013 12:19:09:730 NetpDsGetDcName: trying to find DC in domain 'sscc.ctd.xxxxx.com', flags: 0x40001010
06/17/2013 12:19:24:737 NetpDsGetDcName: failed to find a DC having account 'PCS0022395V2$': 0x525, last error is 0x0
06/17/2013 12:19:24:737 NetpLoadParameters: loading registry parameters...
06/17/2013 12:19:24:737 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
06/17/2013 12:19:24:737 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
06/17/2013 12:19:24:737 NetpLoadParameters: status: 0x2
06/17/2013 12:19:24:737 NetpDsGetDcName: status of verifying DNS A record name resolution for 'samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:24:737 NetpDsGetDcName: found DC '\\samba4testserve.sscc.ctd.xxxxx.com' in the specified domain
06/17/2013 12:19:24:737 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
06/17/2013 12:19:24:893 NetpJoinDomain: status of connecting to dc '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:24:893 NetpProvisionComputerAccount:
06/17/2013 12:19:24:893 	lpDomain: sscc.ctd.xxxxx.com
06/17/2013 12:19:24:893 	lpMachineName: PCS0022395V2
06/17/2013 12:19:24:893 	lpMachineAccountOU: (NULL)
06/17/2013 12:19:24:893 	lpDcName: samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:24:893 	lpDnsHostName: (NULL)
06/17/2013 12:19:24:893 	lpMachinePassword: (null)
06/17/2013 12:19:24:893 	lpAccount: sscc.ctd.xxxxx.com\myuser
06/17/2013 12:19:24:893 	lpPassword: (non-null)
06/17/2013 12:19:24:893 	dwJoinOptions: 0x427
06/17/2013 12:19:24:893 	dwOptions: 0x40000003
06/17/2013 12:19:24:940 NetpLdapBind: Verified minimum encryption strength on samba4testserve.sscc.ctd.xxxxx.com: 0x0
06/17/2013 12:19:24:940 NetpLdapGetLsaPrimaryDomain: reading domain data
06/17/2013 12:19:24:940 NetpGetNCData: Reading NC data
06/17/2013 12:19:24:940 NetpGetDomainData: Lookup domain data for: DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:24:940 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:25:158 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
06/17/2013 12:19:25:158 NetpGetComputerObjectDn: Cracking DNS domain name sscc.ctd.xxxxx.com/ into Netbios on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:158 NetpGetComputerObjectDn: Crack results: 	name = SSCC\
06/17/2013 12:19:25:158 NetpGetComputerObjectDn: Cracking account name SSCC\PCS0022395V2$ on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Crack results: 	Account does not exist
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Cracking Netbios domain name SSCC\ into root DN on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Crack results: 	name = DC=sscc,DC=ctd,DC=xxxxxx,DC=com
06/17/2013 12:19:25:174 NetpGetComputerObjectDn: Got DN CN=PCS0022395V2,CN=Computers,DC=sscc,DC=ctd,DC=xxxxx,DC=com from the default computer container
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Initial attribute values:
06/17/2013 12:19:25:174 		objectClass  =  Computer
06/17/2013 12:19:25:174 		SamAccountName  =  PCS0022395V2$
06/17/2013 12:19:25:174 		userAccountControl  =  0x1000
06/17/2013 12:19:25:174 		DnsHostName  =  PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 		ServicePrincipalName  =  HOST/PCS0022395V2.sscc.ctd.xxxxx.com  RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com  HOST/PCS0022395V2  RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:174 		unicodePwd  =  <SomePassword>
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Attribute values to set:
06/17/2013 12:19:25:174 		objectClass  =  Computer
06/17/2013 12:19:25:174 		SamAccountName  =  PCS0022395V2$
06/17/2013 12:19:25:174 		userAccountControl  =  0x1000
06/17/2013 12:19:25:174 		DnsHostName  =  PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:174 		ServicePrincipalName  =  HOST/PCS0022395V2.sscc.ctd.xxxxx.com  RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com  HOST/PCS0022395V2  RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:174 		unicodePwd  =  <SomePassword>
06/17/2013 12:19:25:205 NetpMapGetLdapExtendedError: Parsed [0x2035] from server extended error string: 00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com'!NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x3eb
06/17/2013 12:19:25:205 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x3eb
06/17/2013 12:19:25:205 NetpCreateComputerObjectInDsW2K: Try again setting password separately from creation i.e. DC may be W2K
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Cracking DNS domain name sscc.ctd.xxxxx.com/ into Netbios on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Crack results: 	name = SSCC\
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Cracking account name SSCC\PCS0022395V2$ on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Crack results: 	Account does not exist
06/17/2013 12:19:25:205 NetpGetComputerObjectDn: Cracking Netbios domain name SSCC\ into root DN on \\samba4testserve.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:221 NetpGetComputerObjectDn: Crack results: 	name = DC=sscc,DC=ctd,DC=xxxxx,DC=com
06/17/2013 12:19:25:221 NetpGetComputerObjectDn: Got DN CN=PCS0022395V2,CN=Computers,DC=sscc,DC=ctd,DC=xxxxx,DC=com from the default computer container
06/17/2013 12:19:25:221 NetpModifyComputerObjectInDs: Initial attribute values:
06/17/2013 12:19:25:221 		objectClass  =  Computer
06/17/2013 12:19:25:221 		SamAccountName  =  PCS0022395V2$
06/17/2013 12:19:25:221 		userAccountControl  =  0x1000
06/17/2013 12:19:25:221 		DnsHostName  =  PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:221 		ServicePrincipalName  =  HOST/PCS0022395V2.sscc.ctd.xxxxx.com  RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com  HOST/PCS0022395V2  RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:221 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
06/17/2013 12:19:25:221 NetpModifyComputerObjectInDs: Attribute values to set:
06/17/2013 12:19:25:221 		objectClass  =  Computer
06/17/2013 12:19:25:221 		SamAccountName  =  PCS0022395V2$
06/17/2013 12:19:25:221 		userAccountControl  =  0x1000
06/17/2013 12:19:25:221 		DnsHostName  =  PCS0022395V2.sscc.ctd.xxxxx.com
06/17/2013 12:19:25:221 		ServicePrincipalName  =  HOST/PCS0022395V2.sscc.ctd.xxxxx.com  RestrictedKrbHost/PCS0022395V2.sscc.ctd.xxxxx.com  HOST/PCS0022395V2  RestrictedKrbHost/PCS0022395V2
06/17/2013 12:19:25:236 NetpMapGetLdapExtendedError: Parsed [0x2035] from server extended error string: 00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com'!NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x3eb
06/17/2013 12:19:25:236 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x3eb
06/17/2013 12:19:25:236 ldap_unbind status: 0x0
06/17/2013 12:19:25:236 NetpJoinDomainOnDs: Function exits with status of: 0x3eb
06/17/2013 12:19:25:236 NetpJoinDomainOnDs: status of disconnecting from '\\samba4testserve.sscc.ctd.xxxxx.com': 0x0
06/17/2013 12:19:25:236 NetpDoDomainJoin: status: 0x3eb
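A small triage parser for NetSetup.LOG, added here as an example (it is not Samba or Windows code): it splits the log into join attempts at the dashed separator, pulls the final NetpDoDomainJoin status, the LDAP result of the failed add, the DS error code and the Samba source location out of the server extended error string, so the run-on line above resolves to ridalloc.c:517 and this bug. The sample excerpt is taken from the log above; the Win32 and LDAP name tables are limited to the codes seen here, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Codes that appear in the NetSetup.LOG above: Win32 values as in winerror.h,
# LDAP result codes as in RFC 4511.
WIN32_ERRORS = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x7b: "ERROR_INVALID_NAME",
    0x525: "ERROR_NO_SUCH_USER",
    0x534: "ERROR_NONE_MAPPED",
    0x3eb: "ERROR_CAN_NOT_COMPLETE",
    0x2035: "ERROR_DS_UNWILLING_TO_PERFORM",
}
LDAP_RESULT_CODES = {0x35: "unwillingToPerform"}

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} (?P<msg>.*)$")
EXT_ERR_RE = re.compile(
    r"NetpMapGetLdapExtendedError: Parsed \[(?P<code>0x[0-9a-fA-F]+)\] "
    r"from server extended error string: (?P<body>.*)")
# Samba's DSDB returns extended errors as "<8 hex digits>: <file>.c:<line>: <text>".
SAMBA_ERR_RE = re.compile(
    r"^(?P<hex>[0-9A-Fa-f]{8}): (?P<src>\S+\.c):(?P<line>\d+): (?P<text>.*)$")
LDAP_ADD_RE = re.compile(
    r"ldap_add_s failed: (?P<ldap>0x[0-9a-fA-F]+) (?P<win32>0x[0-9a-fA-F]+)")
FINAL_RE = re.compile(r"NetpDoDomainJoin: status: (?P<code>0x[0-9a-fA-F]+)")


@dataclass
class JoinAttempt:
    final_status: Optional[int] = None   # NetpDoDomainJoin status (Win32)
    ldap_result: Optional[int] = None    # LDAP result code of the failed add
    ds_error: Optional[int] = None       # DS error parsed from the extended string
    samba_source: Optional[str] = None   # "<file>.c:<line>" when the DC is Samba
    samba_message: Optional[str] = None

    def describe(self) -> str:
        def name(table, code):
            return f"{table.get(code, 'unknown')} ({code:#x})"
        parts = []
        if self.final_status is not None:
            parts.append("join status " + name(WIN32_ERRORS, self.final_status))
        if self.ldap_result is not None:
            parts.append("LDAP add rejected: " + name(LDAP_RESULT_CODES, self.ldap_result))
        if self.ds_error is not None:
            parts.append("DS error " + name(WIN32_ERRORS, self.ds_error))
        if self.samba_source:
            parts.append(f"raised in {self.samba_source}: {self.samba_message}")
        return "; ".join(parts)


def parse_netsetup_log(text: str) -> List[JoinAttempt]:
    """Split a NetSetup.LOG into join attempts (separated by a dashed line)
    and pull out the final status plus any server-side extended error."""
    attempts = [JoinAttempt()]
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("-----"):
            attempts.append(JoinAttempt())
            continue
        cur = attempts[-1]
        ext = EXT_ERR_RE.search(msg)
        if ext:
            cur.ds_error = int(ext.group("code"), 16)
            samba = SAMBA_ERR_RE.match(ext.group("body"))
            if samba:
                cur.samba_source = f"{samba.group('src')}:{samba.group('line')}"
                text_part = samba.group("text")
                # In the copy above the next log entry ran onto this line after the
                # closing '!'; keep only the Samba message itself.
                tail = text_part.find("!Netp")
                cur.samba_message = text_part[:tail + 1] if tail != -1 else text_part
        add = LDAP_ADD_RE.search(msg)
        if add:
            cur.ldap_result = int(add.group("ldap"), 16)
        fin = FINAL_RE.search(msg)
        if fin:
            cur.final_status = int(fin.group("code"), 16)
    return [a for a in attempts if a.final_status is not None or a.ds_error is not None]


def is_rid_set_missing(attempt: JoinAttempt) -> bool:
    """True when the DC rejected the add because it has no RID Set (this bug)."""
    return "No RID Set DN" in (attempt.samba_message or "")


# Excerpt of the log from the report above (the run-together line kept as printed).
SAMPLE_LOG = """\
06/17/2013 12:19:09:371 NetpProvisionComputerAccount: LDAP creation failed: 0x534
06/17/2013 12:19:09:371 NetpDoDomainJoin: status: 0x534
06/17/2013 12:19:09:402 -----------------------------------------------------------------
06/17/2013 12:19:09:402 NetpDoDomainJoin
06/17/2013 12:19:25:174 NetpModifyComputerObjectInDs: Computer Object does not exist in OU
06/17/2013 12:19:25:205 NetpMapGetLdapExtendedError: Parsed [0x2035] from server extended error string: 00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=SAMBA4TESTSERVER,OU=Domain Controllers,DC=sscc,DC=ctd,DC=xxxxx,DC=com'!NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x3eb
06/17/2013 12:19:25:205 NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x3eb
06/17/2013 12:19:25:236 NetpDoDomainJoin: status: 0x3eb
"""

if __name__ == "__main__":
    for a in parse_netsetup_log(SAMPLE_LOG):
        print(a.describe(), "| RID Set missing:", is_rid_set_missing(a))
```

Run against a full NetSetup.LOG the second attempt reports ERROR_CAN_NOT_COMPLETE at the join level, unwillingToPerform / ERROR_DS_UNWILLING_TO_PERFORM from LDAP, and the Samba file and line that produced the refusal; the 0x534 (ERROR_NONE_MAPPED) of the first attempt is just the client discovering that the computer account does not exist yet and is not the fault.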
Comment 1 Alberto Diaz 2013-07-03 08:47:46 UTC
Upgraded to samba 4.0.7, same errors
Comment 2 Alberto Diaz 2013-09-05 11:01:56 UTC
Upgraded to samba 4.0.9, same errors
Comment 3 Andrew Bartlett 2013-09-05 23:13:44 UTC
(In reply to comment #2)
> Upgraded to samba 4.0.9, same errors

I think we need to have the creation of the RID set be done 'as_system'.
Comment 4 Andrew Bartlett 2016-10-28 09:13:13 UTC
A patch for this is at: http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/rid-set-clive

As to how this happens, what I see is:

Samba joins a domain, and joins a DC that is not the RID Master.  

After startup, because the new server has no RID Set, it attempts to contact the RID Master to get one.  If that fails, it can't add users. 

If Samba is later made the RID master by force (seizing the role), the automatic task to create a RID set won't operate.

Instead, the creation of the first user should create the RID set, but because that is an LDAP user in this case, not via samba-tool, the operation is not done 'as system', so it fails. 

This effectively prevents joining new machines, additional domain controllers or adding users to the domain, rendering it inert. 

The fix is to have samba-tool dbcheck able to detect a RID master with no rid set, and to have the seize and transfer commands also allocate a RID set if required.  The code to add a RID set when adding users also needs to be fixed.

Finally, if we join a DC who is the RID master, we should move the RID Set allocation to the join, to make things more failsafe in this common situation. 

To test, we will join Samba as a DC to a DC that is the RID master, and confirm that the RID set is present.  

We will then join Samba as a DC to a DC that is NOT the RID master, and then (offline) seize the role.  We will confirm we get a RID Set at this point. 

Finally, to test the new logic in the patches to fix duplicate SIDs, we will then add 500 users to the live DC, then 'samba-tool drs replicate --local' the changes into the new offline DC, and then add a user locally.  This will fail with a RID collision.  Running dbcheck should cause us to change the rIDNextRID value until there is no collision. 

To test that dbcheck can recover a DC that has already seized the RID manager role (pre upgrade), we will take a copy of the joined DB, do the seize with an LDAP modify, and confirm the dbcheck adds the RID set.  This should help cover the case where we are 'given' the RID manager role over DRS.  

Likewise, to test that adding a user to an DC that has already seized the RID manager role (pre upgrade), we will take a copy of the joined DB, do the seize with an LDAP modify, and confirm that samba-tool user add works against the local DB.
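A model of the checks comment 4 calls for, added here as example code (it is neither samba-tool dbcheck nor Samba's ridalloc module): it works on an in-memory dict standing in for sam.ldb, locates the RID master through fSMORoleOwner and serverReference, reports a RID master that has no rIDSetReferences, carves a RID Set out of rIDAvailablePool the way a seize or join would, and then advances rIDNextRID past RIDs that are already in use, which is the repair described for the replicated-users collision. Assumptions: rIDNextRID is treated as the last RID handed out (so the next RID is rIDNextRID + 1); the site name, domain SID and function names are made up; the pool packing (first RID in the low 32 bits, last RID in the high 32 bits) follows the AD attribute format.

```python
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]   # attribute -> values, as ldb hands them back
Db = Dict[str, Entry]          # DN -> entry; a toy stand-in for sam.ldb

def pool_bounds(pool: int) -> Tuple[int, int]:
    """rID*Pool attributes pack the first RID in the low 32 bits, the last in the high."""
    return pool & 0xFFFFFFFF, pool >> 32

def make_pool(lo: int, hi: int) -> int:
    return (hi << 32) | lo

def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1]

def rid_master_computer_dn(db: Db, domain_dn: str) -> str:
    """fSMORoleOwner on CN=RID Manager$ is an NTDS Settings DN; the parent server
    object's serverReference is the RID master's computer object."""
    ntds_dn = db[f"CN=RID Manager$,CN=System,{domain_dn}"]["fSMORoleOwner"][0]
    return db[parent_dn(ntds_dn)]["serverReference"][0]

def used_rids(db: Db, domain_sid: str) -> Set[int]:
    """Every RID already present in the database under the domain SID."""
    rids = set()
    for entry in db.values():
        for sid in entry.get("objectSid", []):
            if sid.startswith(domain_sid + "-"):
                rids.add(int(sid.rsplit("-", 1)[1]))
    return rids

def next_candidate(rid_set: Entry) -> Tuple[int, int, int]:
    # Assumption of this model: rIDNextRID is the last RID handed out, so the
    # next one is rIDNextRID + 1, never below the pool's first RID.
    lo, hi = pool_bounds(int(rid_set["rIDAllocationPool"][0]))
    last = int(rid_set.get("rIDNextRID", ["0"])[0])
    return max(last + 1, lo), lo, hi

def check_rid_set(db: Db, dc_dn: str, taken: Set[int]) -> List[str]:
    """dbcheck-style report for one DC: missing or dangling RID Set, exhausted
    pool, or a next RID that collides with a SID already in the database."""
    refs = db[dc_dn].get("rIDSetReferences", [])
    if not refs:
        return [f"{dc_dn}: no rIDSetReferences (RID Set never allocated)"]
    rid_set = db.get(refs[0])
    if rid_set is None or "rIDSet" not in rid_set.get("objectClass", []):
        return [f"{dc_dn}: rIDSetReferences points at missing object {refs[0]}"]
    candidate, lo, hi = next_candidate(rid_set)
    if candidate > hi:
        return [f"{refs[0]}: pool {lo}-{hi} exhausted"]
    if candidate in taken:
        return [f"{refs[0]}: next RID {candidate} already used by another object"]
    return []

def repair_rid_next_rid(db: Db, rid_set_dn: str, taken: Set[int]) -> int:
    """Advance rIDNextRID past every RID already in use; returns the new value."""
    rid_set = db[rid_set_dn]
    candidate, _, hi = next_candidate(rid_set)
    while candidate <= hi and candidate in taken:
        candidate += 1
    if candidate > hi:
        raise RuntimeError(f"{rid_set_dn}: no free RID left in the allocation pool")
    rid_set["rIDNextRID"] = [str(candidate - 1)]
    return candidate - 1

def allocate_rid_set(db: Db, dc_dn: str, domain_dn: str, size: int = 500) -> str:
    """What seize/join should do for a RID master with no RID Set: carve `size`
    RIDs off rIDAvailablePool on CN=RID Manager$ and create CN=RID Set under the DC."""
    rid_mgr = db[f"CN=RID Manager$,CN=System,{domain_dn}"]
    avail_lo, avail_hi = pool_bounds(int(rid_mgr["rIDAvailablePool"][0]))
    new_hi = avail_lo + size - 1
    if new_hi > avail_hi:
        raise RuntimeError("rIDAvailablePool exhausted")
    rid_mgr["rIDAvailablePool"] = [str(make_pool(new_hi + 1, avail_hi))]
    rid_set_dn = f"CN=RID Set,{dc_dn}"
    db[rid_set_dn] = {"objectClass": ["top", "rIDSet"],
                      "rIDAllocationPool": [str(make_pool(avail_lo, new_hi))],
                      "rIDPreviousAllocationPool": [str(make_pool(avail_lo, new_hi))],
                      "rIDUsedPool": ["0"], "rIDNextRID": ["0"]}
    db[dc_dn]["rIDSetReferences"] = [rid_set_dn]
    return rid_set_dn

# Constructed sample: the domain and DC name from the report, a DC that holds the
# RID master role but has no RID Set, and users whose RIDs fall inside the first
# pool that will be carved out. Site name and domain SID are made up.
DOMAIN_DN = "DC=sscc,DC=ctd,DC=xxxxx,DC=com"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DC_DN = f"CN=SAMBA4TESTSERVER,OU=Domain Controllers,{DOMAIN_DN}"
NTDS_DN = (f"CN=NTDS Settings,CN=SAMBA4TESTSERVER,CN=Servers,"
           f"CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{DOMAIN_DN}")

def sample_db() -> Db:
    db: Db = {
        f"CN=RID Manager$,CN=System,{DOMAIN_DN}": {
            "fSMORoleOwner": [NTDS_DN],
            "rIDAvailablePool": [str(make_pool(1600, 0x3FFFFFFF))]},
        parent_dn(NTDS_DN): {"serverReference": [DC_DN]},
        DC_DN: {"objectClass": ["computer"], "objectSid": [f"{DOMAIN_SID}-1000"]},
    }
    for rid in (1600, 1601, 1602):   # e.g. replicated in from the live DC
        db[f"CN=user{rid},CN=Users,{DOMAIN_DN}"] = {"objectSid": [f"{DOMAIN_SID}-{rid}"]}
    return db

if __name__ == "__main__":
    db = sample_db()
    dc = rid_master_computer_dn(db, DOMAIN_DN)
    print(check_rid_set(db, dc, used_rids(db, DOMAIN_SID)))        # RID Set missing
    rs = allocate_rid_set(db, dc, DOMAIN_DN)
    print(check_rid_set(db, dc, used_rids(db, DOMAIN_SID)))        # collision at 1600
    print(repair_rid_next_rid(db, rs, used_rids(db, DOMAIN_SID)))  # 1602
```

The order of the three calls mirrors the test plan in the comment: a seized RID master with no RID Set is first detected, then given a pool, and only then can the collision with RIDs that arrived by replication be found and skipped over. On a real DC the same lookups are LDAP searches against sam.ldb and the repairs must be written with the system control, which is exactly the step that the report shows failing over plain LDAP.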
Comment 5 Andrew Bartlett 2016-11-01 08:07:54 UTC
Created attachment 12620
specific patch for this issue (for master)

Patches for this will be posted to samba-technical shortly.

The exact patch for this is tiny, but we are taking steps to make this much less likely to happen in the future.

In particular, that will be by making the 'fsmo seize' operation allocate a RID Set if required, and remotely allocating a RID set at the join when possible.
Comment 6 Andrew Bartlett 2016-11-01 23:05:57 UTC
Comment on attachment 12620
specific patch for this issue (for master)

This patch is wrong. 

The issue is (and always has been) that the RELAX flag, and so also the AS_SYSTEM flag, is stripped off by the rootdse module, due to FLAG_TOP_MODULE.

We will instead remove the add-on-demand of the RID set, and have dreplsrv create it at startup.
Comment 7 Andrew Bartlett 2016-11-04 09:54:19 UTC
Fixed in master with 815658d2db46e4accdd35f5925585ec1f1c3d74f

Hopefully we can land some more patches to have us allocate a RID Set at join time (rather than first boot), but this should at least address the main issue.