Discussion:
[Samba] unique index violation on objectSid
Zhuchenko Valery
2016-06-27 13:21:13 UTC
Hi all!

Today, after two years in production, I got this error:

samba-tool user create test20160627 testpassword

ERROR(ldb): Failed to add user 'test20160627': -
../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in
CN=test20160627,CN=Users,DC=ad... - ../lib/ldb/ldb_tdb/ldb_index.c:1148:
unique index violation on objectSid in CN=test20160627,CN=Users,DC=ad...

Please help me: how can I find which objectSid is not unique?
I have 3 DCs on CentOS 7, Samba 4.1 (I know, an old version).

Valery
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-06-27 14:45:47 UTC
Perhaps you don't have a duplicate objectSid yet, as that's not supposed to be
possible.
Rather than scripting something to look for an objectSid used twice, I would
start with dbcheck and other tools to verify that your database is
consistent and identical on all servers.
Zhuchenko Valery
2016-06-28 06:00:23 UTC
Post by mathias dufresne
Perhaps you don't have yet duplicate objectSid as that's not supposed to be
possible.
Rather than scripting something to look for objectSid used twice I would
start with dbcheck and other tools to verify that your database is
consistent and identical on all servers.
[***@pdc ~]# samba-tool dbcheck
Checking 3346 objects
Checked 3346 objects (0 errors)

[***@bdc ~]# samba-tool dbcheck
Checking 3346 objects
Checked 3346 objects (0 errors)

[***@dc46 ~]# samba-tool dbcheck
Checking 3346 objects
Checked 3346 objects (0 errors)


[***@pdc ~]# samba-tool ldapcmp ldap://pdc ldap://bdc -Uadministrator
--filter=msDS-NcType,serverState,subrefs,whenChanged
Password for [administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 3207
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1621
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 196
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 19
* Result for [DNSFOREST]: SUCCESS

[***@pdc ~]# samba-tool ldapcmp ldap://pdc ldap://dc46 -Uadministrator
--filter=msDS-NcType,serverState,subrefs,whenChanged
Password for [administrator]:
* Comparing [DOMAIN] context...
* Objects to be compared: 3207
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1621
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 196
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 19
* Result for [DNSFOREST]: SUCCESS
Zhuchenko Valery
2016-06-28 11:05:38 UTC
I understand now why I get the error about the unique index violation on objectSid:

samba-tool fsmo show
RidAllocationMasterRole owner: CN=NTDS
Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,...

The last created object has objectSid
S-1-5-21-763247336-2482037999-3416227170-2001 (it is a computer record).
The last digits are 2001, and the last assigned RID is 2001:

[***@pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set"
# record 3
dn: CN=RID Set,CN=PDC,OU=Domain Controllers,...
rIDNextRID: 2001
rIDPreviousAllocationPool: 1600-2099
rIDUsedPool: 1
rIDAllocationPool: 2600-3099

https://support.microsoft.com/en-us/kb/305475
RidNextRid The RID that was assigned to the last security principal that
was created on the local domain controller.
RidPreviousAllocationPool The pool from which RIDs are currently taken
RidAllocationPool Each domain controller has two pools: the one that
they are currently acting on, and the pool that they will use next. It
is the next pool

I think the next RID is 2002?
Trying to search:
[***@pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=AD\,...
objectSid
dn: CN=username\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted
Objects,DC=ad,...
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
It is deleted, but it exists.

What can I do to solve my problem? Maybe change rIDNextRID to 2099 on the
RID Master?

Valery
mathias dufresne
2016-06-28 11:50:22 UTC
Hi Valery,

First, thank you for this detailed information about your searches. I find
them very interesting.

Here I'm thinking of two workarounds. The first one would be to list the
deleted objects' RIDs, to verify RID=2002 is really the last one used, being
sure there is no deleted object with RID=2003 and so on. Then once you get
the last RID used, you could change RidNextRid to match this maximum value
of used RID.
The second would be a lazy action: change tombstoneLifetime, which is by
default 180 days, to only 1 day. Doing that, tomorrow all deleted objects
will be deleted and if you are lucky - I can't guarantee that will work -
you will be able to reuse these RIDs.

Hoping this helps...

M.
Zhuchenko Valery
2016-06-28 12:44:28 UTC
Post by mathias dufresne
Here I'm thinking of two workarounds. The first one would be to list
deleted objects RIDs, to verify RID=2002 is really the last one used,
being sure there is no deleted object with RID=2003 and so on. Then once
you get the last RID used, you could change RidNextRid to match this
maximum value of used RID.
Is it safe to change RidNextRid? Do I understand correctly that RidNextRid
should be changed on the DC where rIDPreviousAllocationPool contains the
RID of the last created object?
Post by mathias dufresne
The second would be a lazy action: change tombstoneLifetime which is by
default 180 days to only 1 day. Doing that tomorrow all deleted objects
will be deleted and if you are lucky - I can't guaranty that will work -
you will able to reuse these RIDs.
No, only 1 day is impossible:
https://technet.microsoft.com/en-us/library/dd392260(v=ws.10).aspx If
the value is less than 3 days, the tombstone lifetime is 3 days.
Post by mathias dufresne
Hoping this helps...
And I...

Valery
mathias dufresne
2016-06-28 14:44:25 UTC
I love diving : )
Post by Zhuchenko Valery
Post by mathias dufresne
Here I'm thinking of two workarounds. The first one would be to list
deleted objects RIDs, to verify RID=2002 is really the last one used,
being sure there is no deleted object with RID=2003 and so on. Then once
you get the last RID used, you could change RidNextRid to match this
maximum value of used RID.
It is safe to change RidNextRid? I correctly understand that RidNextRid
should be changed on the DC, where rIDPreviousAllocationPool contains
RID of last created object?
No idea if it is safe. I just meant that's what I would try : )
About where to change it, not much more idea. I would change it on the DC
where you tried to add the user, because this is the DC which refused to use
the RID pool it was given, because RidNextRid contains a value too low
compared to the already given RIDs.
I did search on my FSMO owner for "CN=RID Set" and I received one answer
per DC, each with a different rIDAllocationPool of course.
I believe I read something here about something not replicated (no time to
re-read the whole thread carefully enough, sorry); if you change rIDNextRID
by hand, just check on the other DCs that your change is replicated, to keep
the DB consistent. I expect it is replicated, as that would be a simple way
for the FSMO RID master to know it has to give out more RID pools.
Post by Zhuchenko Valery
Post by mathias dufresne
The second would be a lazy action: change tombstoneLifetime which is by
default 180 days to only 1 day. Doing that tomorrow all deleted objects
will be deleted and if you are lucky - I can't guaranty that will work -
you will able to reuse these RIDs.
https://technet.microsoft.com/en-us/library/dd392260(v=ws.10).aspx If
the value is less than 3 days, the tombstone lifetime is 3 days.
1 day is accepted by the Samba DB. I did try : )
I'm not sure if my objects were deleted just 24 hours after the change or
earlier or later. Anyway, 1 or 3 days could be an acceptable delay to
auto-solve an unsolvable issue. At least for me it seems acceptable ;)
The point of that change is that you are diving into the unknown when
playing with RID pool data; it seems a bit of a dive.
Zhuchenko Valery
2016-06-29 07:11:25 UTC
Post by mathias dufresne
I love diving : )
I have dived. :)

Replacing RidNextRid with the last value of rIDPreviousAllocationPool
solves this problem (at least temporarily).

I began from the RID master:

[***@pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set"
-b CN="PDC,OU=Domain Controllers,DC=ad,..."
rIDPreviousAllocationPool: 1600-2099 (current pool, in my case)
rIDAllocationPool: 2600-3099 (next pool)

Then use ldbedit with the same parameters and change rIDNextRID to 2099 (I
think this can be done via ADSIEdit connected to this controller, in XP,
but not in Win7...)

But after that it is necessary to create new objects on the controller
where rIDNextRID was changed (via ADUC connected to this controller, or
via samba-tool in a shell on this controller).

In my case, on the RID master the new values of rIDPreviousAllocationPool and
rIDAllocationPool are now both 2600-3099. I don't know what that
means, but I think it is because the range 3100-3599 was used on the other
controllers, and the master will recalculate the pools to new values.

It is possible to look at the ranges and distribution of values approximately like this:
[***@pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=AD...ldb
objectSid |grep objectSid|sort|less

This operation should be repeated locally on each controller after
everything is corrected on the RID master; then the RID ranges on the
controllers will change correctly, I think, but I didn't check.

Valery.
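The search Valery describes two messages up (every objectSid, tombstones included, checked against the RID Set) and the ldbedit fix he applied here, as an added example that is not part of the thread or of Samba: a Python script that parses ldbsearch's LDIF output, lists any objectSid held by two DNs (the original question), finds the highest RID already issued from the domain SID including deleted objects, checks it against rIDNextRID and the current pool, and emits the LDIF an `ldbmodify` run would apply. The LDIF samples are constructed from the values quoted in the thread; the suffix DC=ad,DC=example and the two objects sharing RID 513 are invented, and the `--show-deleted` option and the `changetype: modify` LDIF shape are standard ldb tool usage, not anything from the thread.

```python
#!/usr/bin/env python3
"""Audit objectSid uniqueness and a DC's RID Set from ldbsearch LDIF output.
Added example for this thread, not a Samba tool. Real input comes from
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSid=*)' objectSid
  ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=RID Set)' rIDNextRID rIDPreviousAllocationPool
where the first query must include tombstones (query the partition file as
Valery did, or pass --show-deleted to ldbsearch)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's values; the two objects sharing
# RID 513 are invented so the duplicate check has something to find.
SAMPLE_OBJECTSID_LDIF = """\
# record 1
dn: CN=username\\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted Objects,
 DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002

dn: CN=Domain Users,CN=Users,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-513

dn: CN=Stale Copy,CN=Users,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-513
"""
SAMPLE_RIDSET_LDIF = """\
dn: CN=RID Set,CN=PDC,OU=Domain Controllers,DC=ad,DC=example
rIDNextRID: 2001
rIDPreviousAllocationPool: 1600-2099
"""
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_ldif(text):
    """Minimal LDIF reader: records end at blank or '#' comment lines, folded
    continuation lines (leading space) are re-joined."""
    records, cur, last = [], None, None
    for line in text.splitlines() + [""]:
        if not line.strip() or line.startswith("#"):
            if cur:
                records.append(cur)
            cur, last = None, None
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            cur = cur if cur is not None else defaultdict(list)
            cur[attr].append(value.strip())
            last = attr
    return records

def find_duplicate_sids(records):
    """objectSid values held by more than one DN, with those DNs."""
    holders = defaultdict(list)
    for rec in records:
        for sid in rec.get("objectSid", []):
            holders[sid].append(rec["dn"][0])
    return {sid: dns for sid, dns in holders.items() if len(dns) > 1}

def highest_domain_rid(records):
    """Highest RID issued from the domain SID, tombstones included, plus its
    DN. BUILTIN and other well-known SIDs never come from the RID pool."""
    best = (0, None)
    for rec in records:
        for sid in rec.get("objectSid", []):
            m = DOMAIN_SID_RE.match(sid)
            if m and int(m.group(1)) > best[0]:
                best = (int(m.group(1)), rec["dn"][0])
    return best

def parse_pool(value):
    """RID pool as (low, high). Samba's ldb prints 'low-high'; the raw AD
    encoding is one 64-bit integer, low 32 bits = start, high 32 bits = end."""
    if "-" in value:
        lo, hi = value.split("-", 1)
        return int(lo), int(hi)
    return int(value) & 0xFFFFFFFF, int(value) >> 32

def audit_rid_set(ridset, highest_used):
    """rIDNextRID is the last RID handed out (next = rIDNextRID + 1), so a value
    below a RID already used in the current pool means the next create reuses
    that RID and trips ldb's unique index on objectSid."""
    next_rid = int(ridset["rIDNextRID"][0])
    lo, hi = parse_pool(ridset["rIDPreviousAllocationPool"][0])
    if lo <= highest_used <= hi and next_rid < highest_used:
        return [f"rIDNextRID={next_rid} but RID {highest_used} in the current "
                f"pool {lo}-{hi} is already used"]
    return []

def rid_set_fix_ldif(ridset, new_next_rid):
    """LDIF for 'ldbmodify -H sam.ldb' that sets rIDNextRID (Valery did the
    same with ldbedit); review the value before applying it."""
    return (f"dn: {ridset['dn'][0]}\nchangetype: modify\n"
            f"replace: rIDNextRID\nrIDNextRID: {new_next_rid}\n-\n")

if __name__ == "__main__":
    objs, ridset = parse_ldif(SAMPLE_OBJECTSID_LDIF), parse_ldif(SAMPLE_RIDSET_LDIF)[0]
    rid = highest_domain_rid(objs)[0]
    print(find_duplicate_sids(objs), *audit_rid_set(ridset, rid), sep="\n")
    print(rid_set_fix_ldif(ridset, rid), end="")  # highest used RID = smallest safe value
```

On Valery's numbers the audit reports rIDNextRID=2001 against a used RID 2002, which is the collision he hit, while `samba-tool dbcheck` reported 0 errors on all three DCs because nothing was duplicated yet. The generated LDIF targets the RID Set of the DC whose rIDPreviousAllocationPool holds the used RIDs; the highest used RID is the smallest safe value, and the end of the current pool (2099, Valery's choice) leaves no RIDs in that pool, so the next create moves on to the next pool, which is consistent with the 2600-3099 values he saw afterwards.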
Zhuchenko Valery
2016-06-28 11:57:17 UTC
The problem is 'RidNextRid' doesn't contain (as you would expect) the
next RID, it contains the last RID used.
Yes, Rowland, I agree with you.

If I change RidNextRid by hand on the RID master to the last value of
RidPreviousAllocationPool (to 2099, because RidPreviousAllocationPool:
1600-2099 in my case), the master changes the pool to the new one (which is
rIDAllocationPool: 2600-3099), is that right?

Valery
L.P.H. van Belle
2016-06-28 15:00:36 UTC
Post by mathias dufresne
I love diving : )
Ok mathias,

Can you explain this?
This I don't get...

Why is this output so different? And I don't mean the difference with NTDOMAIN\..

See the group differences between an AD DC and a member server..


Samba 4.4.3 ADDC
id someusername

uid=10002(NTDOMAIN\someusername) gid=10000(NTDOMAIN\domain users) groups=10000(NTDOMAIN\domain users),3000053(NTDOMAIN\sng-certificaat-gpo),10005(NTDOMAIN\remote-webmail),
3000058(NTDOMAIN\usb-lees-toegang),10003(NTDOMAIN\server-aftermath),10008(NTDOMAIN\servers-www),3000154(NTDOMAIN\remote-xenservers),
3000118(NTDOMAIN\cddvd-schrijf-toegang),3000030(NTDOMAIN\remote-toegang-pcs),3000117(NTDOMAIN\cddvd-lees-toegang),3000059(NTDOMAIN\usb-schrijf-toegang),
3000148(NTDOMAIN\gitslinux-gebruikers),3000043(NTDOMAIN\afd-itdep),3000173(NTDOMAIN\dnsadmins),3000038(NTDOMAIN\vest-rotterdam),3000039(NTDOMAIN\allen),
3000065(NTDOMAIN\vertrouwde-websites),3000040(NTDOMAIN\boven),3000004(NTDOMAIN\group policy creator owners),3000005(NTDOMAIN\denied rodc password replication group),
10004(NTDOMAIN\servers-ssh),3000174(NTDOMAIN\lokaleprinter-xerox11hp),3000176(NTDOMAIN\alle-schijftoegang),3000005(NTDOMAIN\denied rodc password replication group),
3000173(NTDOMAIN\dnsadmins),3000009(BUILTIN\users)


Samba 4.4.3 Member server.
id someusername

uid=10002(someusername) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10005(remote-webmail),10003(server-aftermath),
10008(servers-www),10004(servers-ssh),10009(alle-schijftoegang),2001(BUILTIN\users)


Now if I add this user on the member server to the sudo group,
you see: 27(sudo)

The same on the AD DC: nothing... but the user IS added to the local group sudo.
I checked /etc/group.

Very strange imo..



Greetz,

Louis
L.P.H. van Belle
2016-06-29 06:15:51 UTC
Hi Rowland,

Yes, that's done, the domain user exists on both servers in the local sudo group.
But why do I see many more groups on the AD DC, and even groups where this user is NOT a member, like 3000005(NTDOMAIN\denied rodc password replication group)?

See .. 2x
3000005(NTDOMAIN\denied rodc password replication group
3000005(NTDOMAIN\denied rodc password replication group

Greetz,

Louis
-----Original message-----
Sent: Tuesday, 28 June 2016 17:23
To: L.P.H. van Belle
Subject: Re: [Samba] id username output ADDC and Member.
Hi Louis, No, not strange, you need to add the user with the DOMAIN to
the sudo group on the DC,
i.e. useradd SAMDOM/rowland sudo
uid=10000(SAMDOM\rowland) gid=10000(SAMDOM\domain users)
groups=10000(SAMDOM\domain users),27(sudo),3000025(SAMDOM\dnsadmins),3000009(BUILTIN\users)
Let's see if Mathias knows :-)
Rowland
mathias dufresne
2016-06-30 09:01:11 UTC
Hi Louis,

I expect you have already checked that, but just in case: aren't there some
nested groups?

If there are not, perhaps take a look into idmap.ldb to verify that uid=10002 is
not used by several users (your real user + some old entry in idmap).

I don't believe too much in that but, as said, just in case...
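The two `id` listings Louis posted, compared mechanically, as an added example that is not part of the thread or of Samba. The listings are embedded as constructed strings (his domain name NTDOMAIN and his group names, joined onto one line each). The script folds the DOMAIN\ prefix winbind prints on the DC, then reports GIDs that appear twice in one listing (the 3000005 and 3000173 entries he noticed), group names present on only one side, and names that resolve to different GIDs on the two hosts, which is the kind of idmap inconsistency Mathias suggests checking in idmap.ldb. It does not say why a group is in the list; it narrows down what to check.

```python
#!/usr/bin/env python3
"""Diff the `id` output of one domain user on an AD DC and on a member server.
Added example for this thread, not a Samba tool: it folds the DOMAIN\\ prefix
winbind prints on the DC, then reports GIDs listed twice, group names present
on one side only, and names that map to different GIDs on the two hosts."""
import re
from collections import Counter

# The two listings Louis posted, joined onto one line each (domain NTDOMAIN).
ID_DC = (
    r"uid=10002(NTDOMAIN\someusername) gid=10000(NTDOMAIN\domain users) "
    r"groups=10000(NTDOMAIN\domain users),3000053(NTDOMAIN\sng-certificaat-gpo),"
    r"10005(NTDOMAIN\remote-webmail),3000058(NTDOMAIN\usb-lees-toegang),"
    r"10003(NTDOMAIN\server-aftermath),10008(NTDOMAIN\servers-www),"
    r"3000154(NTDOMAIN\remote-xenservers),3000118(NTDOMAIN\cddvd-schrijf-toegang),"
    r"3000030(NTDOMAIN\remote-toegang-pcs),3000117(NTDOMAIN\cddvd-lees-toegang),"
    r"3000059(NTDOMAIN\usb-schrijf-toegang),3000148(NTDOMAIN\gitslinux-gebruikers),"
    r"3000043(NTDOMAIN\afd-itdep),3000173(NTDOMAIN\dnsadmins),"
    r"3000038(NTDOMAIN\vest-rotterdam),3000039(NTDOMAIN\allen),"
    r"3000065(NTDOMAIN\vertrouwde-websites),3000040(NTDOMAIN\boven),"
    r"3000004(NTDOMAIN\group policy creator owners),"
    r"3000005(NTDOMAIN\denied rodc password replication group),"
    r"10004(NTDOMAIN\servers-ssh),3000174(NTDOMAIN\lokaleprinter-xerox11hp),"
    r"3000176(NTDOMAIN\alle-schijftoegang),"
    r"3000005(NTDOMAIN\denied rodc password replication group),"
    r"3000173(NTDOMAIN\dnsadmins),3000009(BUILTIN\users)")
ID_MEMBER = (
    r"uid=10002(someusername) gid=10000(domain users) "
    r"groups=10000(domain users),27(sudo),116(lpadmin),10005(remote-webmail),"
    r"10003(server-aftermath),10008(servers-www),10004(servers-ssh),"
    r"10009(alle-schijftoegang),2001(BUILTIN\users)")

# Group names may contain spaces and backslashes, so fields are cut on the
# NNN(name) shape rather than on whitespace.
FIELD_RE = re.compile(r"(uid|gid|groups)=((?:\d+\([^)]*\),?)+)")
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output):
    """(uid, gid, [(gid, name), ...]) from one `id` line."""
    fields = {k: [(int(n), name) for n, name in ENTRY_RE.findall(v)]
              for k, v in FIELD_RE.findall(output)}
    return fields["uid"][0], fields["gid"][0], fields["groups"]


def strip_domain(name, domain):
    """Fold 'DOMAIN\\name' (as printed on the DC) and the bare 'name' (member
    server with 'winbind use default domain = yes') to one key."""
    prefix = domain.lower() + "\\"
    return name[len(prefix):] if name.lower().startswith(prefix) else name


def duplicate_gids(groups):
    """GIDs that occur more than once in a single listing."""
    return sorted(g for g, n in Counter(g for g, _ in groups).items() if n > 1)


def compare_id(dc_output, member_output, domain):
    dc_uid, _, dc_groups = parse_id(dc_output)
    mb_uid, _, mb_groups = parse_id(member_output)
    dc = {strip_domain(name, domain): gid for gid, name in dc_groups}
    mb = {strip_domain(name, domain): gid for gid, name in mb_groups}
    return {
        "uid_match": dc_uid[0] == mb_uid[0],
        "duplicate_gids_dc": duplicate_gids(dc_groups),
        "duplicate_gids_member": duplicate_gids(mb_groups),
        "only_on_dc": sorted(set(dc) - set(mb)),
        "only_on_member": sorted(set(mb) - set(dc)),
        # Same group name, different GID: the two hosts map that SID through
        # different idmap data (the DC's idmap.ldb vs the member's backend).
        "gid_mismatch": {n: (dc[n], mb[n]) for n in sorted(set(dc) & set(mb))
                         if dc[n] != mb[n]},
    }


if __name__ == "__main__":
    for key, value in compare_id(ID_DC, ID_MEMBER, "NTDOMAIN").items():
        print(f"{key}: {value}")
```

Local groups such as sudo and lpadmin show up only on the member because they live in that host's /etc/group; Rowland's point is that the DC's /etc/group entry has to carry the DOMAIN\name form before winbind lists 27(sudo) there. Two names map to different GIDs in Louis's listings (alle-schijftoegang: 3000176 on the DC against 10009 on the member; BUILTIN\users: 3000009 against 2001), so the two hosts are not using the same ID mapping for those SIDs, which is worth settling before reasoning about the extra groups.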