Samba 4 - RID Pool renewal

servicesforwindows
ucs3

#1

Hint:

This article describes how to renew RID Pools. In UCS@school environments this is not necessary and useful, because in school environments the SID is provided by openLDAP and not from Samba.


Problem:

No new RID’s/objects can be created
The problem can be characterized by the following message especially when joining Windows clients:

<Message currently not available>

Solution:

There are no new RID’s free for the award - a new RID pool can be allocated:

1. Find current range

Each Samba 4 DC has its own RID-Pool. These pools are saved as seperate objects in the LDB underneath “their” computer object.
Because the needed attributes for this article, Attribute rIDAllocationPool and rIDNextRID, are not replicated via DRS, they are only found locally:

ldbsearch -H /var/lib/samba/private/sam.ldb \
CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

e.g.:

# record 1
dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=domain,DC=s4
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20131121092552.0Z
whenChanged: 20131121092552.0Z
uSNCreated: 3586
uSNChanged: 3586
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: f68e16fc-e5c7-4471-bd2a-ba223e09a718
rIDAllocationPool: 1100-1599
rIDPreviousAllocationPool: 1100-1599
rIDUsedPool: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=domain,DC=s4
rIDNextRID: 1125
distinguishedName: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=domain,DC=s4

The attribute rIDAllocationPool shows the current pool.
The attribute rIDNextRID shows the last successfully given RID. In some situations some spaces within this range are already awared and blocked.

2. Allocate a new pool

It’s not sufficient to only change this data locally. That’s why you should navigate to the system with the FSMO-role “RID Allocation Master” (the system which normally awards RID-Pools “samba-tool fsmo show”) and allocate a new pool for your system there!
Just set rIDNextRID locally to the last possible value from the range:

ldbedit -H /var/lib/samba/private/sam.ldb \
CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

ldbedit” opens the object in an editor. Per default this is vi.
The attrbiute rIDNextRID can be edited diretcly. In the above example the last possbile value would be 1599 (last RID from Pool - 1100-1599).

If you add a new user then locally, the system recognizes that there are no RID’s left and asks the RID Allocation master for a new Pool.:

samba-tool user add testbenutzer2 "Passwort123"
samba-tool user delete testbenutzer2 

No RID Pool for Slave DC