This article describes how to renew RID pools. In UCS@school environments this is neither necessary nor useful, because in school environments the SID is provided by OpenLDAP and not by Samba.
No new RID’s/objects can be created
The problem can be characterized by the following message especially when joining Windows clients:
<Message currently not available>
There are no free RIDs left to assign; a new RID pool can be allocated as follows:
1. Find current range
Each Samba 4 DC has its own RID pool. These pools are stored as separate objects in the LDB underneath "their" computer object.
Because the attributes needed for this article, rIDAllocationPool and rIDNextRID, are not replicated via DRS, they are only found locally:
ldbsearch -H /var/lib/samba/private/sam.ldb \
    CN="RID Set" \
    -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

# record 1
dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=domain,DC=s4
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20131121092552.0Z
whenChanged: 20131121092552.0Z
uSNCreated: 3586
uSNChanged: 3586
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: f68e16fc-e5c7-4471-bd2a-ba223e09a718
rIDAllocationPool: 1100-1599
rIDPreviousAllocationPool: 1100-1599
rIDUsedPool: 0
objectCategory: CN=RID-Set,CN=Schema,CN=Configuration,DC=domain,DC=s4
rIDNextRID: 1125
distinguishedName: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=domain,DC=s4
rIDAllocationPool shows the current pool.
rIDNextRID shows the last successfully assigned RID. In some situations, some RIDs within this range are already assigned and blocked.
2. Allocate a new pool
It is not sufficient to change this data only locally. Therefore you should turn to the system holding the FSMO role "RID Allocation Master" (the system that normally assigns RID pools; see "samba-tool fsmo show") and have a new pool allocated for your system there.
Just set rIDNextRID locally to the last possible value from the range:
ldbedit -H /var/lib/samba/private/sam.ldb \
    CN="RID Set" \
    -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

"ldbedit" opens the object in an editor. By default this is vi.
rIDNextRID can be edited directly. In the above example the last possible value would be 1599 (the last RID of the pool 1100-1599).
If you then add a new user locally, the system recognizes that there are no RIDs left and asks the RID Allocation Master for a new pool:
samba-tool user add testbenutzer2 "Passwort123"
samba-tool user delete testbenutzer2
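As an added example (not part of the original article), the following shell script parses the "RID Set" record that ldbsearch prints in step 1 and reports how many RIDs remain before the pool is exhausted. It assumes the LDIF-like "attribute: value" output format shown above and uses a constructed copy of that record as sample input, so it runs without a Samba DC.

```bash
#!/bin/bash
# Report the state of a Samba 4 DC's local RID pool from ldbsearch output.
# Constructed sample, copied from the RID Set record shown in this article.
SAMPLE_RID_SET='dn: CN=RID Set,CN=MASTER,OU=Domain Controllers,DC=domain,DC=s4
rIDAllocationPool: 1100-1599
rIDPreviousAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1125'

# rid_pool_status "<ldif text>" prints: "<first> <last> <next> <remaining>"
# where <next> is the last RID already handed out (rIDNextRID) and
# <remaining> is the number of RIDs still available in rIDAllocationPool.
rid_pool_status() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "rIDAllocationPool" { split($2, r, "-"); first = r[1]; last = r[2] }
        $1 == "rIDNextRID"        { next_rid = $2 }
        END {
            if (first == "" || last == "") {
                print "no rIDAllocationPool found in input" > "/dev/stderr"
                exit 1
            }
            # A freshly allocated pool has no rIDNextRID yet: nothing used so far.
            if (next_rid == "") next_rid = first - 1
            remaining = last - next_rid
            if (remaining < 0) remaining = 0
            print first, last, next_rid, remaining
        }'
}

# rid_remaining "<ldif text>" prints only the number of RIDs still available.
rid_remaining() {
    rid_pool_status "$1" | awk '{ print $4 }'
}

# Live use on a DC (needs root; not executed here):
# rid_pool_status "$(ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set" \
#     -b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)")"

rid_pool_status "$SAMPLE_RID_SET"   # prints: 1100 1599 1125 474
```

A result of 0 remaining RIDs is the state described at the top of this article, where no new objects can be created until the RID Allocation Master hands out a new pool.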