On Tue, 2013-07-23 at 20:38 +0100, Jonathan Hunter wrote:
> Hi,
>
> In time-honoured fashion I am replying to my own post, as I think I have
> figured out a workaround to my issue. Hopefully this will help others -
> here's what I did.
>
> On 22 July 2013 22:01, Jonathan Hunter <jmhunt...@gmail.com> wrote:
>
> > Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
> > from source), but I get the following:
> >
> > [...]
> >
> > ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
> > - <00002035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set
> > DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
> > Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
> > system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
> > Controllers,DC=mydomain,DC=org'!>
>
> After some careful googling, and trying to figure out what the heck a RID
> Set was, and why it couldn't be added, I discovered it was a property of a
> domain controller, and I think I should really have one against my existing
> DC - but I didn't.
>
> First step was ADSI Edit, to create it - but then I discovered that whilst
> ADSI Edit can create many things, a RID Set is not one of them.
>
> Second step was LDIFDE: I exported the RID Set from my other DC (in the
> other site), edited the LDIF to make a new RID Set for my existing DC - but
> couldn't import it ("The server is unwilling to process the request").
>
> Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO
> role across between the DCs:
>
> second-existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
> message must have elements/attributes!
>
> The transfer was successful, but some kind of error occurred.. (!)
The error is a red herring, resolved in current versions. There wasn't
actually an error :-)

> But, I was able to transfer the role back to the first DC - and this time,
> a RID Set finally appeared in AD! I did, however, get exactly the same
> error. This happened however many times I transferred the role, and for any
> role (I tried all of them :-))
>
> existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
> message must have elements/attributes!
>
> Still.. I have now been able to successfully join my domain - which does
> solve my initial problem, so I'm happy there at least.
>
> (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure
> if this is good, or bad! :))

A DC should ask for a RID set to be created shortly after starting up, and
certainly when an attempt to create users is made.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
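The thread turns on whether a DC actually owns a RID Set object and, once it does, how much of its RID pool is left. The following is an added example, written for this page and not code from the thread or from the Samba project, showing how to check that from a DC's own database. It assumes a from-source install with sam.ldb under /usr/local/samba/private (an assumption; adjust for your prefix), and the ldbsearch output it parses is a constructed sample embedded in the script so it runs offline. rIDAllocationPool is a 64-bit integer packing the first RID of the pool in its low 32 bits and the last RID in its high 32 bits; rIDNextRID is the most recently allocated RID, so the pool's remaining capacity is last minus rIDNextRID.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check a DC's RID Set
# and decode its allocation pool. On a live DC you would feed these
# functions the output of (assumed sam.ldb path for a /usr/local/samba
# install):
#   ldbsearch -H /usr/local/samba/private/sam.ldb \
#     -b 'CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org' \
#     -s base rIDAllocationPool rIDPreviousAllocationPool rIDNextRID rIDUsedPool

# rIDAllocationPool packs two 32-bit values: low 32 bits = first RID of the
# pool, high 32 bits = last RID of the pool. Prints "first last".
decode_rid_pool() {
    pool=$1
    start=$(( pool & 4294967295 ))
    end=$(( pool >> 32 ))
    echo "$start $end"
}

# Reads LDIF on stdin; succeeds only if a RID Set entry is present, i.e. a
# "dn:" line whose first RDN is CN=RID Set.
has_rid_set() {
    grep -qi '^dn: CN=RID Set,'
}

# Reads LDIF on stdin and prints the first value of the named attribute.
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# Constructed sample of what ldbsearch prints for a DC that owns a RID Set
# covering RIDs 1600..2099, with 1612 the last RID handed out.
SAMPLE_LDIF='dn: CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org
rIDAllocationPool: 9015136355904
rIDPreviousAllocationPool: 9015136355904
rIDNextRID: 1612
rIDUsedPool: 0

# returned 1 records
# 1 entries
# 0 referrals'

# Takes LDIF text as $1. Prints "first last remaining" for the current pool,
# or "no RID Set" (and returns 1) when the entry is missing, which is the
# state Jonathan's existing DC was in before the FSMO transfer.
rid_pool_report() {
    ldif=$1
    printf '%s\n' "$ldif" | has_rid_set || { echo "no RID Set"; return 1; }
    pool=$(printf '%s\n' "$ldif" | ldif_attr rIDAllocationPool)
    next=$(printf '%s\n' "$ldif" | ldif_attr rIDNextRID)
    set -- $(decode_rid_pool "$pool")
    echo "$1 $2 $(( $2 - next ))"
}

rid_pool_report "$SAMPLE_LDIF"
```

A DC whose report says "no RID Set" cannot create security principals until the RID Master hands it a pool, which is exactly why the domain join in the thread failed with LDAP_UNWILLING_TO_PERFORM from ridalloc.c; a remaining count near zero on a busy DC means it is about to ask the RID Master for a fresh pool, so the RID Master role must be reachable.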