Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

2013-07-23 Thread Jonathan Hunter
Hi,

In time-honoured fashion I am replying to my own post, as I think I have
figured out a workaround to my issue. Hopefully this will help others -
here's what I did.

On 22 July 2013 22:01, Jonathan Hunter jmhunt...@gmail.com wrote:

 Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
 from source), but I get the following:

[...]

  ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
 -  2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set
 DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
 Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
 system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
 Controllers,DC=mydomain,DC=org'! 



After some careful googling, and trying to figure out what the heck a RID
Set was, and why it couldn't be added, I discovered it was a property of a
domain controller, and I think I should really have one against my existing
DC - but I didn't.

First step was ADSI Edit, to create it - but then I discovered that whilst
ADSI Edit can create many things, a RID Set is not one of them.

Second step was LDIFDE: I exported the RID Set from my other DC (in the
other site), edited the LDIF to make a new RID Set for my existing DC - but
couldn't import it (The server is unwilling to process the request).

Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO
role across between the DCs:

second-existing-dc# samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
message must have elements/attributes!

The transfer was successful, but some kind of error occurred.. (!)

But, I was able to transfer the role back to the first DC - and this time,
a RID Set finally appeared in AD! I did, however, get exactly the same
error. This happened however many times I transfer the role, and for any
role (I tried all of them :-))

existing-dc# samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
message must have elements/attributes!

Still.. I have now been able to successfully join my domain - which does
solve my initial problem, so I'm happy there at least.

(Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure
if this is good, or bad! :))

Hopefully this post will be helpful to somebody in the future... Just a
note, however - I hardly ever check this gmail account, so please don't
rely on a speedy response if you do see this post and want to reply to me
personally!
Thanks all,

Jonathan

-- 
If we knew what it was we were doing, it would not be called research,
would it?
  - Albert Einstein
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
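A defender-side check for the state described above, added here as an example and not part of the thread or of Samba's own code: it reads an LDIF export of the Domain Controllers OU (such as the LDIFDE export mentioned, or an `ldbsearch` dump) and reports, per DC, whether a `CN=RID Set` child object exists and whether the DC's `rIDSetReferences` attribute (the standard AD attribute linking a DC object to its RID Set) points at it. The sample LDIF is constructed; the DN names mirror those in the thread, and the status strings are this example's own naming.

```python
"""Report which domain controllers in an LDIF export lack a usable RID Set.

Added example for this thread (not Samba project code). Assumes the input is
an LDIF dump of the Domain Controllers OU, e.g. from ldbsearch or LDIFDE.
"""

# Constructed sample LDIF (not real directory data). DNs follow the thread.
# EXISTING-DC is healthy, SECOND-EXISTING-DC has no RID Set at all, and NEWDC
# references a RID Set object that is not present in the export. One value is
# folded across two lines to exercise LDIF continuation handling.
SAMPLE_LDIF = """\
dn: CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org
objectClass: computer
sAMAccountName: EXISTING-DC$
rIDSetReferences: CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,
 DC=mydomain,DC=org

dn: CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org
objectClass: rIDSet

dn: CN=SECOND-EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org
objectClass: computer
sAMAccountName: SECOND-EXISTING-DC$

dn: CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org
objectClass: computer
sAMAccountName: NEWDC$
rIDSetReferences: CN=RID Set,CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr_lower: [values]}).

    Unfolds continuation lines (a line starting with a space continues the
    previous one). Base64 values ("attr:: ...") are kept verbatim, not decoded.
    """
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def check_rid_sets(ldif_text):
    """Return {dc_dn: status} for every computer object under the Domain Controllers OU.

    Statuses: "ok", "rid-set-unreferenced" (object exists but the DC does not
    point at it), "dangling-rid-set-reference" (DC points at a missing object),
    "missing-rid-set" (neither object nor reference).
    """
    entries = parse_ldif(ldif_text)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    report = {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "computer" not in classes or ",ou=domain controllers," not in dn.lower():
            continue
        expected = f"CN=RID Set,{dn}".lower()
        rid_set = by_dn.get(expected, {})
        has_set = "ridset" in {c.lower() for c in rid_set.get("objectclass", [])}
        refs = {r.lower() for r in attrs.get("ridsetreferences", [])}
        if has_set and expected in refs:
            status = "ok"
        elif has_set:
            status = "rid-set-unreferenced"
        elif expected in refs:
            status = "dangling-rid-set-reference"
        else:
            status = "missing-rid-set"
        report[dn] = status
    return report


if __name__ == "__main__":
    for dc, status in check_rid_sets(SAMPLE_LDIF).items():
        print(f"{status:28} {dc}")
```

Against a live Samba AD DC the input would come from something like `ldbsearch -H /usr/local/samba/private/sam.ldb -b "OU=Domain Controllers,DC=mydomain,DC=org"` (paths assumed to match the source-install prefix shown in the thread). A DC reported as `missing-rid-set` is the situation the join error above describes: the join tried to create the RID Set on the existing DC on the fly and was refused because `rIDSet` is a system-only class, so it is worth checking for this before attempting a join rather than discovering it mid-way.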


Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

2013-07-23 Thread Andrew Bartlett
On Tue, 2013-07-23 at 20:38 +0100, Jonathan Hunter wrote:
 Hi,
 
 In time-honoured fashion I am replying to my own post, as I think I have
 figured out a workaround to my issue. Hopefully this will help others -
 here's what I did.
 
 On 22 July 2013 22:01, Jonathan Hunter jmhunt...@gmail.com wrote:
 
  Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
  from source), but I get the following:
 
 [...]
 
   ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM
  -  2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set
  DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
  Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
  system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
  Controllers,DC=mydomain,DC=org'! 
 
 
 
 After some careful googling, and trying to figure out what the heck a RID
 Set was, and why it couldn't be added, I discovered it was a property of a
 domain controller, and I think I should really have one against my existing
 DC - but I didn't.
 
 First step was ADSI Edit, to create it - but then I discovered that whilst
 ADSI Edit can create many things, a RID Set is not one of them.
 
 Second step was LDIFDE: I exported the RID Set from my other DC (in the
 other site), edited the LDIF to make a new RID Set for my existing DC - but
 couldn't import it (The server is unwilling to process the request).
 
 Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO
 role across between the DCs:
 
 second-existing-dc# samba-tool fsmo seize --role=rid
 Attempting transfer...
 FSMO transfer of 'rid' role successful
 ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
 message must have elements/attributes!
 
 The transfer was successful, but some kind of error occurred.. (!)

The error is a red herring, resolved in current versions.  There wasn't
actually an error :-)

 But, I was able to transfer the role back to the first DC - and this time,
 a RID Set finally appeared in AD! I did, however, get exactly the same
 error. This happened however many times I transfer the role, and for any
 role (I tried all of them :-))
 
 existing-dc# samba-tool fsmo seize --role=rid
 Attempting transfer...
 FSMO transfer of 'rid' role successful
 ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
 message must have elements/attributes!
 
 Still.. I have now been able to successfully join my domain - which does
 solve my initial problem, so I'm happy there at least.
 
 (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure
 if this is good, or bad! :))

A DC should ask for a RID set to be created shortly after starting up,
and certainly when an attempt to create users is made.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

2013-07-23 Thread Jonathan Hunter
On 23 July 2013 21:37, Andrew Bartlett abart...@samba.org wrote:

  On 22 July 2013 22:01, Jonathan Hunter jmhunt...@gmail.com wrote:
  second-existing-dc# samba-tool fsmo seize --role=rid
  Attempting transfer...
  FSMO transfer of 'rid' role successful
  ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
  message must have elements/attributes!

 The error is a red herring, resolved in current versions.  There wasn't
 actually an error :-)

 Ahh great - thank you! :)

 (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure
  if this is good, or bad! :))

 A DC should ask for a RID set to be created shortly after starting up,
 and certainly an attempt to create users is made.


OK. At this point I must admit to being impatient, and I did the 'fsmo
seize' trick a couple of times again, to get a RID set for my new server. I
didn't realise (or know!) that there was, or could be, a short delay...
although, during my 'fsmo seize' on one DC, and 'fsmo show' on another DC,
I did realise there was a delay in replication at the very least.

I should also at least mention that when I tried 'fsmo seize --role=all',
it just seized the rid role and no others - I had to run each one manually.
Not sure if that was an error in my setup, or a bug in samba-tool, but that
was only a minor hiccup in my larger exercise.

Anyway, I'm on to my next challenge now in my 'setting up new server' saga,
so that's good - thank you very much! :)

Jonathan



[Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set

2013-07-22 Thread Jonathan Hunter
Hi,

I have a Samba4 domain consisting of two 4.0.6 Samba servers, in two
different AD sites.

I am trying to join a new 4.0.7 Samba server as a DC.

Previously, I had had some issues caused by hardware failure of one of the
DCs; I have learnt my lesson about checking backups properly, as it took me
a surprisingly (for me) long time to recover from this (there was no FSMO
after the failure and I had to use ADSI Edit to fix this). However,
everything has been running fine since then - up till now.

Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7
from source), but I get the following:

(edited out to remove domain name)

[root@newdc ~]# samba-tool domain join mydomain.org DC
-UMYDOMAIN\\administrator --realm=mydomain.org
Finding a writeable DC for domain 'mydomain.org'
Found DC existing-dc.mydomain.org
Password for [MYDOMAIN\administrator]:
workgroup is MYDOMAIN
realm is mydomain.org
checking sAMAccountName
Adding CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
 2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN
- Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain
Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is
system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain
Controllers,DC=mydomain,DC=org'! 
  File
/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py,
line 175, in _run
return self.run(*args, **kwargs)
  File
/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py,
line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line
1104, in join_DC
ctx.do_join()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line
1007, in do_join
ctx.join_add_objects()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line
499, in join_add_objects
ctx.samdb.add(rec)

I think this is the same issue as in bug 9954:
https://bugzilla.samba.org/show_bug.cgi?id=9954

and in this previous post (I couldn't find a response to):
https://lists.samba.org/archive/samba-technical/2013-April/091668.html

I'm not averse to a bit of ADSI Edit or similar - but I don't really know
where to start with this...

Any ideas?

Thanks!

Jonathan
