Hi all,

I added a secondary Samba DC (Sernet rpm package 4.1.9) and noticed that sometimes samba-tool executes "group addmembers" and "group removemembers" commands without result. My further investigations led me to the samdb.py file where member account records to be added are retrieved from ldb:

--------------------------------------------------------------
for member in members:
    targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                               expression="(|(sAMAccountName=%s)(CN=%s))" % (
                                   ldb.binary_encode(member), ldb.binary_encode(member)),
                               attrs=[])

    if len(targetmember) != 1:
        continue

    if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember[0].dn) not in targetgroup[0]['member']):
        modified = True
        addtargettogroup += """add: member
member: %s
--------------------------------------------------------------

In the case when a person's short user name is the same as his/her computer's account, a search with the filter "(|(sAMAccountName=%s)(CN=%s))" returns entries for both accounts:

--------------------------------------------------------------
[root@bongo ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=PSB.ldb '(|(sAMAccountName=pavel)(CN=pavel))' dn sAMAccountName cn
# record 1
dn: CN=Pavel Milev,CN=Users,DC=psb
cn: Pavel Milev
sAMAccountName: pavel

# record 2
dn: CN=PAVEL,CN=Computers,DC=psb
cn: PAVEL
sAMAccountName: PAVEL$

# returned 2 records
# 2 entries
# 0 referrals
--------------------------------------------------------------

which in turn drops the member from the list of members to be added. The command exits without any warning/error message which would be helpful in case there is something wrong with the member list.

ATB,
Pavel
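The silent skip described in the report above, reproduced as an added example that is not Samba's code and not part of the original thread. It assumes an in-memory `DIRECTORY` built from the two ldbsearch records, case-insensitive matching on both attributes, and hypothetical function names (`search_member`, `resolve_silently`, `resolve_strict`); the strict variant shows one way to surface the ambiguity instead of dropping the member.

```python
# Constructed sample records mirroring the ldbsearch output in the report.
DIRECTORY = [
    {"dn": "CN=Pavel Milev,CN=Users,DC=psb", "cn": "Pavel Milev", "sAMAccountName": "pavel"},
    {"dn": "CN=PAVEL,CN=Computers,DC=psb", "cn": "PAVEL", "sAMAccountName": "PAVEL$"},
]

def search_member(name, directory=DIRECTORY):
    """Emulate (|(sAMAccountName=name)(CN=name)); assumes case-insensitive matching."""
    key = name.lower()
    return [e for e in directory
            if e["sAMAccountName"].lower() == key or e["cn"].lower() == key]

def resolve_silently(members):
    """Behaviour described in the report: anything but exactly one hit is skipped."""
    resolved = []
    for m in members:
        hits = search_member(m)
        if len(hits) != 1:
            continue  # member vanishes from the operation without a message
        resolved.append(hits[0]["dn"])
    return resolved

def resolve_strict(members):
    """Hypothetical alternative: collect every unresolved name and fail loudly."""
    resolved, problems = [], []
    for m in members:
        hits = search_member(m)
        if len(hits) == 1:
            resolved.append(hits[0]["dn"])
        elif not hits:
            problems.append("%s: no matching entry" % m)
        else:
            dns = "; ".join(h["dn"] for h in hits)
            problems.append("%s: ambiguous, matches %s" % (m, dns))
    if problems:
        raise LookupError("cannot resolve members: " + " | ".join(problems))
    return resolved

if __name__ == "__main__":
    print(resolve_silently(["pavel"]))  # user is dropped, caller sees no error
    try:
        resolve_strict(["pavel", "nosuchuser"])
    except LookupError as err:
        print(err)
```

For access reviews, the practical consequence is that a group change can appear to succeed while the membership stays unchanged, so the result should be confirmed by reading the group back.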
If a user and a computer have the same name (cn in LDAP differs only in case, sAMAccountName differs), it cannot be added to the group.
Closing bug report, the code has vastly changed since this was reported.