Bug 10744 - samba-tool does not add a group member. Probably wrong ldap search filter
Summary: samba-tool does not add a group member. Probably wrong ldap search filter
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.1.9
Hardware: x86 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-25 14:50 UTC by jdbc
Modified: 2020-05-05 08:27 UTC
Description jdbc 2014-07-25 14:50:26 UTC
Hi all,
I added a secondary Samba DC (Sernet rpm package 4.1.9) and noticed that sometimes samba-tool executes "group addmembers" and "group removemembers" commands without result.
My further investigations led me to the samdb.py file where member account records to be added are retrieved from ldb:
--------------------------------------------------------------
for member in members:
    targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
                               expression="(|(sAMAccountName=%s)(CN=%s))" % (
                                   ldb.binary_encode(member), ldb.binary_encode(member)), attrs=[])

    # Anything other than exactly one hit is skipped silently: no warning, no error.
    if len(targetmember) != 1:
        continue

    if add_members_operation is True and (targetgroup[0].get('member') is None or str(targetmember[0].dn) not in targetgroup[0]['member']):
        modified = True
        addtargettogroup += """add: member
member: %s
--------------------------------------------------------------
In the case where a person's short user name is the same as his/her computer's account name, a search with the filter "(|(sAMAccountName=%s)(CN=%s))" returns entries for both accounts:
--------------------------------------------------------------
[root@bongo ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=PSB.ldb '(|(sAMAccountName=pavel)(CN=pavel))' dn sAMAccountName cn
# record 1
dn: CN=Pavel Milev,CN=Users,DC=psb
cn: Pavel Milev
sAMAccountName: pavel

# record 2
dn: CN=PAVEL,CN=Computers,DC=psb
cn: PAVEL
sAMAccountName: PAVEL$

# returned 2 records
# 2 entries
# 0 referrals
--------------------------------------------------------------

which in turn drops the member from the list of members to be added.

The command exits without any warning/error message, which would be helpful in case there is something wrong with the member list.

ATB,
Pavel
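The failure mode above, and a stricter resolution step that refuses to drop a member silently, as an added illustration that is not Samba's code. The entries below are constructed from the ldbsearch output in this report; the helper names are assumptions.

```python
# Added example, not Samba's implementation. Emulates samba-tool's member lookup
# against an in-memory stand-in for the search results quoted in the report.

class UnknownMember(Exception):
    """No directory entry matched the member name."""

class AmbiguousMember(Exception):
    """More than one directory entry matched the member name."""

# Constructed stand-in for the two records ldbsearch returned for "pavel".
SEARCH_RESULT = [
    {"dn": "CN=Pavel Milev,CN=Users,DC=psb", "cn": "Pavel Milev",
     "sAMAccountName": "pavel"},
    {"dn": "CN=PAVEL,CN=Computers,DC=psb", "cn": "PAVEL",
     "sAMAccountName": "PAVEL$"},
]

def matches_loose_filter(entry, member):
    """Emulate (|(sAMAccountName=m)(CN=m)); both attributes are case-insensitive in AD."""
    m = member.lower()
    return entry["sAMAccountName"].lower() == m or entry["cn"].lower() == m

def buggy_member_dns(entries, member):
    """Behaviour described in the report: anything but exactly one hit is dropped."""
    hits = [e for e in entries if matches_loose_filter(e, member)]
    return [hits[0]["dn"]] if len(hits) == 1 else []

def resolve_member_dn(entries, member):
    """Return the single DN for `member`.

    On more than one hit, prefer an exact sAMAccountName match: a computer's
    sAMAccountName always carries a trailing '$', so "pavel" can only be the
    user even though the computer's CN also equals "PAVEL". If that still does
    not yield exactly one entry, raise instead of skipping the member quietly.
    """
    hits = [e for e in entries if matches_loose_filter(e, member)]
    if not hits:
        raise UnknownMember(member)
    if len(hits) > 1:
        exact = [e for e in hits if e["sAMAccountName"].lower() == member.lower()]
        if len(exact) != 1:
            raise AmbiguousMember("%s matches %s" % (member, [e["dn"] for e in hits]))
        return exact[0]["dn"]
    return hits[0]["dn"]
```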
Comment 1 Andrey Cherepanov 2014-10-15 12:42:30 UTC
If a user and a computer have the same name (the cn in LDAP differs only in case, the sAMAccountName differs), it cannot be added to the group.
Comment 2 Rowland Penny 2020-05-05 08:27:43 UTC
Closing bug report, the code has vastly changed since this was reported.