Bug 10863 - ldif "dn" prefixes case sensitivity (and primaryGroupID module)
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.1.12
Hardware: All Linux
Importance: P5 normal
Target Milestone: 4.3
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-10-09 11:35 UTC by PELLEGRIN Baptiste
Modified: 2014-11-29 10:11 UTC

Description PELLEGRIN Baptiste 2014-10-09 11:35:30 UTC
Hi Samba team!

I have found a very strange bug when changing my user's primaryGroupID with ldif files. The bug is very easy to reproduce:

1) Create a user, create a group, add the user to the group
-------------------------------
~# samba-tool user add stduser
User 'stduser' created successfully

~# samba-tool group add stdgroup
Added group stdgroup

~# samba-tool group addmembers stdgroup stduser
Added members to group stdgroup
-------------------------------

2) Get the group SID, and change the user's primaryGroupID with the dn prefixes in lower case:
-------------------------------
~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn primaryGroupID memberOf
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
cn: stduser
primaryGroupID: 513
memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com

~# wbinfo --name-to-sid=stdgroup
S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)

~# cat /tmp/chggrp.ldif
dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
Modified 1 records successfully
-------------------------------

3) Now there are errors in the ldb database! The group membership is written once with lower-case prefixes and once with upper-case prefixes:
-------------------------------
~# samba-tool group listmembers "Domain Users" | grep stduser
stduser

~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
-------------------------------

!! If the dn prefixes are written in upper case like below, it works !!
-------------------------------
~# cat /tmp/chggrp2.ldif
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
-------------------------------

The problem occurs when the primaryGroupID is changed and when the "memberOf" attribute needs to be added. The case is not checked.

Thanks!
Comment 1 PELLEGRIN Baptiste 2014-10-13 12:33:20 UTC
Finally, after some investigation, the problem is not resolved when the CN is well written!

1) In the first case (prefixes in lower case)

dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

The database is corrupted and I cannot remove the user from the previous group. So I cannot repair the database without dbcheck --fix:

-------------------------------
~# samba-tool group removemembers "Domain Users" stduser
Removed members from group Domain Users

~# samba-tool group listmembers "Domain Users" | grep stduser
stduser

~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
-------------------------------

2) In the second case (prefixes in upper case):

dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

The database is still corrupted! But I can remove the user from the previous group. So I can repair the database by removing the user from the previous group and adding it again.

-------------------------------
~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,CN=Users,DC=my,DC=example,DC=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com

~# samba-tool group removemembers "Domain Users" stduser
Removed members from group Domain Users

~# samba-tool group listmembers "Domain Users" | grep stduser

~# samba-tool dbcheck | grep stduser

-------------------------------

I don't understand why Samba says that the DN string is incorrect!

Baptiste.
Comment 2 PELLEGRIN Baptiste 2014-10-13 16:51:44 UTC
Here is the correction made by ldbcheck. Samba wants to add the SID of the user to the "member" attribute of the group:

-------------------------------
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;CN=stduser,CN=Users,DC=my,DC=example,DC=com

Change DN to

<GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;<SID=S-1-5-21-1691533938-518786298-626738373-1217>;CN=stduser,CN=Users,DC=my,DC=example,DC=com


? [y/N/all/none]
-------------------------------

Here is the difference between a normal "member" attribute (with samba-tool addmembers) and a corrupted one (by changing primaryGroupID):

-------------------------------
~# ldbsearch  --extended-dn -H /usr/local/samba/private/sam.ldb '(cn=Domain Users)' member

member: <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;CN=stduser,CN=Users,DC=my,DC=example,DC=com

~# ldbsearch  --extended-dn -H /usr/local/samba/private/sam.ldb '(cn=goodgroup)' member

member: <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;<SID=S-1-5-21-1691533938-518786298-626738373-1217>;CN=stduser,CN=Users,DC=my,DC=example,DC=com
-------------------------------

Baptiste.
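
A check built on the difference shown in Comment 2, as an added example that is not part of the bug report or of Samba's code: it parses `member` values as printed by `ldbsearch --extended-dn` and reports a missing `<SID=...>` component or a string DN whose case differs from the object's own DN. The function names and the lower-casing DN comparison are assumptions of this example; the sample values are the ones quoted in the thread.

```python
import re

# One extended-DN value as printed by `ldbsearch --extended-dn`:
# optional <GUID=...>; and <SID=...>; components, then the string DN.
EXT_DN = re.compile(
    r"^(?:<GUID=(?P<guid>[0-9a-fA-F-]{36})>;)?"
    r"(?:<SID=(?P<sid>S-[0-9-]+)>;)?"
    r"(?P<dn>.+)$"
)

def parse_member(line):
    """Split a 'member: <GUID=..>;<SID=..>;DN' line into its components."""
    attr, _, value = line.partition(":")
    if attr.strip().lower() != "member":
        return None
    m = EXT_DN.match(value.strip())
    return m.groupdict() if m else None

def check_member(line, canonical_dns):
    """Return the findings for one member value (empty list = consistent)."""
    parts = parse_member(line)
    if parts is None:
        return ["not a member value"]
    findings = []
    if parts["guid"] is None:
        findings.append("no GUID component")
    if parts["sid"] is None:
        # Assumption: the link target is a user or group, which has a SID.
        findings.append("no SID component")
    # Simplification: DNs are matched by lower-casing the whole string.
    by_fold = {dn.lower(): dn for dn in canonical_dns}
    stored = by_fold.get(parts["dn"].lower())
    if stored is None:
        findings.append("string DN matches no known object")
    elif stored != parts["dn"]:
        findings.append("string DN differs in case from " + stored)
    return findings

# The user's DN as stored on the object, and three member values from the thread.
CANONICAL = ["CN=stduser,CN=Users,DC=my,DC=example,DC=com"]
GUID = "<GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;"
SID = "<SID=S-1-5-21-1691533938-518786298-626738373-1217>;"
SAMPLES = {
    "dbcheck_lowercase": "member: " + GUID + "cn=stduser,cn=Users,dc=my,dc=example,dc=com",
    "domain_users": "member: " + GUID + CANONICAL[0],
    "goodgroup": "member: " + GUID + SID + CANONICAL[0],
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, "->", check_member(line, CANONICAL) or "consistent")
```

A missing SID component is only a finding when the link target is a security principal; members without a SID would need to be excluded by object class before acting on the result.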
Comment 3 Karolin Seeger 2014-11-27 10:59:42 UTC
Is this a showstopper for 4.2.0?
Comment 4 Stefan Metzmacher 2014-11-29 10:11:42 UTC
This is not a blocker for 4.2.0, it's no regression compared to 4.1