Hi samba team! I have found a very strange bug when changing my user's primaryGroupID with ldif files. The bug is very easy to reproduce:

1) Create a user, create a group, add the user to the group
-------------------------------
~# samba-tool user add stduser
User 'stduser' created successfully
~# samba-tool group add stdgroup
Added group stdgroup
~# samba-tool group addmembers stdgroup stduser
Added members to group stdgroup
-------------------------------

2) Get the group sid, and change the user's primaryGroupID with the dn prefixes in lower case:
-------------------------------
~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn primaryGroupID memberOf
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
cn: stduser
primaryGroupID: 513
memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
~# wbinfo --name-to-sid=stdgroup
S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
~# cat /tmp/chggrp.ldif
dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
Modified 1 records successfully
-------------------------------

3) Now there are errors in the ldb base! The group membership is one time written with lower case prefixes and one time with upper case prefixes:
-------------------------------
~# samba-tool group listmembers "Domain Users" | grep stduser
stduser
~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
-------------------------------

!! If the dn prefixes are written in upper case like below, it works !!
-------------------------------
~# cat /tmp/chggrp2.ldif
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
-------------------------------

The problem occurs when the primaryGroupID is changed and when the "memberOf" attribute needs to be added. The case is not checked.

Thanks!
Finally, after some investigations, the problem is not resolved when the CN is well written!

1) In the first case (prefixes in lower case)

dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

The database is corrupted and I cannot remove the user from the previous group. So I cannot repair the database without dbcheck --fix:
-------------------------------
~# samba-tool group removemembers "Domain Users" stduser
Removed members from group Domain Users
~# samba-tool group listmembers "Domain Users" | grep stduser
stduser
~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
-------------------------------

2) In the second case (prefixes in upper case):

dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

The database is still corrupted! But I can remove the user from the previous group. So I can repair the database by removing and adding again the user from the previous group.
-------------------------------
~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,CN=Users,DC=my,DC=example,DC=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
~# samba-tool group removemembers "Domain Users" stduser
Removed members from group Domain Users
~# samba-tool group listmembers "Domain Users" | grep stduser
~# samba-tool dbcheck | grep stduser
-------------------------------

I don't understand why Samba says that the DN string is incorrect!

Baptiste.
Here is the correction made by ldbcheck. Samba wants to add the SID of the user in the "member" attribute of the group:
-------------------------------
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;CN=stduser,CN=Users,DC=my,DC=example,DC=com
Change DN to <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;<SID=S-1-5-21-1691533938-518786298-626738373-1217>;CN=stduser,CN=Users,DC=my,DC=example,DC=com ? [y/N/all/none]
-------------------------------

Here is the difference between a normal "member" attribute (with samba-tool addmembers) and a corrupted one (by changing primaryGroupID):
-------------------------------
~# ldbsearch --extended-dn -H /usr/local/samba/private/sam.ldb '(cn=Domain Users)' member
member: <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;CN=stduser,CN=Users,DC=my,DC=example,DC=com
~# ldbsearch --extended-dn -H /usr/local/samba/private/sam.ldb '(cn=goodgroup)' member
member: <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;<SID=S-1-5-21-1691533938-518786298-626738373-1217>;CN=stduser,CN=Users,DC=my,DC=example,DC=com
-------------------------------

Baptiste.
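
Added example (not part of the original report and not Samba code): a small offline audit of `ldbsearch --extended-dn ... member` output that flags the two symptoms shown in the comments above, a member link with no <SID=...> component and a DN string whose spelling differs from another link to the same GUID. The function names and the sample text are constructed for illustration; treating the SID-bearing value as the reference spelling is an assumption.

```python
import re

# Constructed sample: extended-DN member output for two groups, modelled on the
# values quoted in the report (first case, lower-case prefixes).
SAMPLE = """\
dn: CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
member: <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com

dn: CN=goodgroup,CN=Users,DC=my,DC=example,DC=com
member: <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;<SID=S-1-5-21-1691533938-518786298-626738373-1217>;CN=stduser,CN=Users,DC=my,DC=example,DC=com
"""

EXT = re.compile(r"<([A-Za-z]+)=([^>]*)>;")

def parse_extended_dn(value):
    """Split '<GUID=..>;<SID=..>;CN=..' into ({'GUID': .., 'SID': ..}, 'CN=..')."""
    comps, pos = {}, 0
    while (m := EXT.match(value, pos)):
        comps[m.group(1).upper()] = m.group(2)
        pos = m.end()
    return comps, value[pos:]

def read_members(ldif_text):
    """Yield (group_dn, components, dn_string) for every member value."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # join LDIF continuation lines
    group = None
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and attr.lower() == "dn":
            group = parse_extended_dn(value)[1]
        elif sep and attr.lower() == "member":
            yield (group, *parse_extended_dn(value))

def audit_links(ldif_text):
    """Compare each member value with a complete link to the same GUID."""
    links = list(read_members(ldif_text))
    # Assumption: a value that carries both GUID and SID has the reference DN.
    reference = {c["GUID"]: dn for _, c, dn in links if "GUID" in c and "SID" in c}
    findings = []
    for group, comps, dn in links:
        ref = reference.get(comps.get("GUID"))
        if ref is None:
            continue  # no complete link to compare against
        if "SID" not in comps:
            findings.append((group, "missing SID component", dn))
        if dn != ref:
            findings.append((group, "DN string differs from reference", dn))
    return findings
```

Links to objects that never have a SID are left alone, because a value is only flagged when some other link to the same GUID does carry one.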
Is this a showstopper for 4.2.0?
This is not a blocker for 4.2.0, it's no regression compared to 4.1
Baptiste, Are you able to reproduce this with a recent version? I get "unwilling to perform" at the ldbmodify.