The Samba-Bugzilla – Bug 13095
Broken linked attribute handling
Last modified: 2017-11-09 09:41:17 UTC
Created attachment 13715 [details]
user 3 times in group
Since 4.7.0 there is an issue with the linked attribute handling.
This allows for example to add a user multiple times to one group. Editing memberships leads to inconsistent memberships within the AD with multiple DCs.
Created attachment 13716 [details]
user 1 time removed from group
Created attachment 13717 [details]
This is reproducible by using the ldbedit tool. Open a group object, just copy the "member" attribute and insert it multiple times.
Versions prior 4.7.0 block this change with the following message:
Failed to commit transaction: Failed to add backlink from CN=g_grouptest1,CN=Users,DC=DOM,DC=local to CN=u_grouptest1,CN=Users,DC=DOM,DC=local - attribute 'memberOf': value #0 on 'CN=u_grouptest1,CN=Users,DC=DOM,DC=local' already exists
This appears to only trigger in the replace case (which is triggered by ldbedit). A standard modify with the member add triggers an explicit check (which it did not used to have). The replace case doesn't appear to have this check.
Created attachment 13721 [details]
patch to test and fix the MOD_REPLACE case
I think this should fix the problem.
Looking into this sparked related patches which you can see in
but I think these two are enough to fix the bug and should be backported.
(In reply to Douglas Bagnall from comment #5)
Thank you Douglas!
I confirm that the patch is working. I've verified this by using the patch on v4-7-test with ldbedit and ldbmodify using the replace command.
Created attachment 13729 [details]
patch for 4.7.1
The previously attached patches cherry-picked from master onto origin/v4-7-test.
Comment on attachment 13729 [details]
patch for 4.7.1
Thanks. Please pick for 4.7.next
(In reply to Andrew Bartlett from comment #8)
Pushed to autobuild-v4-7-test.
Pushed to v4-7-test.
Closing out bug report.
Keep the bug open for the dbcheck fixes
Users who got impacted by this bug in 4.7.0 has now an inconsistent database and replication errors in 4.7.1.
I'm unable to fix it using dbcheck neither manually by removing members from the group and ldbedit/ldbmodify
"objectclass_attrs: attribute 'memberOf' on entry 'CN=test user,OU=CPAS,OU=MUSERS,DC=contoso,DC=com" must not be modified directly, it is a linked attribute"
(In reply to Maxence Sartiaux from comment #12)
http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/abartlet-dbcheck-links-2017-11 has fixes for dbcheck.
Hopefully they will be ready for 4.7.2