Created attachment 14171
reproduce-incorrect-DN-SID-component-for-member.sh

The attached script triggers an inconsistency in extended DN of a member attribute in the sam.ldb backend. The script simply creates a user and then modifies the primaryGroupID to something other than 513. After that samba-tool dbcheck shows this:

ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=some,DC=domain - <GUID=7eb7e9a9-1cf5-4d34-915c-662897d7c660>;<RMD_ADDTIME=131643299170000000>;<RMD_CHANGETIME=131643299170000000>;<RMD_FLAGS=0>;<RMD_INVOCID=ff8235ec-3395-407e-ad8b-61e725384ce0>;<RMD_LOCAL_USN=4079>;<RMD_ORIGINATING_USN=4079>;<RMD_VERSION=0>;CN=testuser1,CN=Users,DC=some,DC=domain

The <SID=...>; part is missing here. From the ldbmodify --trace it looks like extended_dn_modify from source4/dsdb/samdb/ldb_modules/extended_dn_store.c could be a point of interest, but I haven't fully understood the code path yet. Any ideas where I should dig into or how to approach this?
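Added example (not part of the original report and not Samba's own code): a small parser for the extended DN string form shown in the dbcheck error above, reporting which expected components a stored member link lacks. The required set (GUID and SID), the function names, and the second sample value are assumptions constructed for this illustration; the first sample is the value quoted in the report.

```python
import re

# Assumption for this example: a member link to a security principal should
# carry both GUID and SID (the report shows GUID present, SID missing).
REQUIRED = ("GUID", "SID")
_COMPONENT = re.compile(r"<([A-Za-z_]+)=([^>]*)>;")

def parse_extended_dn(value):
    """Split '<K=v>;<K=v>;CN=...' into (components dict, plain DN)."""
    components, pos = {}, 0
    while True:
        m = _COMPONENT.match(value, pos)
        if not m:
            break
        key = m.group(1).upper()
        if key in components:
            raise ValueError(f"duplicate extended component {key}")
        components[key] = m.group(2)
        pos = m.end()
    dn = value[pos:]
    if not dn or dn.startswith("<"):
        raise ValueError("malformed extended DN: no plain DN after components")
    return components, dn

def missing_components(value, required=REQUIRED):
    """List required components that are absent or empty in one link value."""
    components, _ = parse_extended_dn(value)
    return [k for k in required if not components.get(k)]

def audit_members(values):
    """Return {plain DN: [missing components]} for links failing the check."""
    report = {}
    for v in values:
        missing = missing_components(v)
        if missing:
            report[parse_extended_dn(v)[1]] = missing
    return report

# Value quoted in the dbcheck error above.
BROKEN = ("<GUID=7eb7e9a9-1cf5-4d34-915c-662897d7c660>;"
          "<RMD_ADDTIME=131643299170000000>;<RMD_CHANGETIME=131643299170000000>;"
          "<RMD_FLAGS=0>;<RMD_INVOCID=ff8235ec-3395-407e-ad8b-61e725384ce0>;"
          "<RMD_LOCAL_USN=4079>;<RMD_ORIGINATING_USN=4079>;<RMD_VERSION=0>;"
          "CN=testuser1,CN=Users,DC=some,DC=domain")
# Constructed sample of a link with both components (GUID and SID are made up).
HEALTHY = ("<GUID=00000000-1111-2222-3333-444444444444>;"
           "<SID=S-1-5-21-1111111111-2222222222-3333333333-1104>;"
           "CN=testuser2,CN=Users,DC=some,DC=domain")

if __name__ == "__main__":
    print(audit_members([BROKEN, HEALTHY]))
```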
Ok, I see that during samldb_modify the samldb_prim_group_change function in source4/dsdb/samdb/ldb_modules/samldb.c adds the new "member" attribute to the prev_prim_group_dn. But then neither the linked_attributes_modify function in the linked_attributes module nor the extended_dn_modify in extended_dn_store triggers adding the <SID=...>; part. On the other hand the "GUID" part of the extended member dn gets added.

Hmm, I'm giving up for today. Usually the resulting inconsistency can be fixed easily with dbcheck --fix but I've seen cases where dbcheck --fix runs into a secondary error while fixing that attribute and aborts the transaction. I'll add a script if I manage to reproduce that too.
Created attachment 14177
reproduce-unfixable-incorrect-DN-SID-component-for-member.sh

Ah, it's easy to reproduce the "unfixable" case just by changing the primaryGroupID back to the original value. Script attached.
So this is a module ordering issue: as the request goes down the stack, it never gains the extra SID etc. because extended_dn_store is above samldb.
Created attachment 14549
Patches for v4-9-test
Created attachment 14550
Patches for v4-8-test
G'Day Karolin,

Please pick for 4.8.next and 4.9.next.

Thanks!
(In reply to Andrew Bartlett from comment #6) Hi Andrew, pushed to autobuild-v4-{9,8}-test.
(In reply to Karolin Seeger from comment #7) Pushed to both branches. Closing out bug report. Thanks!