I have a group (cn=sirs,ou=examplegroups,dc=ad,dc=example,dc=org) with some members. I delete one of them:
./bin/pdbedit -x user
Now, whatever operation I perform with LDAP commands on the group with the dangling membership, I receive:
ERROR - Error while modifying entry CN=sirs,OU=examplegroups,DC=ad,DC=example,DC=org in directory :javax.naming.NameNotFoundException: [LDAP: error code 32 - 00000525: specified dn doesn't exist at ../source4/dsdb/samdb/ldb_modules/extended_dn_store.c:163:extended_dn_handle_fpo_attr]; remaining name 'CN=sirs,OU=unimoregroups,DC=ad'
The group cannot be handled any more through LDAP commands (ADUC works, though).
The problem is twofold:
1) prevent a group from becoming invalid;
2) sanitize invalid groups (deleting them does not work, nor does samba-tool dbcheck --repair).
Sorry, I tried again today and this time deleting the stale group solves the issue.