Bug 15029 - Can't delete some AD groups
Summary: Can't delete some AD groups
Status: RESOLVED DUPLICATE of bug 14902
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.13
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-03-22 12:55 UTC by Benoît Tonnerre
Modified: 2022-05-04 04:57 UTC

Attachments
screenshot from windows when trying to delete a group (59.04 KB, image/png)
2022-03-22 12:55 UTC, Benoît Tonnerre
screenshot from LDAP client (50.81 KB, image/png)
2022-03-22 12:56 UTC, Benoît Tonnerre
samba configuration file (1.40 KB, text/plain)
2022-03-22 12:56 UTC, Benoît Tonnerre
samba tool dbcheck reindex log (63.30 KB, text/plain)
2022-03-23 20:32 UTC, Benoît Tonnerre

Description Benoît Tonnerre 2022-03-22 12:55:42 UTC
Created attachment 17232
screenshot from windows when trying to delete a group

Dear samba community, 

At IUT Orsay (a component of Paris Saclay University), we have used samba4 (shipped with Debian Bullseye, version 2:4.13.13+dfsg-1~deb11u3) for years.

For a couple of months, we have seen strange behavior with some AD groups that cannot be deleted.

We obviously tried with Windows utilities and samba-tool, and we tried to browse the LDAP structure with a Java client (LDAP Browser).
Nothing seems to work.

You will find 2 screenshots and our smb.conf file:
- 01_ad_group_delete.png: a screenshot from Windows, when trying to delete a group.
- 02_ad_group_read_entry_from_ldap_browser: a screenshot from the LDAP browser client.

When using samba-tool:

# sudo samba-tool group show DU\ FLE\ pour\ etud.\ etrangers\ prerecrutement\ \ a\ Paris\ 11
ERROR: Unable to find group "DU FLE pour etud. etrangers prerecrutement  a Paris 11"

Users or groups are created from a web interface, using LDAP information from University Paris Saclay.
In September, the new University LDAP was a mess with group IDs; maybe the problem is coming from there.

We tried the dbcheck options:

# sudo samba-tool dbcheck --cross-ncs --fix
Checking 8681 objects
Checked 8681 objects (0 errors)

Honestly, I don't know where to start to find a solution.
Some groups can be deleted, some cannot.
Can you give us some leads?

If you need any information, don't hesitate.

Thanks a lot.

Best regards.
Comment 1 Benoît Tonnerre 2022-03-22 12:56:37 UTC
Created attachment 17233
screenshot from LDAP client
Comment 2 Benoît Tonnerre 2022-03-22 12:56:58 UTC
Created attachment 17234
samba configuration file
Comment 3 Rowland Penny 2022-03-22 19:37:47 UTC
(In reply to Benoît Tonnerre from comment #2)
Please go here: https://apt.van-belle.nl/

Add Louis's repo and use the latest Samba version: 4.15.6
I can create your groupname (using samba-tool), show and delete it using that version.
Comment 4 Björn Jacke 2022-03-22 21:54:53 UTC
Attaching a screenshot in cases where bytes and characters may be important is not ideal. You should give plain text information instead. If my eyes don't fool me, I see two spaces in that group name that you have there in that screenshot. In that case, this bug is probably a duplicate of bug 14902.
Comment 5 Benoît Tonnerre 2022-03-22 22:15:23 UTC
Sorry for the screenshots.
The group name is "DU FLE pour etud. etrangers prerecrutement  a Paris 11" and there are two spaces.
I tested another group, and indeed, there are two spaces too: "DUT  Informatique 1ere Annee".

I will try samba 4.15.6 proposed by Rowland tomorrow.

Thank you very much for your advice and your help.
Comment 6 Benoît Tonnerre 2022-03-23 20:32:26 UTC
Created attachment 17236
samba tool dbcheck reindex log
Comment 7 Benoît Tonnerre 2022-03-23 20:33:35 UTC
Hi, 

I just upgraded from 4.13.13 to 4.16.5 (from apt.van-belle.nl) and unfortunately, the problem seems to still be there.

- samba-tool dbcheck --cross-ncs --fix: still reports 0 errors.
- I checked bug report 14902 and I tried sudo samba-tool dbcheck --reindex and I got many errors (duplicate attribute value / duplicate objectGUID).
I attach the result of this command.

What do you think I should do?

Thanks for your advice and your help.

Best regards.
Comment 8 Benoît Tonnerre 2022-05-03 13:52:16 UTC
Hi, 

I think I managed to solve the issue somehow. 

It seems that only two groups were the culprits.

"DU FLE pour etud. etrangers prerecrutement  a Paris 11" and "LP Materiaux  metrologie et instrumentation (GLP2MI-900)"

I used samba-tool to recreate the groups (I don't understand why I was able to recreate the exact same group name in the same OU):

# samba-tool group add "LP Materiaux  metrologie et instrumentation (GLP2MI-900)" --groupou=OU=groups
# samba-tool group add "DU FLE pour etud. etrangers prerecrutement  a Paris 11" --groupou=OU=groups

At this step, ldbedit showed two records for the same group name (I used: ldbedit -e vim -H /var/lib/samba/private/sam.ldb '(cn=DU FLE*)')

After that I deleted the groups:

# samba-tool group delete "LP Materiaux  metrologie et instrumentation (GLP2MI-900)"
# samba-tool group delete "DU FLE pour etud. etrangers prerecrutement  a Paris 11"

Now, samba-tool dbcheck --reindex is working and says "completed re-index OK".

I can access my group member lists with Windows and with samba-tool for those specific groups.
Comment 9 Andrew Bartlett 2022-05-04 04:57:41 UTC
This very much looks like a duplicate as suggested in comment #4

*** This bug has been marked as a duplicate of bug 14902 ***
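
Added example, not part of the bug thread and not Samba code: a check that lists group names containing consecutive spaces (the pattern identified in comments 4 and 5) from `ldbsearch` LDIF output, handling folded lines and base64-encoded values. The sample records, the `DC=example,DC=test` suffix and the function names are constructed for illustration; the `ldbsearch` command in the comment is an assumed invocation using the database path from comment 8.

```python
import base64
import re
import sys

def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Constructed sample in the LDIF shape ldbsearch prints; not real directory data.
SAMPLE_LDIF = (
    "# record 1\n"
    "dn: CN=DUT  Informatique 1ere Annee,OU=groups,DC=example,DC=test\n"
    "cn: DUT  Informatique 1ere Annee\n"
    "\n"
    "# record 2\n"
    "dn: CN=Staff,OU=groups,DC=example,DC=test\n"
    "cn: Staff\n"
    "\n"
    "# record 3: non-ASCII values are base64-encoded ('::')\n"
    f"dn:: {_b64('CN=Licence  été,OU=groups,DC=example,DC=test')}\n"
    f"cn:: {_b64('Licence  été')}\n"
    "\n"
    "# record 4: value folded onto a continuation line\n"
    "dn: CN=LP Materiaux  metrologie,OU=groups,DC=example,DC=test\n"
    "cn: LP Materiaux \n"
    "  metrologie\n"
)

def parse_groups(ldif):
    """Yield (dn, cn) per record, undoing LDIF line folding and base64."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # continuation lines start with one space
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.lstrip(" ")
            attrs.setdefault(name.lower(), value)
        if "dn" in attrs and "cn" in attrs:
            yield attrs["dn"], attrs["cn"]

def groups_with_repeated_spaces(ldif):
    """Return (dn, cn) pairs whose cn contains two or more consecutive spaces."""
    return [(dn, cn) for dn, cn in parse_groups(ldif) if re.search(r" {2,}", cn)]

if __name__ == "__main__":
    # Assumed usage: ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' cn | python3 this.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LDIF
    for dn, cn in groups_with_repeated_spaces(text):
        print(repr(cn), dn)
```

Printing the name with `repr()` keeps the doubled space visible in terminal output, which is the plain-text form comment 4 asks for.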