Created attachment 17232 [details]
screenshot from windows when trying to delete a group
Dear samba community,
At IUT Orsay (component of Paris Saclay University), we used samba4 (shipped from Debian Bullseye : Version: 2:4.13.13+dfsg-1~deb11u3) for years.
Since a couple of month, we have a strange behavior with some AD groups that can not be deleted.
We tried obviously with Windows utilities, samba-tool and we tried to browse LDAP structure with a java client (LDAP Browser).
Nothing seems to work.
You will find 2 screenshots and our smb.conf file :
- 01_ad_group_delete.png : a screen form windows, when trying to delete a group.
- 02_ad_group_read_entry_from_ldap_browser : a screen from LDAP browser client.
When using samba-tool :
# sudo samba-tool group show DU\ FLE\ pour\ etud.\ etrangers\ prerecrutement\ \ a\ Paris\ 11
ERROR: Unable to find group "DU FLE pour etud. etrangers prerecrutement a Paris 11"
Users ou groups are created from a web interface, using LDAP information from University Paris Saclay.
In september, the new University LDAP was a mess with group ID, maybe the problem is coming from there.
We tried the dbcheck options :
# sudo samba-tool dbcheck --cross-ncs --fix
Checking 8681 objects
Checked 8681 objects (0 errors)
Honestly, I don't know where to start to find some solutions.
Some groups can be deleted, some can not.
Can you give us some leads ?
If you need any informations don't hesitate.
Thanks a lot.
Created attachment 17233 [details]
screenshot from LDAP client
Created attachment 17234 [details]
samba configuration file
(In reply to Benoît Tonnerre from comment #2)
Please go here: https://apt.van-belle.nl/
Add Louis's repo and use the latest Samba version: 4.15.6
I can create your groupname (using samba-tool), show and delete it using that version.
attaching a screenshot in cases, where bytes and characters may be important is not ideal. You should give plain text information instead. If my eyes don't fool me, I see two spaces in that group name that you have there in that screenshot. In that case, this bug is probably a duplicate of bug 14902.
Sorry for the screenshots.
The group name is "DU FLE pour etud. etrangers prerecrutement a Paris 11" and there is two spaces.
I tested an other group, and indeed, there is two spaces two : "DUT Informatique 1ere Annee".
I will try samba 4.15.6 proposed by Rowland tomorrow.
Thank you very much for your advice and your help.
Created attachment 17236 [details]
samba tool dbcheck reindex log
I just upgraded from 4.13.13 to 4.16.5 (from apt.van-belle.nl) and unfortunately, the problems seems to be still there.
- samba-tool dbcheck --cross-ncs --fix : still report 0 error.
- I checked bug report 14902 and I tried sudo samba-tool dbcheck --reindex and I got many errors (duplicate attribute value / duplicate objectGUID).
I attach the result of this command.
What do you think, I should do ?
Thanks for your advice and your help.
I think I managed to solve the issue somehow.
It seems that only two groups were the culprits.
"DU FLE pour etud. etrangers prerecrutement a Paris 11" and "LP Materiaux metrologie et instrumentation (GLP2MI-900)"
I used samba-tool to recreate the groups (I don't understand why I was able to recreate the exact same group name in the same OU) :
# samba-tool group add "LP Materiaux metrologie et instrumentation (GLP2MI-900)" --groupou=OU=groups
# samba-tool group add "DU FLE pour etud. etrangers prerecrutement a Paris 11" --groupou=OU=groups
At this step, ldbedit showed two reccords for the same group name (I used : ldbedit -e vim -H /var/lib/samba/private/sam.ldb '(cn=DU FLE*)')
After that i deleted the groups :
# samba-tool group delete "LP Materiaux metrologie et instrumentation (GLP2MI-900)"
# samba-tool group delete "DU FLE pour etud. etrangers prerecrutement a Paris 11"
Now, samba-tool dbcheck --reindex is working and says "completed re-index OK".
I can access my group list members's with Windows and with samba-tool for thoses specific groups.
This very much looks like a duplicate as suggested in comment #4
*** This bug has been marked as a duplicate of bug 14902 ***