Created attachment 17232 [details] screenshot from windows when trying to delete a group Dear samba community, At IUT Orsay (component of Paris Saclay University), we used samba4 (shipped from Debian Bullseye : Version: 2:4.13.13+dfsg-1~deb11u3) for years. Since a couple of month, we have a strange behavior with some AD groups that can not be deleted. We tried obviously with Windows utilities, samba-tool and we tried to browse LDAP structure with a java client (LDAP Browser). Nothing seems to work. You will find 2 screenshots and our smb.conf file : - 01_ad_group_delete.png : a screen form windows, when trying to delete a group. - 02_ad_group_read_entry_from_ldap_browser : a screen from LDAP browser client. When using samba-tool : # sudo samba-tool group show DU\ FLE\ pour\ etud.\ etrangers\ prerecrutement\ \ a\ Paris\ 11 ERROR: Unable to find group "DU FLE pour etud. etrangers prerecrutement a Paris 11" Users ou groups are created from a web interface, using LDAP information from University Paris Saclay. In september, the new University LDAP was a mess with group ID, maybe the problem is coming from there. We tried the dbcheck options : # sudo samba-tool dbcheck --cross-ncs --fix Checking 8681 objects Checked 8681 objects (0 errors) Honestly, I don't know where to start to find some solutions. Some groups can be deleted, some can not. Can you give us some leads ? If you need any informations don't hesitate. Thanks a lot. Best regards.
Created attachment 17233 [details] screenshot from LDAP client
Created attachment 17234 [details] samba configuration file
(In reply to Benoît Tonnerre from comment #2) Please go here: https://apt.van-belle.nl/ Add Louis's repo and use the latest Samba version: 4.15.6 I can create your groupname (using samba-tool), show and delete it using that version.
attaching a screenshot in cases, where bytes and characters may be important is not ideal. You should give plain text information instead. If my eyes don't fool me, I see two spaces in that group name that you have there in that screenshot. In that case, this bug is probably a duplicate of bug 14902.
Sorry for the screenshots. The group name is "DU FLE pour etud. etrangers prerecrutement a Paris 11" and there is two spaces. I tested an other group, and indeed, there is two spaces two : "DUT Informatique 1ere Annee". I will try samba 4.15.6 proposed by Rowland tomorrow. Thank you very much for your advice and your help.
Created attachment 17236 [details] samba tool dbcheck reindex log
Hi, I just upgraded from 4.13.13 to 4.16.5 (from apt.van-belle.nl) and unfortunately, the problems seems to be still there. - samba-tool dbcheck --cross-ncs --fix : still report 0 error. - I checked bug report 14902 and I tried sudo samba-tool dbcheck --reindex and I got many errors (duplicate attribute value / duplicate objectGUID). I attach the result of this command. What do you think, I should do ? Thanks for your advice and your help. Best regards.
Hi, I think I managed to solve the issue somehow. It seems that only two groups were the culprits. "DU FLE pour etud. etrangers prerecrutement a Paris 11" and "LP Materiaux metrologie et instrumentation (GLP2MI-900)" I used samba-tool to recreate the groups (I don't understand why I was able to recreate the exact same group name in the same OU) : # samba-tool group add "LP Materiaux metrologie et instrumentation (GLP2MI-900)" --groupou=OU=groups # samba-tool group add "DU FLE pour etud. etrangers prerecrutement a Paris 11" --groupou=OU=groups At this step, ldbedit showed two reccords for the same group name (I used : ldbedit -e vim -H /var/lib/samba/private/sam.ldb '(cn=DU FLE*)') After that i deleted the groups : # samba-tool group delete "LP Materiaux metrologie et instrumentation (GLP2MI-900)" # samba-tool group delete "DU FLE pour etud. etrangers prerecrutement a Paris 11" Now, samba-tool dbcheck --reindex is working and says "completed re-index OK". I can access my group list members's with Windows and with samba-tool for thoses specific groups.
This very much looks like a duplicate as suggested in comment #4 *** This bug has been marked as a duplicate of bug 14902 ***