samba-tool group removemembers returns success even if it should fail if the primary group of the member to remove is also the group from which we try to remove the member from. Steps to Reproduce: Create a user using samba-tool (eg. samba-tool user add test01), that user will get the group "Domain Users" as it's primary group by default. Try to remove the user from the "Domain Users" group (eg. samba-tool group removemembers "Domain Users" test01) Expected Result: samba-tool should refuse to remove the user from it's primary group with an error message. Actual Result: samba-tool claims the user has been removed (eg. "Removed members from group Domain Users") but in fact it has not.
OK. It look like we don't even consider the primary group here. I guess we could check for that in the case where nothing has happened (i.e. in SamDB.add_remove_group_members() the group members don't overlap with the listed members, but the group and listed members do exist).
(In reply to Douglas Bagnall from comment #1) It is fairly easy: Get the users primaryGroupID, cat that onto the end of the domain SID and compare with the groups objectSid, if they match, print a message along the lines of 'sorry, you cannot do that'.