i've discovered a bug/strange behavior related to the ldap backend and the group management code. when i try to add a user to a global group (using the windows user manager for domains), it always fails with "group cannot be found". if i do the same, but alter in the same dialog the group description field, it succeeds!

so, after some tracing (using log level = passdb:5), i've discovered that the only difference in the logs between the two cases are the lines:

FAIL:
  [2003/08/27 23:52:42, 4] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2008)
    mods is empty: nothing to do

SUCCESS:
  [2003/08/27 23:52:57, 2] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2025)
    successfully modified group 6400 in LDAP

which isn't astonishing in the second case, because i've altered the group description (but in the first case, i haven't altered the group information).

when i now look at the code line mentioned in the log (passdb/pdb_ldap.c:2008), i find the debugprint statement and an NT_STATUS_UNSUCCESSFUL return code. so if i change the return code for testing to NT_STATUS_OK and recompile the code, it seems that all is functioning properly; i can add the user to the group without any error.

i also discovered the same behavior when i try to add a new global group without specifying a group description (the same error message appears). but with the patched return code, it also seems to function properly.

i am using:
  Samba 3.0.0rc1 (using --prefix=/usr/local/samba --without-pam --with-smbmount --with-libiconv=/usr/local --with-ldap)
  Openldap 2.1.22
  nss_ldap-207
  only the unix accounts/groups used by samba are stored in the ldap directory, but they can be found by samba/the system properly
  kernel 2.4.20
  an updated slackware 7.1

i also tested the behavior against various system setups and permissions to exclude configuration problems.
------------------ MY SMB.CONF -----------------
[global]
  unix charset = ISO8859-15
  workgroup = SOMEDOMORG
  server string = SOMESERVER
  allow trusted domains = No
  passdb backend = ldapsam:ldap://some.server.org
  guest account = smbNouser
  passwd program = /usr/bin/passwd
  restrict anonymous = 1
  client lanman auth = No
  client plaintext auth = No
  log level = 1
  log file = /usr/local/samba/var/log/log.%m
  name resolve order = host wins bcast lmhosts
  time server = Yes
  max smbd processes = 100
  socket options = IPTOS_LOWDELAY TCP_NODELAY
  add user script = /usr/local/samba/scripts/ldap_addsambauser.sh %u 5300 5600
  delete user script = /usr/local/samba/scripts/ldap_deleteuser.sh %u
  add group script = /usr/local/samba/scripts/ldap_addgroup.sh '%g' 5200
  delete group script = /usr/local/samba/scripts/ldap_deletegroup.sh '%g'
  add user to group script = /usr/local/samba/scripts/ldap_addusertogroup.sh %u '%g'
  delete user from group script = /usr/local/samba/scripts/ldap_removeuserfromgroup.sh %u '%g'
  set primary group script = /usr/local/samba/scripts/ldap_setprimarygroup.sh %u '%g'
  add machine script = /usr/local/samba/scripts/ldap_addtrustuser.sh %u 5000 5000
  logon path = \\%N\profiles\%U\.winprofile
  logon drive = z:
  logon home = \\%N\profiles\%U
  domain logons = Yes
  os level = 65
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  ldap suffix = dc=some,dc=domain,dc=org
  ldap machine suffix = ou=computers,dc=some,dc=domain,dc=org
  ldap user suffix = ou=users,dc=some,dc=domain,dc=org
  ldap group suffix = ou=groups,dc=some,dc=domain,dc=org
  ldap idmap suffix = dc=some,dc=domain,dc=org
  ldap admin dn = cn=root,dc=some,dc=domain,dc=org
  ldap ssl = start tls
  ldap trust ids = Yes
  ldap delete dn = Yes
  host msdfs = Yes
  idmap uid = 5650-5999
  idmap gid = 5650-5999
  template primary group =
  template homedir = /storage/samba/profiles/%U
  valid users = @smbGuests, @smbAdmins, @smbUsers, @smbDomAdm, @smbDomUsr, @smbDomGst
  create mask = 0755
  hosts allow = 10.0.1.
  print command = lpr -l -r -P%p %s
  hide special files = Yes
  map system = Yes
  map hidden = Yes
  strict locking = No
  dos filemode = Yes

should be fixed in latest SAMBA_3_0 cvs
originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
database cleanup