Bug 361 - add user to globalgroup fails with ldap backend
Summary: add user to globalgroup fails with ldap backend
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.0preX
Hardware: All Linux
: P3 normal
Target Milestone: 3.0.1
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks: 827
  Show dependency treegraph
 
Reported: 2003-08-27 16:39 UTC by Christian A. Moser
Modified: 2005-11-14 09:27 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christian A. Moser 2003-08-27 16:39:15 UTC 
i've discoverd a bug/strange behavior related to the ldap backend and the group
management code.

when i try to add an user to a global group (using the windows user manager for
domains), it always fails with "group cannot be found". if i do the same, but
alter in the same dialog the group description field, it succeeds!

so, after some tracing (using log level = passdb:5), i've discovered that the
only difference in the logs between the two cases are the lines:

FAIL:
[2003/08/27 23:52:42, 4] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2008)
  mods is empty: nothing to do

SUCCEES:
[2003/08/27 23:52:57, 2] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2025)
  successfully modified group 6400 in LDAP

what isnt astonishing in the second case, because i've altered the group
description (but in the first case, i haven't altered the group information).

when i now look at the code line mentioned in the log (passdb/pdb_ldap.c:2008),
i find the debugprint statement and an NT_STATUS_UNSUCCESSFUL return code. so if
i the change the return code for testing to NT_STATUS_OK and recompile the code.
 it seems so that all is functioning properly; i can add the user to the group
without any error.

i also discovered the same behavior when i try to add a new global group without
specifing a group description (the same error message appears). but with the
patched return code, it also seems to function properly.

i am using:

Samba 3.0.0rc1 (using --prefix=/usr/local/samba --without-pam --with-smbmount
--with-libiconv=/usr/local --with-ldap)
Openldap 2.1.22
nss_ldap-207
   only the unix accounts/groups used by samba are stored in the ldap directory,
but they can be found by samba/the system properly
kernel 2.4.20
an updated slackware 7.1

i also tested the behavior against various system setups and permissions to
except  configuration problems.

------------------ MY SMB.CONF -----------------
[global]
        unix charset = ISO8859-15
        workgroup = SOMEDOMORG
        server string = SOMESERVER
        allow trusted domains = No
        passdb backend = ldapsam:ldap://some.server.org
        guest account = smbNouser
        passwd program = /usr/bin/passwd
        restrict anonymous = 1
        client lanman auth = No
        client plaintext auth = No
        log level = 1
        log file = /usr/local/samba/var/log/log.%m
        name resolve order = host wins bcast lmhosts
        time server = Yes
        max smbd processes = 100
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        add user script = /usr/local/samba/scripts/ldap_addsambauser.sh %u 5300 5600
        delete user script = /usr/local/samba/scripts/ldap_deleteuser.sh %u
        add group script = /usr/local/samba/scripts/ldap_addgroup.sh '%g' 5200
        delete group script = /usr/local/samba/scripts/ldap_deletegroup.sh '%g'
        add user to group script =
/usr/local/samba/scripts/ldap_addusertogroup.sh %u '%g'
        delete user from group script =
/usr/local/samba/scripts/ldap_removeuserfromgroup.sh %u '%g'
        set primary group script =
/usr/local/samba/scripts/ldap_setprimarygroup.sh %u '%g'
        add machine script = /usr/local/samba/scripts/ldap_addtrustuser.sh %u
5000 5000
        logon path = \\%N\profiles\%U\.winprofile
        logon drive = z:
        logon home = \\%N\profiles\%U
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap suffix = dc=some,dc=domain,dc=org
        ldap machine suffix = ou=computers,dc=some,dc=domain,dc=org
        ldap user suffix = ou=users,dc=some,dc=domain,dc=org
        ldap group suffix = ou=groups,dc=some,dc=domain,dc=org
        ldap idmap suffix = dc=some,dc=domain,dc=org
        ldap admin dn = cn=root,dc=some,dc=domain,dc=org
        ldap ssl = start tls
        ldap trust ids = Yes
        ldap delete dn = Yes
        host msdfs = Yes
        idmap uid = 5650-5999
        idmap gid = 5650-5999
        template primary group = 
        template homedir = /storage/samba/profiles/%U
        valid users = @smbGuests, @smbAdmins, @smbUsers, @smbDomAdm, @smbDomUsr,
@smbDomGst
        create mask = 0755
        hosts allow = 10.0.1.
        print command = lpr -l -r -P%p %s
        hide special files = Yes
        map system = Yes
        map hidden = Yes
        strict locking = No
        dos filemode = Yes
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-11-28 04:41:36 UTC 
should be fixed in latest SAMBA_3_0 cvs
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:06:21 UTC 
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:23:55 UTC 
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:27:57 UTC 
database cleanup