The Samba-Bugzilla – Bug 361
add user to globalgroup fails with ldap backend
Last modified: 2005-11-14 09:27:57 UTC
i've discovered a bug/strange behavior related to the ldap backend and the group
when i try to add an user to a global group (using the windows user manager for
domains), it always fails with "group cannot be found". if i do the same, but
alter in the same dialog the group description field, it succeeds!
so, after some tracing (using log level = passdb:5), i've discovered that the
only difference in the logs between the two cases are the lines:
[2003/08/27 23:52:42, 4] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2008)
mods is empty: nothing to do
[2003/08/27 23:52:57, 2] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2025)
successfully modified group 6400 in LDAP
what isn't astonishing in the second case, because i've altered the group
description (but in the first case, i haven't altered the group information).
when i now look at the code line mentioned in the log (passdb/pdb_ldap.c:2008),
i find the debugprint statement and an NT_STATUS_UNSUCCESSFUL return code. so if
i then change the return code for testing to NT_STATUS_OK and recompile the code,
it seems so that all is functioning properly; i can add the user to the group
without any error.
i also discovered the same behavior when i try to add a new global group without
specifying a group description (the same error message appears). but with the
patched return code, it also seems to function properly.
i am using:
Samba 3.0.0rc1 (using --prefix=/usr/local/samba --without-pam --with-smbmount
only the unix accounts/groups used by samba are stored in the ldap directory,
but they can be found by samba/the system properly
an updated slackware 7.1
i also tested the behavior against various system setups and permissions to
except configuration problems.
------------------ MY SMB.CONF -----------------
unix charset = ISO8859-15
workgroup = SOMEDOMORG
server string = SOMESERVER
allow trusted domains = No
passdb backend = ldapsam:ldap://some.server.org
guest account = smbNouser
passwd program = /usr/bin/passwd
restrict anonymous = 1
client lanman auth = No
client plaintext auth = No
log level = 1
log file = /usr/local/samba/var/log/log.%m
name resolve order = host wins bcast lmhosts
time server = Yes
max smbd processes = 100
socket options = IPTOS_LOWDELAY TCP_NODELAY
add user script = /usr/local/samba/scripts/ldap_addsambauser.sh %u 5300 5600
delete user script = /usr/local/samba/scripts/ldap_deleteuser.sh %u
add group script = /usr/local/samba/scripts/ldap_addgroup.sh '%g' 5200
delete group script = /usr/local/samba/scripts/ldap_deletegroup.sh '%g'
add user to group script = /usr/local/samba/scripts/ldap_addusertogroup.sh %u '%g'
delete user from group script = /usr/local/samba/scripts/ldap_removeuserfromgroup.sh %u '%g'
set primary group script = /usr/local/samba/scripts/ldap_setprimarygroup.sh %u '%g'
add machine script = /usr/local/samba/scripts/ldap_addtrustuser.sh %u
logon path = \\%N\profiles\%U\.winprofile
logon drive = z:
logon home = \\%N\profiles\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap suffix = dc=some,dc=domain,dc=org
ldap machine suffix = ou=computers,dc=some,dc=domain,dc=org
ldap user suffix = ou=users,dc=some,dc=domain,dc=org
ldap group suffix = ou=groups,dc=some,dc=domain,dc=org
ldap idmap suffix = dc=some,dc=domain,dc=org
ldap admin dn = cn=root,dc=some,dc=domain,dc=org
ldap ssl = start tls
ldap trust ids = Yes
ldap delete dn = Yes
host msdfs = Yes
idmap uid = 5650-5999
idmap gid = 5650-5999
template primary group =
template homedir = /storage/samba/profiles/%U
valid users = @smbGuests, @smbAdmins, @smbUsers, @smbDomAdm, @smbDomUsr,
create mask = 0755
hosts allow = 10.0.1.
print command = lpr -l -r -P%p %s
hide special files = Yes
map system = Yes
map hidden = Yes
strict locking = No
dos filemode = Yes
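The return-code behaviour described in the report above, modelled as an added C example; it is not Samba's source and not part of the original report. The status codes, struct, function names and group strings are hypothetical stand-ins; only the gid 6400 is taken from the log.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes standing in for Samba's NTSTATUS values. */
typedef enum { ST_OK, ST_UNSUCCESSFUL } status_t;

/* Constructed stand-in for a group mapping entry (not Samba's own type). */
struct group_entry { unsigned gid; const char *name, *comment; };

static int directory_writes; /* counts simulated LDAP modify calls */

/* Collect the attributes that differ; zero is the "mods is empty" case. */
static size_t build_mods(const struct group_entry *stored,
                         const struct group_entry *wanted, const char *mods[2])
{
    size_t n = 0;
    if (strcmp(stored->name, wanted->name) != 0)
        mods[n++] = "name";
    if (strcmp(stored->comment, wanted->comment) != 0)
        mods[n++] = "comment";
    return n;
}

/* empty_is_ok = 0 models the reported behaviour, 1 the tested change. */
status_t update_group_entry(const struct group_entry *stored,
                            const struct group_entry *wanted, int empty_is_ok)
{
    const char *mods[2];
    size_t n = build_mods(stored, wanted, mods);
    if (n == 0) /* nothing to write: the directory already matches */
        return empty_is_ok ? ST_OK : ST_UNSUCCESSFUL;
    directory_writes++; /* a real backend would send the modify here */
    return ST_OK;
}

int main(void)
{
    struct group_entry stored = { 6400, "constructed-group", "old text" };
    struct group_entry edited = { 6400, "constructed-group", "new text" };
    printf("no-op, reported: %d\n", update_group_entry(&stored, &stored, 0));
    printf("no-op, changed:  %d\n", update_group_entry(&stored, &stored, 1));
    printf("edited:          %d\n", update_group_entry(&stored, &edited, 0));
    return 0;
}
```

In both variants an unchanged entry causes no directory write; the only difference is whether the caller sees the no-op as a failure.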
should be fixed in latest SAMBA_3_0 cvs
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.