Bug 4845 - Setting the groups of new AD objects
Status: RESOLVED INVALID
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
Duplicates: 4909
Reported: 2007-07-31 04:08 UTC by Matthias Dieter Wallnöfer
Modified: 2008-12-25 17:12 UTC (History)
Description Matthias Dieter Wallnöfer 2007-07-31 04:08:29 UTC
- When I add a user account, it isn't added to "Domain Users" (at least I can't notice a change in the "Domain Users" object "members" attribute) - User Manager does this right
- But new workstations (also when joining) and new domain controllers should also be added automatically to "Domain Computers" and "Domain Controllers" using the "member" attribute. In my opinion it isn't sufficient to set only the "primaryGroupID".
(from bug 4815)
Comment 1 Matthias Dieter Wallnöfer 2007-11-04 13:25:27 UTC
Have you checked this, Andrew?
Comment 2 Andrew Bartlett 2007-11-04 16:24:09 UTC
Interestingly, this does not occur over LDAP (for computers or users). 

This will need a test that cross-references LDAP with RPC. 
Comment 3 Andrew Bartlett 2008-01-07 15:07:22 UTC
*** Bug 4909 has been marked as a duplicate of this bug. ***
Comment 4 Matthias Dieter Wallnöfer 2008-03-13 12:59:59 UTC
Update: This doesn't seem to work yet:

- New workstations (also when joining) and new domain controllers should also be added automatically to "Domain Computers" and "Domain Controllers" using the "member" attribute. In my opinion it isn't sufficient to set only the "primaryGroupID".
- When adding a user account using User Manager, the "memberOf" attribute of the new user is set to "Domain Users". This shouldn't be necessary anymore. When I open the "Members" tab in the properties in ADUC, I notice "Domain Users" twice.
Comment 5 Matthias Dieter Wallnöfer 2008-08-02 08:27:02 UTC
Andrew, this isn't solved yet. We should correct our behaviour here.
Comment 6 Matthias Dieter Wallnöfer 2008-12-25 16:34:11 UTC
According to http://msdn.microsoft.com/en-us/library/ms677943(VS.85).aspx I've been wrong here until now (a user generally doesn't have to be inserted as "member" in his primary group). So the behaviour of "User Manager for Domains" (which does that) is incorrect.
Comment 7 Matthias Dieter Wallnöfer 2008-12-25 17:12:10 UTC
According to a Wireshark trace, the "User Manager for Domains" adds the user to his primary group when it doesn't find the primary group membership through http://msdn.microsoft.com/en-us/library/cc245815(PROT.10).aspx (SamrGetGroupsForUser). If I understood it right, the latter call doesn't return the primary group (only "member" group memberships).
So we have a fault here in the "User Manager" and not in Samba. Closing it as INVALID.
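The conclusion of this thread (primary-group membership is carried by "primaryGroupID", not by the group's "member" attribute) matters for any group-membership audit that reads only "member". The following is an added example, not part of the original bug report or of Samba's code: it resolves effective membership from both sources and flags objects that are redundantly listed in their own primary group. The directory entries, DNs and domain SID are constructed, and all function names are hypothetical.

```python
# Added example. All directory data below is constructed for illustration.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "CN=Users,DC=example,DC=com"
ALICE, BOB, WS1 = f"CN=alice,{BASE}", f"CN=bob,{BASE}", f"CN=WS1,{BASE}"
DOMAIN_USERS = f"CN=Domain Users,{BASE}"
DOMAIN_COMPUTERS = f"CN=Domain Computers,{BASE}"
STAFF = f"CN=Staff,{BASE}"

GROUPS = {
    # bob is also written into "member" explicitly, the behaviour the
    # thread attributes to User Manager.
    DOMAIN_USERS: {"objectSid": f"{DOMAIN_SID}-513", "member": [BOB]},
    DOMAIN_COMPUTERS: {"objectSid": f"{DOMAIN_SID}-515", "member": []},
    STAFF: {"objectSid": f"{DOMAIN_SID}-1105", "member": [ALICE]},
}
ENTRIES = {
    ALICE: {"objectSid": f"{DOMAIN_SID}-1001", "primaryGroupID": 513},
    BOB: {"objectSid": f"{DOMAIN_SID}-1002", "primaryGroupID": 513},
    WS1: {"objectSid": f"{DOMAIN_SID}-1003", "primaryGroupID": 515},
}

def primary_group_sid(entry):
    """Domain part of the object's SID with the primaryGroupID RID appended."""
    domain_sid = entry["objectSid"].rsplit("-", 1)[0]
    return f"{domain_sid}-{entry['primaryGroupID']}"

def member_groups(dn, groups):
    """Groups that list dn in 'member' (what a member-only audit sees)."""
    return {g for g, e in groups.items() if dn in e["member"]}

def primary_group(dn, entries, groups):
    """DN of the group whose SID matches the object's primary group SID."""
    sid = primary_group_sid(entries[dn])
    return next((g for g, e in groups.items() if e["objectSid"] == sid), None)

def effective_groups(dn, entries, groups):
    """Union of 'member'-based groups and the primary group."""
    result = member_groups(dn, groups)
    pg = primary_group(dn, entries, groups)
    if pg is not None:
        result.add(pg)
    return result

def redundant_primary_members(entries, groups):
    """Objects listed in 'member' of their own primary group."""
    return sorted(dn for dn in entries
                  if primary_group(dn, entries, groups) in member_groups(dn, groups))

if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, sorted(effective_groups(dn, ENTRIES, GROUPS)))
    print("redundant:", redundant_primary_members(ENTRIES, GROUPS))
```
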