Bug 6466 - ADUC: Group membership not correctly displayed
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Tools
Version: unspecified
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
Matthias Dieter Wallnöfer
Depends on:
Blocks: 6562 6600
Reported: 2009-06-11 07:29 UTC by sassy.natan
Modified: 2009-08-12 04:33 UTC
Description sassy.natan 2009-06-11 07:29:26 UTC
When creating a new user in Samba4 via ADUC, they are not being added automatically to Domain Users.

You have to do it manually.

Using Debian Lenny AMD64, Samba4 Pre-Alpha 8, OpenLDAP 2.4.16
Comment 1 Matthias Dieter Wallnöfer 2009-06-13 13:05:08 UTC
I think that's the "member"/"memberOf" attributes issue. We'll have to wait until it's implemented correctly.
Comment 2 Matthieu Patou 2009-06-13 16:54:37 UTC
Don't worry, when it comes to checking rights for the group Domain Users, group membership works.

I just dug into an email from tridge in 2005:
http://lists.samba.org/archive/samba-technical/2005-August/042541.html

And rechecked against a samba4 and a w2k3 server.
It appears that when browsing Domain Users in w2k3 and s4 they **look** the same.
But of course when using ADUC it's different, as w2k3 correctly displays the users as members of the group.

I suppose there is a subtle difference; the best is to trace this with Wireshark in order to see what's going on ...
Comment 3 Matthieu Patou 2009-06-20 06:07:53 UTC
I've done it and found some information.
At the beginning, missing display specifiers were blocking ADUC from performing some requests.

Then it turns out that ADUC performs two kinds of search for group membership:

* searching the whole subtree for objects with attribute primaryGroupID=xxx and sAMAccountType < 805306369
* searching the group for the attribute member

With XP against a recent (8 June 2009 changeset) samba4, ADUC is using xxx=0, which of course didn't return good results (it should be 513, for instance, for the Domain Users group).

We could think that it's an ADUC problem, but as it's working against w2k3, it's definitely something returned by samba4 that is not exactly as w2k3 and it fools ADUC.
Comment 4 Matthieu Patou 2009-06-20 09:56:16 UTC
I suggest that the title should be changed to something like: "group membership not correctly displayed in ADUC"

It turns out that the problem is that Samba does not support (yet) the primaryGroupToken that is used by ADUC to get the id of the group (it's its RID).
And from this value ADUC then does a search in the whole directory to find the users of this group (that is, users which have this RID as the value of their primaryGroupID attribute).

I managed to correctly see the group membership of Domain Users by editing the ldb and adding the attribute primaryGroupToken with a value of 513.

The solution to this problem is NOT to add this attribute to different groups but to implement a calculated-only attribute that gets the value of the RID as its value.

This article http://support.microsoft.com/?scid=kb%3Ben-us%3B321360&x=17&y=15 explains that it's done this way in Windows Server.
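The mechanism described in comments 3 and 4 (primaryGroupToken derived from the group's objectSid, then ADUC's two searches), shown as an added example that is not Samba's or Microsoft's code; the directory entries, DNs and SIDs are constructed sample data:

```python
"""Added example (not Samba code): resolve group membership the way ADUC does,
per comments 3 and 4, over a constructed sample directory."""
import struct

# sAMAccountType values below this are user-type accounts (the page's filter bound).
SAM_ACCOUNT_TYPE_BOUND = 805306369

def make_sid(*subs: int) -> bytes:
    """Encode S-1-5-<subs...> as a binary SID (constructed sample data only)."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID: revision, count, 48-bit BE authority, LE sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def primary_group_token(group: dict) -> int:
    """Constructed primaryGroupToken: the RID, the last sub-authority of objectSid."""
    count = group["objectSid"][1]
    return struct.unpack_from("<I", group["objectSid"], 8 + 4 * (count - 1))[0]

def aduc_members(group: dict, directory: list) -> set:
    """Union of ADUC's two searches: primaryGroupID == token with a user-type
    sAMAccountType, plus the DNs in the group's member attribute."""
    token = primary_group_token(group)
    by_primary = {e["dn"] for e in directory
                  if e.get("primaryGroupID") == token
                  and e.get("sAMAccountType", 0) < SAM_ACCOUNT_TYPE_BOUND}
    return by_primary | set(group.get("member", []))

# Constructed sample directory (domain SID S-1-5-21-1-2-3); primaryGroupToken is
# never stored on the group, only computed from objectSid.
BASE = "CN=Users,DC=example,DC=test"
DOMAIN_USERS = {"dn": "CN=Domain Users," + BASE, "objectSid": make_sid(21, 1, 2, 3, 513),
                "member": ["CN=carol," + BASE]}
DIRECTORY = [
    DOMAIN_USERS,
    {"dn": "CN=alice," + BASE, "objectSid": make_sid(21, 1, 2, 3, 1105),
     "primaryGroupID": 513, "sAMAccountType": 805306368},  # normal user: matched
    {"dn": "CN=pc1," + BASE, "objectSid": make_sid(21, 1, 2, 3, 1106),
     "primaryGroupID": 513, "sAMAccountType": 805306369},  # machine account: excluded by bound
    {"dn": "CN=carol," + BASE, "objectSid": make_sid(21, 1, 2, 3, 1107),
     "primaryGroupID": 512, "sAMAccountType": 805306368},  # listed only via member
]
```

Against this sample, `aduc_members(DOMAIN_USERS, DIRECTORY)` returns alice (via primaryGroupID 513) and carol (via member), while the machine account is dropped by the sAMAccountType bound.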
Comment 5 Matthias Dieter Wallnöfer 2009-06-20 13:23:00 UTC
Good, if you prefer that kind of title, we are also fine!
Comment 6 Andrew Kroeger 2009-06-23 12:00:26 UTC
My apologies for not posting the results of my research into this bug earlier.  It would have saved Matthieu from doing redundant research.

I also determined the key attribute in this case is primaryGroupToken.  I had an IRC conversation (http://samba.sernet.de/irclog/2009/06/20090612-Fri.log) with abartlet regarding handling "constructed attributes" in a generic sense - not just for primaryGroupToken.

I am currently working on the implementation, and have primaryGroupToken working (mostly).  I have discovered some behavioral differences between S4 and AD that I need to work through, and then I need to implement the other constructed attributes that are currently needed.

As soon as I have a working baseline, I will post here for review.
Comment 7 Matthias Dieter Wallnöfer 2009-07-08 08:38:19 UTC
Andrew Kroeger, how far are you with your patch?
Comment 8 Matthias Dieter Wallnöfer 2009-08-12 04:33:22 UTC
Fixed through a patch from me.