The Samba-Bugzilla – Bug 6466
ADUC: Group membership not correctly displayed
Last modified: 2009-08-12 04:33:22 UTC
When creating a new user in Samba4 via ADUC, they are not being added automatically to Domain Users.
You have to do it manually.
Using Debian Lenny AMD64, Samba4 Pre-Alpha 8, OpenLDAP 2.4.16
I think that's the "member"/"memberOf" attributes issue. We'll have to wait until it's implemented correctly.
Don't worry, when it comes to checking rights for group Domain Users, group membership works.
I just dug into an email from tridge in 2005:
And rechecked against a Samba4 and a W2K3 server.
It appears that when browsing Domain Users in W2K3 and S4 they **look** the same.
But of course when using ADUC it's different, as W2K3 correctly displays the users as members of the group.
I suppose that there is a subtle difference, the best is to trace this with wireshark in order to see what's going on ...
I've done so and found some information.
At the beginning, missing display specifiers were blocking ADUC from performing some requests.
Then it turns out that ADUC performs two kinds of search for group membership:
* searching the whole subtree for object with attribute primaryGroupID=xxx and samAccountType < 805306369
* searching the group for attribute member
With XP against a recent (8 June 2009 changeset) Samba4, ADUC is using xxx=0, which of course didn't return a good result (it should be 513, for instance, for the Domain Users group).
We could think that it's an ADUC problem, but as it's working against W2K3, it's definitely something returned by Samba4 that is not exactly like W2K3 and fools ADUC.
I suggest that the title should be changed to something like: "group membership not correctly displayed in ADUC"
It turns out that the problem is that Samba does not support (yet) the primaryGroupToken that is used by ADUC to get the id of the group (it's its RID).
And from this value ADUC then does a search in the whole directory to find users of this group (that is, users which have this RID as the value of their primaryGroupID attribute).
I managed to see correctly the group membership of Domain Users by editing the ldb and adding the attribute primaryGroupToken with a value of 513.
The solution to this problem is NOT to add this attribute to the different groups but to implement a calculated-only attribute that gets the RID as its value.
This article http://support.microsoft.com/?scid=kb%3Ben-us%3B321360&x=17&y=15 explains that it's done this way in windows server.
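Added example, not from this bug thread or Samba's code: it derives primaryGroupToken from a group's objectSid (string and binary forms) and replays the two ADUC searches described above over constructed entries, including the token=0 case that left Domain Users looking empty. The domain SID, DNs and attribute values are all made up; the LDAP filter spelling is my assumption of how a "< 805306369" test is expressed.

```python
# Constructed example of the two ADUC lookups described above (not Samba code).
# Every SID and directory entry below is made up for illustration.
import struct

SAM_USER_OBJECT = 805306368      # sAMAccountType of a normal user account
SAM_MACHINE_ACCOUNT = 805306369  # first value excluded by ADUC's "< 805306369" test

def primary_group_token(object_sid: str) -> int:
    """Constructed attribute: the group's RID, the last sub-authority of its objectSid."""
    if not object_sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {object_sid}")
    return int(object_sid.rsplit("-", 1)[1])

def primary_group_token_from_binary(sid: bytes) -> int:
    """Same from binary objectSid: revision, count, 6-byte authority, LE uint32 sub-authorities."""
    revision, count = sid[0], sid[1]
    if revision != 1 or count == 0 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]

def aduc_member_filter(token: int) -> str:
    """Filter for search 1. RFC 4515 has no '<', so '< N' is spelled NOT '>= N'."""
    return f"(&(primaryGroupID={token})(!(sAMAccountType>={SAM_MACHINE_ACCOUNT})))"

def aduc_membership(group: dict, entries: list, token=None) -> list:
    """Union of both searches. token=None reads primaryGroupToken; pass 0 to mimic the bug."""
    if token is None:
        token = primary_group_token(group["objectSid"])
    by_primary = {e["dn"] for e in entries
                  if e.get("primaryGroupID") == token and e["sAMAccountType"] < SAM_MACHINE_ACCOUNT}
    explicit = set(group.get("member", []))
    return sorted(by_primary | explicit)

DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DOMAIN_USERS = {"dn": "CN=Domain Users,CN=Users,DC=example,DC=test",
                "objectSid": DOMAIN_SID + "-513",
                "member": ["CN=svc,CN=Users,DC=example,DC=test"]}
ENTRIES = [  # alice: primary group only; svc: explicit member only; PC1: machine account, filtered out
    {"dn": "CN=alice,CN=Users,DC=example,DC=test", "primaryGroupID": 513, "sAMAccountType": SAM_USER_OBJECT},
    {"dn": "CN=svc,CN=Users,DC=example,DC=test", "primaryGroupID": 514, "sAMAccountType": SAM_USER_OBJECT},
    {"dn": "CN=PC1,CN=Computers,DC=example,DC=test", "primaryGroupID": 513, "sAMAccountType": SAM_MACHINE_ACCOUNT},
]

if __name__ == "__main__":
    print(aduc_member_filter(primary_group_token(DOMAIN_USERS["objectSid"])))
    print(aduc_membership(DOMAIN_USERS, ENTRIES))     # alice via primaryGroupID, svc via member
    print(aduc_membership(DOMAIN_USERS, ENTRIES, 0))  # with token 0, as ADUC saw it against Samba4: svc only
```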
Good, if you prefer that kind of title, we are also fine!
My apologies for not posting the results of my research into this bug earlier. It would have saved Matthieu from doing redundant research.
I also determined the key attribute in this case is primaryGroupToken. I had an IRC conversation (http://samba.sernet.de/irclog/2009/06/20090612-Fri.log) with abartlet regarding handling "constructed attributes" in a generic sense - not just for primaryGroupToken.
I am currently working on the implementation, and have primaryGroupToken working (mostly). I have discovered some behavioral differences between S4 and AD that I need to work through, and then I need to implement the other constructed attributes that are currently needed.
As soon as I have a working baseline, I will post here for review.
Andrew Kroeger, how far are you with your patch?
Fixed through a patch from me.