Using ldapsam, any RID that contains a letter is truncated at the first letter occurance and returned with that value. For example: dn: gid=accounting,ou=groups,dc=mycompany,dc=com objectClass: posixGroup objectClass: sambaGroupMapping cn: example_group gidNumber: 2771 memberUid: testuser sambaGroupType: 2 sambaSID: S-1-5-21-S-1-5-21-2022155550-1266666646-777777747--ad3 net groupmap returns this listing with a null RID: accounting (S-1-5-21-S-1-5-21-2022155550-1266666646-777777747--0) -> accounting Further, A user with the following: sambaSID: S-1-5-21-S-1-5-21-2022155550-1266666646-777777747-4b0 shows up with the RID truncated at the first letter: pdbedit -L -v -u example_username: Unix username: example_username NT username: example_username Account Flags: [UX ] User SID: S-1-5-21-2022155550-1266666646-777777747-4 Primary Group SID: S-1-5-21-2022155550-1266666646-777777747-513
Indeed, we should fail to parse such a rid and bail out. It is not a valid format.
Given this only happens on incorrect manual ldap backend manipulation, of groups only (users do not suffer this bug) this really is minor
not going to fix this one. Can't prevent everything admins do (but shouldn't) outside of Samba.
database cleanup