Bug 9933 - "net rpc group addmem/delmem" ignores the "managedBy" group attribute
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools
Version: 3.6.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2013-06-06 01:54 UTC by Abraham Alawi (dead mail address)
Modified: 2021-08-05 12:34 UTC
Description Abraham Alawi (dead mail address) 2013-06-06 01:54:35 UTC
"net rpc group addmem/delmem" ignores the "managedBy" group attribute. 

Typically, the AD ACL group has the following attributes:
cn
description
distinguishedName
dSCorePropagationData
gidNumber
groupType
info
instanceType
managedBy
member
name
objectCategory
objectClass
objectGUID
objectSid
sAMAccountName
sAMAccountType
uSNChanged
uSNCreated
whenChanged
whenCreated

The “managedBy” attribute refers to another ACL group that can manage this group (i.e. add/remove users). It looks like "net rpc group addmem/delmem" only makes an LDAP modify request to the AD, so unless you have LDAP write access (e.g. Domain Admin) you won’t be able to modify the group. In other words, it ignores the special “managedBy” attribute.

Thanks,

  -- Abraham
Comment 1 Volker Lendecke 2021-08-05 12:34:20 UTC
"net rpc group" does not use LDAP, it uses the SAMR rpc pipe. But even if we were using LDAP, I don't see why addmem/delmem would have to take care of the managed-by attribute. Metze, correct me if I'm wrong here please....