Samba4 primaryGroupID problem

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Thu May 3 05:15:27 MDT 2012


On 02/05/12 18:44, steve wrote:
> On 02/05/12 17:24, Matthias Dieter Wallnöfer wrote:
>> Hi steve,
>>
>> the question is how you are performing the modifications. It seems that
>> somehow our SAMDB LDB modules get omitted.
>>
>> Could it be that you are using operations like "ldbmodify"/"ldbedit" -H
>> /usr/local/samba/private/sam.ldb.d/<something>.ldb? The files under
>> "sam.ldb.d" are the real (internal) data files of our AD-like database
>> and should *never* be accessed directly unless you know what you are
>> doing.
>>
>> Hence please always access using the "sam.ldb" file directly under the
>> "private" directory (as "root") or the IP address with administrator
>> user+password as a "-H" parameter. For other name contexts (schema,
>> configuration) you need to provide the appropriate "-b" argument as well.
>>
>> Summed up it is a serious issue. You might also try to do a complete s4
>> rebuild if the problem persists.
>>
>> Cheers,
>> Matthias Wallnöfer
>>
> Hi Matthias
>
> We're not accessing files in sam.ldb.d
>
> The LDAP is accessed in as correct a way as possible:
>
> ldbmodify --url=ldap://$host --krb5-ccache=$ccache
> dn: cn=$2,cn=Users,$basedn
> changetype: modify
> replace: primaryGroupID
> primaryGroupID: $primarygid
>
> I think that's the correct way.
>
> Examples would be:
> $host hh1.hh3.site
> $ccache /tmp/krb5cc_0
> $2 steve2
> $basedn dc=hh3,dc=site
> $primarygid 1118 (cut as the last field of the SID of laser)
>
> The primaryGroupID is changed fine. It's just worrying to have to run
> dbcheck --fix afterward.
>
> Reproduced on two separate builds: Ubuntu 12.04, of 2 days ago and
> openSUSE 12.1 built over 2 weeks ago. I shall try new git and rebuild too.
>
> Cheers,
> Steve

Hi Matthias, Steve
I have run some tests on Version 4.0.0alpha21-GIT-afa1d22 and noticed the problem too. Below is a test case scenario that I have used:

./samba-tool user add bar --random-password --userou='OU=Domain Users' -H ldap://myS4dc -k yes -U Administrator
User 'bar' created successfully
./samba-tool dbcheck
Checking 343 objects
Checked 343 objects (0 errors)

./samba-tool group add bargroup --groupou='OU=Domain Groups' -H ldap://myS4dc -k yes -U Administrator
Added group bargroup
./samba-tool dbcheck
Checking 344 objects
Checked 344 objects (0 errors)

./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
# record 1
dn: CN=bar,OU=Domain Users,DC=X
primaryGroupID: 513

./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
# record 1
dn: CN=bargroup,OU=Domain Groups,DC=X
objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135

./samba-tool group addmembers bargroup bar -H ldap://myS4dc -k yes -U Administrator
Added members to group bargroup
./samba-tool dbcheck
Checking 344 objects
Checked 344 objects (0 errors)

./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
# record 1
dn: CN=bargroup,OU=Domain Groups,DC=X
objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
member: CN=bar,OU=Domain Users,DC=X

./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
# record 1
dn: CN=bar,OU=Domain Users,DC=X
primaryGroupID: 513
memberOf: CN=bargroup,OU=Domain Groups,DC=X

./ldbedit -H ldap://myS4dc -k yes '(CN=bar)'
Changed primaryGroupID to 1131 (RID of bargroup)
# 0 adds  1 modifies  0 delete

./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
# record 1
dn: CN=bar,OU=Domain Users,DC=X
memberOf: CN=Domain Users,CN=Users,DC=X
primaryGroupID: 1135

./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
# record 1
dn: CN=bargroup,OU=Domain Groups,DC=X
objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135

But
./samba-tool dbcheck
Checking 344 objects
ERROR: orphaned backlink attribute 'memberOf' in CN=bar,OU=Domain Users,DC=X for link member in CN=Domain Users,CN=Users,DC=X
Not removing orphaned backlink member
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=X - <GUID=762c38c2-f7c7-4915-87f0-bf189abb553e>;CN=bar,OU=Domain Users,DC=X
Not fixing incorrect string version of DN
./samba-tool dbcheck --fix
./samba-tool dbcheck
Checking 344 objects
Checked 344 objects (0 errors)


./ldbedit -H ldap://myS4dc -k yes '(CN=bar)'
Changed primaryGroupID to 513 (RID of Domain Users)
# 0 adds  1 modifies  0 deletes

./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
# record 1
dn: CN=bar,OU=Domain Users,DC=X
memberOf: CN=bargroup,OU=Domain Groups,DC=X
primaryGroupID: 513

./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
# record 1
dn: CN=bargroup,OU=Domain Groups,DC=X
objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
member: CN=bar,OU=Domain Users,DC=X

But again:
./samba-tool dbcheck
Checking 344 objects
ERROR: orphaned backlink attribute 'memberOf' in CN=bar,OU=Domain Users,DC=X for link member in CN=bargroup,OU=Domain Groups,DC=X
Not removing orphaned backlink member
ERROR: incorrect DN string component for member in object CN=bargroup,OU=Domain Groups,DC=X - <GUID=762c38c2-f7c7-4915-87f0-bf189abb553e>;CN=bar,OU=Domain Users,DC=X
Not fixing incorrect string version of DN


So it seems that the corruption happens when the primaryGroupID is changed (although visually inspecting the attributes does not indicate the problem, i.e. member/memberOf and primaryGroupID are modified/removed correctly).

I have tested this using operations directly on sam.ldb (using -H /usr/local/samba/private/sam.ldb) and also using AD Users and Computers, and the problem happens exactly in the same place (when the primaryGroupID is changed).

HTH

L
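To make the link bookkeeping in the test case above concrete, here is an added Python model (not Samba's code) of how an AD primaryGroupID change is supposed to move the explicit member/memberOf pair between the old and new primary group, together with a dbcheck-style pass that flags an orphaned backlink. The class and method names and the constructed directory contents are assumptions; the RIDs (513, 1135) and the domain SID are taken from the thread.

```python
# Added example, not Samba code: toy model of AD primaryGroupID semantics
# plus a dbcheck-style member/memberOf consistency check.
# Constructed data: user 'bar', groups 'Domain Users' (RID 513) and
# 'bargroup' (RID 1135); domain SID copied from the thread's objectSid.
DOMAIN_SID = "S-1-5-21-2098455588-1089388874-3731015120"


class Directory:
    def __init__(self):
        self.users = {}   # dn -> {"primaryGroupID": int, "memberOf": set}
        self.groups = {}  # dn -> {"objectSid": str, "member": set}

    def add_group(self, dn, rid):
        self.groups[dn] = {"objectSid": f"{DOMAIN_SID}-{rid}", "member": set()}

    def add_user(self, dn, primary_rid=513):
        # Membership in the primary group is implied by primaryGroupID and is
        # never stored as an explicit member/memberOf link.
        self.users[dn] = {"primaryGroupID": primary_rid, "memberOf": set()}

    def group_dn_by_rid(self, rid):
        for dn, g in self.groups.items():
            if int(g["objectSid"].rsplit("-", 1)[1]) == rid:
                return dn
        raise KeyError(f"no group with RID {rid}")

    def add_member(self, group_dn, user_dn):
        # Forward link on the group and backlink on the user, kept in step.
        self.groups[group_dn]["member"].add(user_dn)
        self.users[user_dn]["memberOf"].add(group_dn)

    def set_primary_group_id(self, user_dn, new_rid):
        old_dn = self.group_dn_by_rid(self.users[user_dn]["primaryGroupID"])
        new_dn = self.group_dn_by_rid(new_rid)
        # AD only accepts a group the user is already an explicit member of.
        if user_dn not in self.groups[new_dn]["member"]:
            raise ValueError("user must be a member of the new primary group")
        # The explicit link to the new primary group becomes implied (dropped),
        # and the old primary group gains an explicit link instead.
        self.groups[new_dn]["member"].discard(user_dn)
        self.users[user_dn]["memberOf"].discard(new_dn)
        self.add_member(old_dn, user_dn)
        self.users[user_dn]["primaryGroupID"] = new_rid

    def check(self):
        # dbcheck-style pass: each backlink needs its forward link and vice
        # versa. Returns a list of error strings; an empty list means clean.
        errors = []
        for udn, u in self.users.items():
            for gdn in u["memberOf"]:
                if udn not in self.groups.get(gdn, {}).get("member", set()):
                    errors.append(f"orphaned backlink memberOf in {udn} for member in {gdn}")
        for gdn, g in self.groups.items():
            for udn in g["member"]:
                if gdn not in self.users.get(udn, {}).get("memberOf", set()):
                    errors.append(f"missing backlink memberOf in {udn} for member in {gdn}")
        return errors
```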
