[Samba] Samba4: error in schema?

steve steve at steve-ss.com
Sun Mar 18 01:19:26 MDT 2012


Hi
There seems to be a discrepancy in the s4 schema concerning security groups.
Domain Users comes with gidNumber: 100. This is however contrary to what 
the schema allows. You can show this as follows:

Create a new group. samba-tool group add mygroup.
Use phpldapadmin to add the gidNumber attribute.

There is an error because gidNumber is provided by the posixGroup class 
and that objectclass is not present by default.

No problem. We add objectClass: posixGroup and then we can add 
gidNumber: xxx just fine.

This however throws up another error in that mygroup is now not a 
security group but a posix group and the ability to view and manipulate 
group members is not available in Active Directory Computers and Users 
(ADCU). We made the following observations:

1. The members tabs are missing from mygroup properties in ADCU
2. You can still use samba-tool group addmembers to manipulate the groups
3. You can still select and change primary group for a user in ADCU
4. You can add users to the group under phpldapadmin but the users who 
are already members are not displayed. An error is however correctly 
displayed if you try to add a user who is already a member.
5. You can still manipulate the posixGroup as if it were a security 
group, set ACLs and permissions etc from the security tab of a file or 
folder.
6. You can use a big hammer to add attributes that you should not be 
able to add. e.g. you can add gidNumber without the objectClass (which 
supplies gidNumber) being present using ldapmodify or ldbmodify.
7. posixAccount and its associated attributes work exactly as advertised 
in the schema.

Conclusion:
This is simply an inconvenience. Everything works as expected except 
being able to view the members that are in a group either in ADCU or 
phpldapadmin _after_ you have added objectClass: posixGroup to it.

Why does adding the posixGroup Class knock out the ability to be able to 
view group membership? Is this an error in the posixGroup schema? Is it 
an aim that s4 be an _exact_ replacement for m$ AD?
Is this the schema that is used?

from: MS-AD_Schema_2K8_R2_Classes, under 
/usr/local/samba/share/setup/ad-schema

cn: PosixAccount
ldapDisplayName: posixAccount
governsId: 1.3.6.1.1.1.2.0
objectClassCategory: 3
rdnAttId: uid
subClassOf: top
mayContain: uid, cn, uidNumber, gidNumber, unixHomeDirectory, homeDirectory, userPassword, unixUserPassword, loginShell, gecos, description
schemaIdGuid: ad44bb41-67d5-4d88-b575-7b20674e76d8
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=PosixAccount,CN=Schema,CN=Configuration,<RootDomainDN>

cn: PosixGroup
ldapDisplayName: posixGroup
governsId: 1.3.6.1.1.1.2.2
objectClassCategory: 3
rdnAttId: cn
subClassOf: top
mayContain: cn, userPassword, unixUserPassword, description, gidNumber, memberUid
schemaIdGuid: 2a9350b8-062c-4ed0-9903-dde10d06deba
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=PosixGroup,CN=Schema,CN=Configuration,<RootDomainDN>

There are full details of what we have tried with screenshots in the 
latter part of this bugzilla:

https://bugzilla.samba.org/show_bug.cgi?id=8635

Please let us know if there is anything we can test.

Cheers,
Steve
(Could someone fwd to samba-technical?)
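An added example, not from the post and not Samba's own code, for the situation in point 6 above: a small Python check that reads class definitions in the layout of the schema file quoted in the message and reports attributes an entry carries that none of its objectClasses provides (for instance gidNumber on a group that lacks posixGroup). The posixGroup definition is the one quoted above; the 'group' class definition and the two sample entries are constructed and trimmed, not the real AD schema.

```python
# Added example, not Samba code: report entry attributes that none of the
# entry's objectClasses provides. posixGroup is copied from the schema quoted
# above; the 'group' class is a trimmed stand-in for the real AD class (assumption).
SCHEMA_TEXT = """\
cn: PosixGroup
ldapDisplayName: posixGroup
subClassOf: top
mayContain: cn, userPassword, unixUserPassword, description,gidNumber,
 memberUid

cn: Group
ldapDisplayName: group
subClassOf: top
mayContain: cn, description, member, sAMAccountName, groupType
"""


def parse_schema(text: str) -> dict[str, set[str]]:
    """Map each ldapDisplayName (lowercased) to the attributes it may contain."""
    classes: dict[str, set[str]] = {}
    for block in text.strip().split("\n\n"):
        fields, key = {}, ""
        for line in block.splitlines():
            if line.startswith(" ") and key:  # wrapped continuation line
                fields[key] += line.strip()
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        attrs = fields.get("mayContain", "").split(",")
        classes[fields["ldapDisplayName"].lower()] = {a.strip().lower() for a in attrs if a.strip()}
    return classes


def audit_entry(entry: dict[str, list[str]], classes: dict[str, set[str]]) -> list[str]:
    """Return the entry's attributes that no listed objectClass provides (sorted)."""
    allowed = {"dn", "objectclass"}  # supplied by 'top'
    for oc in entry.get("objectClass", []):
        allowed |= classes.get(oc.lower(), set())
    return sorted(a for a in entry if a.lower() not in allowed)


def classes_providing(attr: str, classes: dict[str, set[str]]) -> list[str]:
    """Schema classes that would make attr legal, e.g. posixgroup for gidNumber."""
    return sorted(name for name, attrs in classes.items() if attr.lower() in attrs)


# Constructed entries: a group given gidNumber by ldbmodify without posixGroup, then fixed.
HAMMERED = {"dn": ["CN=mygroup,CN=Users,DC=example,DC=com"], "cn": ["mygroup"],
            "objectClass": ["top", "group"], "gidNumber": ["10001"]}
FIXED = dict(HAMMERED, objectClass=["top", "group", "posixGroup"])
```

Running audit_entry over every group in an LDIF export pointed this way lists exactly the entries that were given gidNumber the "big hammer" way, and classes_providing tells you which objectClass would make the attribute legal.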

