[Samba] Issues with users and groups they belong to

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 30 04:54:09 MDT 2014


On 27/06/14 23:02, Marcelo Zabani wrote:
> Hello everyone,
>
> I'm having a problem with the replication of the Active Directory from a
> Windows Server 2003 r2 DC to a Samba 4.1.6 (Ubuntu 14.04) DC.
>
> The problem we have is that the *memberOf* attribute is missing on two
> users in the Samba ldap database after adding them to a group on the
> Windows DC. I can't easily add these through an LDAP administration tool and
> can't add them to the group through *samba-tool*. I've even tried removing
> them to be able to add them again to the group, but was not able to
> remove them from the group with samba-tool. The funny thing is that looking
> at the group through the LDAP tool shows that the user is in the group
> (only the *memberOf* attribute is missing).

You cannot directly add the 'memberOf' attribute; it can only be created 
by the system and is based on the 'member' attribute of the group. The 
attributes 'member' and 'memberOf' each have a 'linkID' attribute; 
these link them together, and when the user is added to the group by the 
'member' attribute (which contains the user's DN) being added to the 
group's DN stanza, the system creates the 'memberOf' attribute in the 
user's DN stanza.

So, if you added a user to the group on the Windows server and it is not 
fully replicating to your Samba4 server, check that the problem does not 
start on the Windows server: does the 'memberOf' attribute exist there?
If it does, then you would seem to have a replication error; if it 
doesn't, then you need to remove the user from the group and try again.

Rowland
>
> The following shows some more detail:
>
> *DBCHECK:*
>
> root at servernovo:/home/elite# samba-tool dbcheck
> Checking 1508 objects
> ERROR: missing backlink attribute 'memberOf' in CN=Aline Cristina Rodrigues,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br for link member in CN=Financeiro2,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br
> Not fixing missing backlink memberOf
> ERROR: missing backlink attribute 'memberOf' in CN=Tailane Silva dos Santos Almeida,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br for link member in CN=Pedagogico,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br
> Not fixing missing backlink memberOf
> ERROR: missing backlink attribute 'memberOf' in CN=Aline Cristina Rodrigues,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br for link member in CN=Financeiro,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br
> Not fixing missing backlink memberOf
> ERROR: missing backlink attribute 'memberOf' in CN=Tailane Silva dos Santos Almeida,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br for link member in CN=Atendimento,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br
> Not fixing missing backlink memberOf
> Please use --fix to fix these errors
> Checked 1508 objects (4 errors)
>
>
> *REMOVING FROM GROUP:*
>
>
> root at servernovo:/home/elite# samba-tool group removemembers pedagogico tailane
> ../source4/dsdb/samdb/ldb_modules/linked_attributes.c:1132: failed to apply linked attribute change 'attribute 'memberOf': no matching attribute value while deleting attribute on 'CN=Tailane Silva dos Santos Almeida,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br''
> dn: <GUID=ffd5b807-7464-47a8-8cc3-6373c32d9d03>;<SID=S-1-5-21-825060708-2637176727-2735268678-1497>;CN=Tailane Silva dos Santos Almeida,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br
> changetype: modify
> delete: memberOf
> memberOf: <GUID=82614147-73fa-4501-bfd2-c758053cd84c>;<SID=S-1-5-21-825060708-2637176727-2735268678-1114>;CN=Pedagogico,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br
>
> ../source4/dsdb/samdb/ldb_modules/linked_attributes.c:1208: Failed mod request ret=16 ERROR(ldb): Failed to remove members "tailane" from group "pedagogico" - attribute 'memberOf': no matching attribute value while deleting attribute on 'CN=Tailane Silva dos Santos Almeida,CN=Users,DC=escritorio,DC=elitecampinas,DC=com,DC=br'
>
>
> I know I've asked a lot, but are there any resources on things that might
> go wrong when I shut down my Windows Server 2003 instance for good (keeping
> only our Samba DC)?
>
> Thanks in advance,
>
> Marcelo.
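
The forward-link/backlink check described in the reply above can be run offline against an LDIF export of the groups and users taken from each DC, which shows whether a 'memberOf' is already missing on the Windows side or only on the Samba side. This is an added example, not part of the original thread and not Samba's own code; the function names and the sample entries are constructed for illustration, and DN matching is simplified.

```python
import base64
import re

def norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()  # assumes no escaped commas

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} from LDIF text."""
    entries, current = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold wrapped lines first
        if not line.strip():
            current = None                      # blank line ends an entry
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):               # "attr:: <base64>" (non-ASCII)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr.lower() == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def missing_backlinks(entries):
    """List (group_dn, user_dn) where 'member' has no matching 'memberOf'."""
    missing = []
    for group_dn, attrs in entries.items():
        for member in attrs.get("member", []):
            user = entries.get(norm_dn(member))  # None: user not in the export
            if user is not None and group_dn not in map(norm_dn, user.get("memberof", [])):
                missing.append((group_dn, norm_dn(member)))
    return missing

# Constructed sample export (placeholder names, not data from the thread).
ZOE_B64 = base64.b64encode("CN=Zo\u00eb Test,CN=Users,DC=example,DC=com".encode()).decode()
SAMPLE = f"""dn: CN=Group A,CN=Users,DC=example,DC=com
member: CN=Ann Test,CN=Users,DC=example,DC=com
member:: {ZOE_B64}

dn: CN=Ann Test,CN=Users,DC=example,DC=com
memberOf: CN=Group A,CN=Users,
 DC=example,DC=com

dn:: {ZOE_B64}
"""

if __name__ == "__main__":
    print(missing_backlinks(parse_ldif(SAMPLE)))
```

Running the same check on the export from each DC and comparing the two result lists separates a link that was never completed at the source from one that was lost in replication.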


