[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 8 11:14:16 MDT 2014


On 08/10/14 16:45, Prunk Dump wrote:
> Hi samba team!
>
> I have found a very strange bug when changing my user's primaryGroupID
> with ldif files. The bug is very easy to reproduce:
>
> 1) Create a user, create a group, add the user to the group
> -------------------------------
> ~# samba-tool user add stduser
> User 'stduser' created successfully
>
> ~# samba-tool group add stdgroup
> Added group stdgroup
>
> ~# samba-tool group addmembers stdgroup stduser
> Added members to group stdgroup
> -------------------------------
>
> 2) Get the group sid, and change the user's primaryGroupID with the dn
> prefixes in lower case:
> -------------------------------
> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
> primaryGroupID memberOf
> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
> cn: stduser
> primaryGroupID: 513
> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>
> ~# wbinfo --name-to-sid=stdgroup
> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>
> ~# cat /tmp/chggrp.ldif
> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
> changetype: modify
> replace: primarygroupid
> primarygroupid: 3385
>
> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
> Modified 1 records successfully
> -------------------------------
>
> 3) Now it's impossible to remove the user from the "Domain Users"
> group! And there are errors in the ldb base!
> The group membership is one time written with lower case prefixes and
> one time with upper case prefixes:
> -------------------------------
> ~# samba-tool group removemembers "Domain Users" stduser
> Removed members from group Domain Users
>
> ~# samba-tool group listmembers "Domain Users" | grep stduser
> stduser
>
> ~# samba-tool dbcheck | grep stduser
> ERROR: incorrect DN string component for member in object CN=Domain
> Users,CN=Users,DC=my,DC=example,DC=com -
> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
> ERROR: orphaned backlink attribute 'memberOf' in
> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
> -------------------------------
>
> !! If the dn prefixes are written in upper case like below, there are
> no problems !!
> -------------------------------
> ~# cat /tmp/chggrp2.ldif
> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
> changetype: modify
> replace: primarygroupid
> primarygroupid: 3385
> -------------------------------
>
> The problem occurs when the primaryGroupID is changed and when the
> "memberOf" attribute needs to be added. The case is not checked.
>
> Thanks!
Hi, why are you trying to remove a user from Domain Users? I take it
that you don't want them to access the network etc. If you examine
**any** AD user, you will not find a 'memberOf' attribute pointing to
'Domain Users'; also, you do not add or remove the 'memberOf' attribute,
AD does this for you when you add/remove a user to/from a group.

You can change a user's primarygroupid, but there is little point to this
and it entails a lot of hassle. I would suggest doing what most people
do: create a group, add the user to this group and then use ACLs to
restrict access to members of this group on any shares etc.

Rowland
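Since AD (and Samba) treat the attribute types in a DN as case-insensitive, the mismatch reported above can be caught on the client side before an ldif reaches ldbmodify. The Python below is an added example, not code from this thread or from Samba: it rewrites `dn:` lines into the upper-case spelling that worked in the report, and flags linked-attribute values that name the same object with differing case, the condition dbcheck complained about. The sample LDIF and `member` values are constructed from the report; the GUID is the one dbcheck printed.

```python
import re
from itertools import combinations

def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring separators escaped with a backslash (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def normalize_dn(dn: str) -> str:
    """Canonical spelling: attribute types upper-cased, values left exactly as written."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = [f"{t.strip().upper()}={v.strip()}" for t, _, v in
                (ava.partition("=") for ava in _split_unescaped(rdn, "+"))]
        rdns.append("+".join(avas))
    return ",".join(rdns)

def same_dn(a: str, b: str) -> bool:
    """AD compares DNs case-insensitively in both attribute types and values."""
    return normalize_dn(a).casefold() == normalize_dn(b).casefold()

def canonicalize_ldif(text: str) -> str:
    """Rewrite each 'dn:' line of an LDIF into canonical spelling before it reaches ldbmodify."""
    out = []
    for line in text.splitlines():
        m = re.match(r"dn:(?!:)\s*(.*)", line, re.IGNORECASE)   # skip base64 'dn::' lines
        out.append("dn: " + normalize_dn(m.group(1)) if m else line)
    return "\n".join(out)

def case_conflicts(values: list[str]) -> list[tuple[str, str]]:
    """Pairs of link values (plain or '<GUID=...>;' extended DNs) naming one object with different spellings."""
    plain = [(v, re.sub(r"^(<[^>]*>;)+", "", v)) for v in values]
    return [(a, b) for (a, pa), (b, pb) in combinations(plain, 2) if pa != pb and same_dn(pa, pb)]

# Constructed sample input: the LDIF from the report and the two 'member' spellings dbcheck flagged.
CHGGRP_LDIF = "dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com\nchangetype: modify\n" \
              "replace: primarygroupid\nprimarygroupid: 3385\n"
MEMBER_VALUES = [
    "<GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com",
    "CN=stduser,CN=Users,DC=my,DC=example,DC=com",
    "CN=other\\, user,CN=Users,DC=my,DC=example,DC=com",   # escaped comma must not split the RDN
]
```

Running `canonicalize_ldif(CHGGRP_LDIF)` yields the upper-case form of /tmp/chggrp2.ldif, and `case_conflicts(MEMBER_VALUES)` returns the one pair that differs only in case.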