deleting group using usrmgr on Samba3.0.1 rc2
adegremont at idealx.com
Tue Dec 16 10:12:37 GMT 2003
This problem was already discussed here, and it's clear to me that Samba
must not try to delete the posix part first. As Samba relies on posix
accounts, it seems normal that, when deleting accounts, they must be
removed starting with the Samba layer, and then the Posix layer. This
doesn't add problems for any backends, except LDAP. So I totally agree
with Jianliang, but this modification must not be done alone.

As code consistency matters, in my opinion this code inversion should
be done not only for group deletions, but for all deletions, so users too.
I tried patching this, it's ok, but another problem appeared when
removing users with LDAPSAM.

The present ldapsam code tries to remove the sambaSamAccount class and all
its attributes, as requested by the ldap server. But some class
attributes are also requested by other classes the entry could have (i.e.
the uid field is needed by PosixAccount and sambaSamAccount). As a
consequence, the request doesn't succeed.

So the ldapsam code should be adapted to correct this behaviour. I tried
to do it, but I'm not an LDAP specialist, and I didn't manage to do it.
I hope you've got solutions.

Jianliang Lu wrote:
>We would propose the following patch to fix a problem of "group delete"
>using usrmgr. With the LDAPSAM backend, when we delete a domain group
>using usrmgr we get NT_STATUS_ACCESS_DENIED, because the group
>was first deleted by the "delete group script" (smbldap-groupdel.pl) and then
>was deleted again by pdb_delete_group_mapping_entry(group_sid), which can't
>find such a group in ldap, so it returns NT_STATUS_ACCESS_DENIED. With the LDAP backend
>a group cannot exist without the gid in the database, so there is not any script
>that deletes only the posixgroup leaving the SambaSID attribute of the group in
>the database; instead, you can delete the group's SambaSID leaving only the
>--- samba-3.0.1rc2/source/rpc_server/srv_samr_nt.c.orig Fri Dec 12 17:25:49
>+++ samba-3.0.1rc2/source/rpc_server/srv_samr_nt.c Fri Dec 12 17:36:38
>@@ -3827,6 +3827,10 @@
> if ( (grp=getgrgid(gid)) == NULL)
> return NT_STATUS_NO_SUCH_GROUP;
>+ /* First delete group mapping */
>+ return NT_STATUS_ACCESS_DENIED;
> /* we can delete the UNIX group */
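Review bot: the `return NT_STATUS_ACCESS_DENIED;` added under the "First delete group mapping" comment has no visible condition in front of it, so as shown it fires unconditionally and the UNIX group deletion below is never reached. The hunk header counts four added lines and only two appear here; the mapping-deletion call and its failure test need to be part of the change, and a status other than ACCESS_DENIED for a mapping that cannot be found would make this failure easier to tell apart from the later one.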
>@@ -3834,8 +3838,6 @@
> if ( (grp=getgrgid(gid)) != NULL)
> return NT_STATUS_ACCESS_DENIED;
>- return NT_STATUS_ACCESS_DENIED;
> if (!close_policy_hnd(p, &q_u->group_pol))
> return NT_STATUS_OBJECT_NAME_INVALID;
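Review bot: the `getgrgid(gid)) != NULL` check kept in this hunk now runs after the group mapping has already been deleted, so when the UNIX group survives, the function returns NT_STATUS_ACCESS_DENIED with the Samba side gone and nothing restoring it. Either re-add the mapping on this path or log the case distinctly, and state in a comment that the new order (mapping first, UNIX group second) is intentional.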
>TieSse s.p.a. Ivrea (To) - Italy
>j.lu at tiesse.com luj at libero.it
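
The attribute overlap described in the message above (uid shared by PosixAccount and sambaSamAccount), as an added example that is not part of the original message or of Samba's ldapsam code: it selects which attributes can be dropped together with sambaSamAccount while posixAccount stays on the entry. The schema table is constructed and abbreviated, and the function names are assumptions.

```c
#include <string.h>

/* Constructed, abbreviated schema table (assumption): only some of the
 * attributes each objectClass uses are listed. */
struct oc_def { const char *name; const char *attrs[8]; };
static const struct oc_def schema[] = {
    { "sambaSamAccount", { "uid", "sambaSID", "cn", "sambaLMPassword",
                           "sambaNTPassword", "sambaAcctFlags", NULL } },
    { "posixAccount",    { "uid", "cn", "uidNumber", "gidNumber",
                           "homeDirectory", NULL } },
};

static const struct oc_def *find_oc(const char *name)
{
    for (size_t i = 0; i < sizeof(schema) / sizeof(schema[0]); i++)
        if (strcmp(schema[i].name, name) == 0) /* exact match, for brevity */
            return &schema[i];
    return NULL;
}

static int oc_uses(const struct oc_def *oc, const char *attr)
{
    for (int i = 0; oc->attrs[i] != NULL; i++)
        if (strcmp(oc->attrs[i], attr) == 0)
            return 1;
    return 0;
}

/* Collect the attributes of `drop` that no class in keep[] also uses.
 * Returns the count, or -1 (delete nothing) if any class is unknown. */
int attrs_safe_to_delete(const char *drop, const char **keep, int n_keep,
                         const char **out, int out_max)
{
    const struct oc_def *d = find_oc(drop);
    int n = 0;
    if (d == NULL)
        return -1;
    for (int i = 0; d->attrs[i] != NULL; i++) {
        int shared = 0;
        for (int k = 0; k < n_keep && !shared; k++) {
            const struct oc_def *o = find_oc(keep[k]);
            if (o == NULL)
                return -1;
            shared = oc_uses(o, d->attrs[i]);
        }
        if (!shared && n < out_max)
            out[n++] = d->attrs[i];
    }
    return n;
}
```

With posixAccount kept, uid and cn are left out of the result, so a delete request built from it no longer touches attributes the remaining class still needs.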