deleting group using usgmgr on Samba3.0.1 rc2

Aurélien Degrémont adegremont at
Tue Dec 16 10:12:37 GMT 2003


This problem was already discuss here, and it's clear for me that Samba 
must not try to delete the posix part first. As Samba rely on posix 
accounts, it seems normal, that, when deleting accounts, they must be 
removed starting by the Samba layer, and after the Posix layer. This 
doesn't add problems for any backends, except LDAP. So I totally agree 
with Jianliang, but, this modification must not be done alone.
As code consistency matters, according to me, this code inversion should 
not only do for groups deletions, but all deletions, so users too.

I tried patching this, it's ok, but another problem appeared when 
removing users with LDAPSAM.
The present ldapsam code try to remove the sambaSamAccount class and all 
its attributes, as requested by the ldap server. But, some class 
attributes are also requested by other classes the entry could have (ie. 
uid field is needed by PosixAccount and sambaSamAccount). As a 
consequence, the request doesn't succeeded.
So the ldapsam code should be adapted to correct this behaviour. I try 
to do it, but i'm not a ldap specialist, and i don't manage to do it.
I hope you've got solutions.

Aurélien Degrémont

Jianliang Lu wrote:

>We would propose the following patch to fix a problem of "group delete"
>using usrmgr. With the LDAPSAM backend when we delete a domain group 
>using usrmgr we got the NT_STATUS_ACCESS_DENIED, because the group 
>was first deleted by the "delete group script" ( and then 
>was again deleted by pdb_delete_group_mapping_entry(group_sid)) that can't 
>find such group in ldap, so return NT_STATUS_ACCESS_DENIED. With LDAP backend 
>a group cannot exist without the gid in database, so there is not any script 
>that delete only the posixgroup leaving the SambaSID attribute of group in 
>database, instead, you can delete the group's SambaSID leaving only the 
>--- samba-3.0.1rc2/source/rpc_server/srv_samr_nt.c.orig	Fri Dec 12 17:25:49 
>+++ samba-3.0.1rc2/source/rpc_server/srv_samr_nt.c	Fri Dec 12 17:36:38 
>@@ -3827,6 +3827,10 @@
> 	if ( (grp=getgrgid(gid)) == NULL)
>+    /* First delete group mapping */
>+	if(!pdb_delete_group_mapping_entry(group_sid))
> 	/* we can delete the UNIX group */
> 	smb_delete_group(grp->gr_name);
>@@ -3834,8 +3838,6 @@
> 	if ( (grp=getgrgid(gid)) != NULL)
>-	if(!pdb_delete_group_mapping_entry(group_sid))
> 	if (!close_policy_hnd(p, &q_u->group_pol))
>Jianliang Lu
>TieSse s.p.a.     Ivrea (To) - Italy
> at   luj at

More information about the samba-technical mailing list