Vedr. Re: Samba 4 ADUC add group in "member of" does not work

Andrew Bartlett abartlet at samba.org
Mon Dec 10 01:59:11 GMT 2007


On Sun, 2007-12-09 at 17:47 +0100, Harry Chinatzki wrote:
> > 
> > On Sat, 2007-12-08 at 12:10 +0100, Harry Chinatzki wrote:
> > > When I try to add a group (I choose "domain admins") to a user
> > > (I choose "administrator") all works fine until I push the OK
> > > button. Then I get:
> > > 
> > > "The following active directory error has occured: The data is invalid"
> > > 
> > > in the log of samba4 it just says:
> > > 
> > > ldb: objectguid_add_record
> > > 
> > > I'm using samba4 svn-download from 7 Dec 2007 as domain controller and
> > > a Windows 2003 server as memberserver and client from which I use
> > > ADUC. Everything else is default.
> > > 
> > > Why does add group not work?
> > 
> > Have you done a provision with that code, or is this a setup from
> > earlier?
> I provision with fresh code.

Thanks. 

> > 
> > This is meant to all work, and worked when I last
> > tested it, so we need
> > to chase it down some more...
> >
> I can see now that the group actually is added, but
> all groups except primary-group are invisible from
> ADUC-memberof. I only get the "invalid data" error
> when I try to add an additional group a second time
> (because I don't see it in ADUC-memberof).
> The additional groups work fine for me at the
> file-security-level.
> 
> In adsiedit.msc I can see that the additional group is
> added to memberOf-attribute, but there is no
> tokenGroup-attribute.
> Maybe the additional groups are invisible in ADUC
> because the tokenGroup attribute is missing from the
> user-ldapentry. I've read that some apps use the
> tokenGroup-attribute to enumerate user-groups.

In my experience MMC uses the memberOf attribute with ranged results to
do this search.  Could you possibly get me a trace (with wireshark) of
the network traffic? 

I might be able to see some more detail there. Please include the keytab
from the private directory to decrypt any encrypted traffic (assuming
this is a test network, without sensitive passwords). 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
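
Added example, not part of the original message and not Samba code: a sketch of what a ranged read of `memberOf` looks like from the client side, useful when reading the requested trace. It uses the Active Directory `attr;range=low-high` attribute option; the stand-in server, its page size and the group DNs are constructed for illustration.

```python
import re

# Attribute description carrying a range option, e.g. "memberOf;range=0-1499".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$",
                      re.IGNORECASE)

def parse_ranged(desc):
    """Return (attr, low, high); high is None when the option ends in '*'."""
    m = RANGE_RE.match(desc)
    if not m:
        raise ValueError(f"not a ranged attribute description: {desc!r}")
    high = None if m["high"] == "*" else int(m["high"])
    return m["attr"], int(m["low"]), high

def fake_server(values, page_size):
    """Constructed stand-in for the DC: answers one ranged read per call."""
    def read(desc):
        attr, low, high = parse_ranged(desc)
        end = len(values) if high is None else min(high + 1, len(values))
        end = min(end, low + page_size)      # server caps values per reply
        chunk = values[low:end]
        if not chunk:
            return {}                        # attribute absent: nothing returned
        # '*' as the upper bound marks the final chunk.
        upper = "*" if end >= len(values) else str(end - 1)
        return {f"{attr};range={low}-{upper}": chunk}
    return read

def read_all(read, attr):
    """Client side: request successive ranges until the reply ends in '*'."""
    collected, low = [], 0
    while True:
        reply = read(f"{attr};range={low}-*")
        if not reply:
            return collected
        (desc, chunk), = reply.items()
        _, got_low, got_high = parse_ranged(desc)
        if got_low != low:
            raise ValueError("reply covers a different range than requested")
        collected.extend(chunk)
        if got_high is None:                 # last chunk received
            return collected
        low = got_high + 1

if __name__ == "__main__":
    groups = [f"CN=group{i},CN=Users,DC=example,DC=com" for i in range(7)]
    print(read_all(fake_server(groups, 3), "memberOf"))
```

A client that ignores the `;range=` option in the returned attribute name will treat `memberOf` as missing or incomplete, which is one thing to look for in the trace.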