[IPA] Samba storing extended DN in Fedora DS

Endi Sukma Dewata edewata at redhat.com
Fri Oct 2 13:50:54 MDT 2009

Hi Andrew,

I'm trying to get Samba working with the soon-to-be-released DS 1.2.3.
The new DS imposes a stricter schema checking which causes a problem
during provisioning:

Failed to apply linked attribute change 'LDAP error 21
LDAP_INVALID_ATTRIBUTE_SYNTAX -  <memberOf: value #0 invalid per syntax
> <>' dn: CN=Administrator,CN=Users,DC=samba,DC=example,DC=com
changetype: modify
add: memberOf
memberOf: <GUID=cf7c7df9-aed5-11de-b258-ad016abdf0a2>;<SID=S-1-5-21-2567418026
 -1981856597-2036233384-519>;CN=Enterprise Admins,CN=Users,DC=samba,DC=example

It appears that the linked_attributes LDB module in sam.ldb is trying to create
a backlink by storing an extended DN in a memberOf attribute which uses a DN
syntax ( In the older DS version this still
works, but the new DS version no longer accepts it.

See source4/dsdb/samdb/ldb_modules/linked_attributes.c line 1119 and 1121:

ret_el->values[0] = data_blob_string_const(
    ldb_dn_get_extended_linearized(new_msg, ac->add_dn, 1));

If I change it to use the regular DN at least the provisioning would complete:

ret_el->values[0] = data_blob_string_const(

The problem doesn't happen with the default TDB backend. The problem also
doesn't happen with OpenLDAP backend because OpenLDAP doesn't use this module.

What should be the right behavior? Can a backlink work with just a regular DN?
Should the linked_attributes be modified to use a regular DN? Or should the
syntax be changed to something else? Thanks!

Endi S. Dewata

More information about the samba-technical mailing list