Manually creating groupOfNames breaks MMC

Matthias Dieter Wallnöfer mdw at samba.org
Thu Dec 2 04:20:27 MST 2010


Well, this should work - we've simply to ignore groups without SIDs.

Matthias

Adam Tauno Williams wrote:
> Should it be possible to create a "generic" groupOfNames object via
> ADSIEdit in Active Directory (Samba 4)?
>
> We have some applications that use their own groups, these aren't and
> don't correspond to domain groups, so I created an OU like we have in
> our OpenLDAP DIT and added some groupOfNames objects via the ADSIEdit
> snap-in in MMC.  That seemed to work well.
>
> Then I went to the "Active Directory Users and Groups" snap-in and MMC
> crashed.  Things seemed generally broken.  Looking in the samba.log I
> see -
> [Wed Dec  1 15:05:16 2010 EST,
> 0 ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
> Failed to modify SPNs on
> CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
> insufficient access rights (50)
> [Wed Dec  1 15:53:22 2010 EST,
> 0 ../auth/sam.c:331:authsam_expand_nested_groups()]
> ../auth/sam.c:331: when parsing DN
> <GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
> [Wed Dec  1 15:57:21 2010 EST,
> 0 ../auth/sam.c:331:authsam_expand_nested_groups()]
> ../auth/sam.c:331: when parsing DN
> <GUID=a0c6d073-0855-48cb-a278-fc37b26b6a46>;CN=cis,OU=Groups,OU=XMPP,OU=MI Services,DC=ad,DC=mormail,DC=com we failed to find our SID component, so we cannot calculate the group token: NT_STATUS_OBJECT_NAME_NOT_FOUND
> [Wed Dec  1 16:01:11 2010 EST,
> 0 ../rpc_server/drsuapi/writespn.c:230:dcesrv_drsuapi_DsWriteAccountSpn()]
> Failed to modify SPNs on
> CN=PC02790,CN=Computers,DC=ad,DC=mormail,DC=com: error in module acl:
> insufficient access rights (50)
>
> It looks like my newly created objects broke things.  Would this work on
> a true AD server?
>    
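
The behaviour proposed in the reply, ignoring groups whose extended DN carries no `<SID=...>` component, can be sketched as follows. This is an added example and a simplified model, not Samba's code: the function names, the `strict` switch and all DNs, GUIDs and SIDs are constructed, and it assumes a SID-less group contributes nothing to the token and is not expanded further.

```python
# Simplified model of nested-group expansion; not Samba's code.
# All DNs, GUIDs (shortened) and SIDs below are constructed sample values.

def split_extended_dn(ext_dn):
    """Split '<GUID=..>;<SID=..>;CN=..' into (sid_or_None, plain_dn)."""
    sid, rest = None, ext_dn
    while rest.startswith("<"):
        comp, _, rest = rest.partition(">;")
        name, _, value = comp[1:].partition("=")
        if name == "SID":
            sid = value
    return sid, rest

def expand_nested_groups(member_of, directory, strict=False):
    """Return (token_sids, skipped_dns) for a list of extended memberOf DNs.

    strict=True  -> a group without a SID aborts the expansion
                    (the failure seen in the quoted log).
    strict=False -> such a group is ignored and adds nothing to the token.
    """
    sids, skipped, seen = set(), [], set()
    stack = list(member_of)
    while stack:
        sid, dn = split_extended_dn(stack.pop())
        if dn in seen:          # guards against membership cycles
            continue
        seen.add(dn)
        if sid is None:
            if strict:
                raise LookupError("no SID component in " + dn)
            skipped.append(dn)  # not a security principal: skip it
            continue
        sids.add(sid)
        stack.extend(directory.get(dn, []))
    return sids, skipped

BASE = "OU=Groups,DC=example,DC=com"
STAFF = "<GUID=0a>;<SID=S-1-5-21-1-2-3-1105>;CN=Staff," + BASE
ALL = "<GUID=0b>;<SID=S-1-5-21-1-2-3-1106>;CN=AllStaff," + BASE
APP = "<GUID=0c>;CN=cis," + BASE           # groupOfNames: no SID component
# memberOf values per group DN; Staff and AllStaff form a cycle on purpose
DIRECTORY = {"CN=Staff," + BASE: [ALL], "CN=AllStaff," + BASE: [STAFF]}

if __name__ == "__main__":
    print(expand_nested_groups([STAFF, APP], DIRECTORY))
```
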


