Samba4 primaryGroupID problem
steve
steve at steve-ss.com
Tue May 1 12:40:00 MDT 2012
On 05/01/2012 06:58 PM, Matthias Dieter Wallnöfer wrote:
> Hi steve,
>
> steve wrote:
>> Hi
>> user steve2
>> memberOf: cn=laser,cn=Users,dc=foo,dc=bar
>> primaryGroupID: 513
>>
>>
>> After setting primaryGroupID for steve2 to 'laser' by replacing the
>> primaryGroupID 513 with that of 'laser', 1108 in this case, the
>> memberOf attribute remains.
> the "memberOf" attribute which refers to "CN=Domain
> Users,CN=Users,..."? This is correct AD behaviour.
>>
>> Reverting steve2 to primaryGroupID 513 and then attempting to remove
>> the group membership:
>>
>> samba-tool group removemembers laser steve2
>> completes but the attribute remains.
>>
>> using ldbedit in an attempt to remove it gives:
>> failed to modify CN=steve2,CN=Users,DC=polop,DC=site - LDAP error 53
>> LDAP_UNWILLING_TO_PERFORM - <00002035: objectclass_attrs: attribute
>> 'memberOf' on entry 'CN=steve2,CN=Users,DC=polop,DC=site' must not be
>> modified directly, it is a linked attribute> <>
> You cannot change "memberOf" directly, only the "member" attributes on
> the group objects (in this case "cn=laser, cn=Users,...") are
> writeable/deletable.
>>
>> Any ideas?
>> Cheers,
>> Steve
steve2 begins life as a member of Domain Users (513). He is a member by
primaryGroupID. He does not have a member attribute in Domain Users.
I add steve2 to laser:
samba-tool group addmembers laser steve2
steve2 now has a memberOf attribute under dn:steve2 and there is also a
member attribute under dn: laser
I now change the primaryGroupID of steve2 to laser (1108). The memberOf
attribute should be removed as steve2 is now a member of laser via
primaryGroupID, not by memberOf. However, the attribute remains and I
have to run:
samba-tool dbcheck --fix
to correct it.
Cheers,
Steve
More information about the samba-technical
mailing list
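Added example, not part of the original message and not Samba code: a small audit that lists each group's direct members by both routes discussed in the thread, the group's "member" links and users whose primaryGroupID equals the RID at the end of the group's objectSid. The entries, the domain SID and the user "otheruser" are constructed sample data; nested groups are not followed.

```python
# Constructed sample entries (not real ldbsearch output). The RIDs 513 and
# 1108 and the names steve2/laser follow the message; the domain SID is a
# placeholder and "otheruser" is hypothetical.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = "CN=Users,DC=polop,DC=site"
ENTRIES = [
    {"dn": "CN=Domain Users," + USERS, "objectClass": "group",
     "objectSid": DOMAIN_SID + "-513", "member": []},
    {"dn": "CN=laser," + USERS, "objectClass": "group",
     "objectSid": DOMAIN_SID + "-1108", "member": ["CN=steve2," + USERS]},
    {"dn": "CN=steve2," + USERS, "objectClass": "user", "primaryGroupID": 1108},
    {"dn": "CN=otheruser," + USERS, "objectClass": "user", "primaryGroupID": 513},
]


def rid(sid):
    """Return the relative identifier, the last component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def effective_membership(entries):
    """Map each group DN to its members by link, by primary group, and both.

    A user whose primaryGroupID matches the group's RID is a member even
    though no "member" value on the group names them, so an audit that reads
    only "member"/"memberOf" misses them. DNs are compared case-insensitively.
    """
    users = [e for e in entries if e["objectClass"] == "user"]
    report = {}
    for group in (e for e in entries if e["objectClass"] == "group"):
        group_rid = rid(group["objectSid"])
        linked = {dn.lower() for dn in group.get("member", [])}
        primary = {u["dn"].lower() for u in users
                   if u.get("primaryGroupID") == group_rid}
        report[group["dn"]] = {
            "linked": sorted(linked),
            "primary": sorted(primary),
            "both": sorted(linked & primary),   # state described in the message
            "effective": sorted(linked | primary),
        }
    return report


if __name__ == "__main__":
    for dn, info in effective_membership(ENTRIES).items():
        print(dn, info)
```
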