Samba4 primaryGroupID problem

steve steve at
Tue May 1 12:40:00 MDT 2012

On 05/01/2012 06:58 PM, Matthias Dieter Wallnöfer wrote:
> Hi steve,
> steve schrieb:
>> Hi
>> user steve2
>> memberOf: cn=laser,cn=Users,dc=foo,dc=bar
>> primaryGroupID: 513
>> After setting primaryGroupID for steve2 to 'laser' by replacing the 
>> primaryGroupID 513 with that of 'laser', 1108 in this case, the 
>> memberOf attribute remains.
> the "memberOf" attribute which refers to "CN=Domain 
> Users,CN=Users,..."? This is correct AD behaviour.
>> Reverting steve2 to primaryGroupID 513 and then attempting to remove 
>> the group membership:
>> samba-tool group removemembers laser steve2
>> completes but the attribute remains.
>> using ldbedit in an attempt to remove it gives:
>> failed to modify CN=steve2,CN=Users,DC=polop,DC=site - LDAP error 53 
>> LDAP_UNWILLING_TO_PERFORM - <00002035: objectclass_attrs: attribute 
>> 'memberOf' on entry 'CN=steve2,CN=Users,DC=polop,DC=site' must not be 
>> modified directly, it is a linked attribute> <>
> You cannot change "memberOf" directly, only the "member" attributes on 
> the group objects (in this case "cn=laser, cn=Users,...") are 
> writeable/deletable.
>> Any ideas?
>> Cheers,
>> Steve
steve2 begins life as a member of Domain Users (513). He is a member by 
primaryGroupID. He does not have a member attribute in Domain Users.

I add steve2 to laser:
samba-tool group addmembers laser steve2

steve2 now has a memberOf attribute under dn:steve2 and there is also a 
member attribute under dn: laser

I now change the primaryGroupID of steve2 to laser (1108). The memberOf 
attribute should be removed as steve2 is now a member of laser via 
primaryGroupID, not by memberOf. However, the attribute remains and I 
have to run:

samba-tool dbcheck --fix
to correct it.
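The membership rules discussed in this thread, as an added example that is not part of the original posts or of Samba: a small Python audit over an LDIF export that counts primaryGroupID as membership and reports users whose primary group also holds an explicit member link for them, the state steve describes after the change. The LDIF, the domain SID and the function names are constructed for illustration; it assumes unfolded LDIF, string-form objectSid values and exact-string DN matching.

```python
# Constructed sample export, not from a real directory. The domain SID is a
# placeholder; RIDs 513 and 1108 and the names are the ones quoted in the thread.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=foo,DC=bar
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=laser,CN=Users,DC=foo,DC=bar
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1108
member: CN=steve2,CN=Users,DC=foo,DC=bar

dn: CN=steve2,CN=Users,DC=foo,DC=bar
objectClass: user
primaryGroupID: 1108
memberOf: CN=laser,CN=Users,DC=foo,DC=bar
"""

def parse_ldif(text):
    """Parse unfolded 'attr: value' LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Return (effective, redundant): group DN -> set of member DNs counting both
    member links and primaryGroupID, and (user, group) pairs present in both."""
    by_rid, effective = {}, {}
    for e in entries:
        if "group" in e.get("objectClass", []):
            by_rid[e["objectSid"][0].rsplit("-", 1)[1]] = e["dn"][0]  # RID = last SID part
            effective[e["dn"][0]] = set(e.get("member", []))
    redundant = []
    for e in entries:
        group = by_rid.get(e.get("primaryGroupID", [""])[0])
        if group is None:  # no primaryGroupID, or its group is not in the export
            continue
        user = e["dn"][0]
        if user in effective[group]:  # exact-string DN match (assumption)
            redundant.append((user, group))
        effective[group].add(user)
    return effective, redundant

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

An audit that reads only member or memberOf would miss every user whose membership comes from primaryGroupID alone, which is why the effective set is built from both.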

