Samba4 primaryGroupID problem

Matthias Dieter Wallnöfer mdw at
Wed May 2 09:24:05 MDT 2012

Hi steve,

the question is how you are performing the modifications. It seems that 
somehow our SAMDB LDB modules get omitted.

Could it be that you are using operations like "ldbmodify"/"ldbedit" -H 
/usr/local/samba/private/sam.ldb.d/<something>.ldb? The files under 
"sam.ldb.d" are the real (internal) data files of our AD-like database 
and should *never* be accessed directly unless you know what you are doing.

Hence please always access using the "sam.ldb" file directly under the 
"private" directory (as "root") or the IP address with administrator 
user+password as a "-H" parameter. For other name contexts (schema, 
configuration) you need to provide the appropriate "-b" argument as well.

Summed up, it is a serious issue. You might also try to do a complete s4 
rebuild if the problem persists.

Matthias Wallnöfer

steve wrote:
> On 05/01/2012 08:40 PM, steve wrote:
>> On 05/01/2012 06:58 PM, Matthias Dieter Wallnöfer wrote:
>>> Hi steve,
>>> steve wrote:
>>>> Hi
>>>> user steve2
>>>> memberOf: cn=laser,cn=Users,dc=foo,dc=bar
>>>> primaryGroupID: 513
>>>> After setting primaryGroupID for steve2 to 'laser' by replacing the 
>>>> primaryGroupID 513 with that of 'laser', 1108 in this case, the 
>>>> memberOf attribute remains.
>>> the "memberOf" attribute which refers to "CN=Domain 
>>> Users,CN=Users,..."? This is correct AD behaviour.
>>>> Reverting steve2 to primaryGroupID 513 and then attempting to 
>>>> remove the group membership:
>>>> samba-tool group removemembers laser steve2
>>>> completes but the attribute remains.
>>>> using ldbedit in an attempt to remove it gives:
>>>> failed to modify CN=steve2,CN=Users,DC=polop,DC=site - LDAP error 
>>>> 53 LDAP_UNWILLING_TO_PERFORM - <00002035: objectclass_attrs: 
>>>> attribute 'memberOf' on entry 'CN=steve2,CN=Users,DC=polop,DC=site' 
>>>> must not be modified directly, it is a linked attribute> <>
>>> You cannot change "memberOf" directly, only the "member" attributes 
>>> on the group objects (in this case "cn=laser, cn=Users,...") are 
>>> writeable/deletable.
>>>> Any ideas?
>>>> Cheers,
>>>> Steve
>> steve2 begins life as a member of Domain Users (513). He is a member 
>> by primaryGroupID. He does not have a member attribute in Domain Users.
>> I add steve2 to laser:
>> samba-tool group addmembers laser steve2
>> steve2 now has a memberOf attribute under dn:steve2 and there is also 
>> a member attribute under dn: laser
>> I now change the primaryGroupID of steve2 to laser (1108). The 
>> memberOf attribute should be removed as steve2 is now a member of 
>> laser via primaryGroupID, not by memberOf. However, the attribute 
>> remains and I have to run:
>> samba-tool dbcheck --fix
>> to correct it.
>> Cheers,
>> Steve
> Hi again,
> Further:
> If I set steve2 back to primaryGroupID Domain Users (513) and then run
>  samba-tool group removemembers laser steve2
> it does not delete the entry even though it completes without error.
> Cheers,
> Steve
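
Added example (not part of the original message and not Samba's own tooling): a shell check that flags ldb tool command lines whose "-H" target is a file under "sam.ldb.d", the kind of access the reply above says leaves out the SAMDB LDB modules. The history lines, the PARTITION.ldb file name and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# classify_ldb_target URL: print "partition" for a file under sam.ldb.d,
# "server" for an LDAP URL, "samdb" for the top-level sam.ldb, else "other".
classify_ldb_target() {
    case "$1" in
        */sam.ldb.d/*|sam.ldb.d/*)      echo partition ;;
        ldap://*|ldaps://*|ldapi://*)   echo server ;;
        */sam.ldb|sam.ldb)              echo samdb ;;
        *)                              echo other ;;
    esac
}

# audit_ldb_commands: read command lines on stdin and print every ldb tool
# invocation that targets a partition file. Returns 1 if any were found.
audit_ldb_commands() {
    found=0
    while IFS= read -r line; do
        set -f; set -- $line; set +f        # split into words, no globbing
        case "${1##*/}" in
            ldbmodify|ldbedit|ldbsearch|ldbadd|ldbdel|ldbrename) ;;
            *) continue ;;
        esac
        target=
        while [ $# -gt 0 ]; do
            case "$1" in
                -H|--url) target=$2 ;;
                --url=*)  target=${1#--url=} ;;
                -H?*)     target=${1#-H} ;;
            esac
            shift
        done
        if [ "$(classify_ldb_target "$target")" = partition ]; then
            echo "$line"
            found=1
        fi
    done
    return $found
}

# Constructed sample input; PARTITION.ldb is a placeholder file name.
sample_history() {
    cat <<'EOF'
ldbedit -H /usr/local/samba/private/sam.ldb.d/PARTITION.ldb
ldbsearch -H /usr/local/samba/private/sam.ldb -b CN=Configuration,DC=foo,DC=bar
ldbmodify --url=tdb:///usr/local/samba/private/sam.ldb.d/PARTITION.ldb change.ldif
ldbmodify -H ldap://192.0.2.10 -U Administrator change.ldif
samba-tool group removemembers laser steve2
EOF
}

sample_history | audit_ldb_commands || true   # prints the two partition-file lines
```

Feeding it a real shell history file in place of sample_history lists past commands that touched the partition files directly.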
