Samba4 primaryGroupID problem

steve steve at
Thu May 3 08:32:57 MDT 2012

On 03/05/12 13:15, Lukasz Zalewski wrote:
> On 02/05/12 18:44, steve wrote:
>> On 02/05/12 17:24, Matthias Dieter Wallnöfer wrote:
>>> Hi steve,
>>> the question is how you are performing the modifications. It seems that
>>> somehow our SAMDB LDB modules get omitted.
>>> Could it be that you are using operations like "ldbmodify"/"ldbedit" -H
>>> /usr/local/samba/private/sam.ldb.d/<something>.ldb? The files under
>>> "sam.ldb.d" are the real (internal) data files of our AD-like database
>>> and should *never* be accessed directly unless you know what you are
>>> doing.
>>> Hence please always access using the "sam.ldb" file directly under the
>>> "private" directory (as "root") or the IP address with administrator
>>> user+password as a "-H" parameter. For other name contexts (schema,
>>> configuration) you need to provide the appropriate "-b" argument as
>>> well.
>>> Summed up it is a serious issue. You might also try to do a complete s4
>>> rebuild if the problem persists.
>>> Cheers,
>>> Matthias Wallnöfer

>> Cheers,
>> Steve
> Hi Matthias, Steve
> I have run some tests on Version 4.0.0alpha21-GIT-afa1d22 and noticed
> the problem too. Below is a test case scenario that i have used:

Hi everyone

Thanks Lukasz for the tests.

Just to add that that we can also trace this behaviour via getent. If 
the group has objectClass: posixGroup set, then we can observe that a 
group member with primaryGroupID set to that group still appears in 
getent group (he shouldn't) until samba-tool dbcheck --fix is applied.

We are mapping uid/gid via the (very nice) new nss-pam-ldapd.


More information about the samba-technical mailing list