Samba4 primaryGroupID problem

Matthias Dieter Wallnöfer mdw at samba.org
Thu May 3 09:36:52 MDT 2012


Hi Lukasz, Steve,

this looks like an issue related to the linked attributes modules. They 
seem to not remove the orphaned "memberOf" attributes correctly. The 
samldb module (which handles the "primaryGroupID" semantics) works only 
on the base of the "member" attributes since the "memberOf" ones should 
always track them. That means: 1.) change "primaryGroupID", 2.) remove 
"member" attribute in new primary group, 3.) add "member" attribute in 
old primary group.

Andrew, could you enlighten us on what needs to be done here? Lukasz, 
Steve, it would be useful if you could post your domain/forest function 
levels (which in fact design the precise linked attributes behaviour).

Cheers,
Matthias

Lukasz Zalewski schrieb:
> Hi Matthias, Steve
> I have run some tests on Version 4.0.0alpha21-GIT-afa1d22 and noticed 
> the problem too. Below is a test case scenario that I have used:
>
> ./samba-tool user add bar --random-password --userou='OU=Domain Users' 
> -H ldap://myS4dc -k yes -U Administrator
> User 'bar' created successfully
> ./samba-tool dbcheck
> Checking 343 objects
> Checked 343 objects (0 errors)
>
> ./samba-tool group add bargroup --groupou='OU=Domain Groups' -H 
> ldap://myS4dc -k yes -U Administrator
> Added group bargroup
> ./samba-tool dbcheck
> Checking 344 objects
> Checked 344 objects (0 errors)
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
> # record 1
> dn: CN=bar,OU=Domain Users,DC=X
> primaryGroupID: 513
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
> # record 1
> dn: CN=bargroup,OU=Domain Groups,DC=X
> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
>
> ./samba-tool group addmembers bargroup bar -H ldap://myS4dc -k yes -U 
> Administrator
> Added members to group bargroup
> ./samba-tool dbcheck
> Checking 344 objects
> Checked 344 objects (0 errors)
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
> # record 1
> dn: CN=bargroup,OU=Domain Groups,DC=X
> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
> member: CN=bar,OU=Domain Users,DC=X
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
> # record 1
> dn: CN=bar,OU=Domain Users,DC=X
> primaryGroupID: 513
> memberOf: CN=bargroup,OU=Domain Groups,DC=X
>
> ./ldbedit -H ldap://myS4dc -k yes '(CN=bar)'
> Changed primaryGroupID to 1131 (RID of bargroup)
> # 0 adds  1 modifies  0 delete
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
> # record 1
> dn: CN=bar,OU=Domain Users,DC=X
> memberOf: CN=Domain Users,CN=Users,DC=X
> primaryGroupID: 1135
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
> # record 1
> dn: CN=bargroup,OU=Domain Groups,DC=X
> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
>
> But
> ./samba-tool dbcheck
> Checking 344 objects
> ERROR: orphaned backlink attribute 'memberOf' in CN=bar,OU=Domain 
> Users,DC=X for link member in CN=Domain Users,CN=Users,DC=X
> Not removing orphaned backlink member
> ERROR: incorrect DN string component for member in object CN=Domain 
> Users,CN=Users,DC=X - 
> <GUID=762c38c2-f7c7-4915-87f0-bf189abb553e>;CN=bar,OU=Domain Users,DC=X
> Not fixing incorrect string version of DN
> ./samba-tool dbcheck --fix
> ./samba-tool dbcheck
> Checking 344 objects
> Checked 344 objects (0 errors)
>
>
> ./ldbedit -H ldap://myS4dc -k yes '(CN=bar)'
> Changed primaryGroupID to 513 (RID of Domain Users)
> # 0 adds  1 modifies  0 deletes
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
> # record 1
> dn: CN=bar,OU=Domain Users,DC=X
> memberOf: CN=bargroup,OU=Domain Groups,DC=X
> primaryGroupID: 513
>
> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
> # record 1
> dn: CN=bargroup,OU=Domain Groups,DC=X
> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
> member: CN=bar,OU=Domain Users,DC=X
>
> But again:
> ./samba-tool dbcheck
> Checking 344 objects
> ERROR: orphaned backlink attribute 'memberOf' in CN=bar,OU=Domain 
> Users,DC=X for link member in CN=bargroup,OU=Domain Groups,DC=X
> Not removing orphaned backlink member
> ERROR: incorrect DN string component for member in object 
> CN=bargroup,OU=Domain Groups,DC=X - 
> <GUID=762c38c2-f7c7-4915-87f0-bf189abb553e>;CN=bar,OU=Domain Users,DC=X
> Not fixing incorrect string version of DN
>
>
> So it seems that the corruption happens when the primaryGroupID is 
> changed (although visually inspecting the attributes does not indicate 
> the problem, i.e. member/memberOf and primaryGroupID are 
> modified/removed correctly)
>
> I have tested this using operations directly on sam.ldb (using
> -H /usr/local/samba/private/sam.ldb) and also using AD Users and 
> Computers and the problem happens exactly in the same place (when the 
> primaryGroupID is changed)
>
> HTH
>
> L
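As an added illustration (not code from this thread or from Samba itself), the following is a small in-memory model of the primaryGroupID semantics Matthias describes, plus a dbcheck-style scan that flags the orphaned "memberOf" backlink Lukasz observed; the DNs, RIDs and the `buggy` switch are constructed for the example and do not reflect Samba's real ldb modules.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    dn: str
    rid: int                                    # RID part of objectSid (constructed)
    member: set = field(default_factory=set)    # forward links, held on groups
    memberOf: set = field(default_factory=set)  # backlinks, held on users
    primaryGroupID: int = 0                     # users only; 0 means "not a user"

class Directory:
    def __init__(self, objs):
        self.by_dn = {o.dn: o for o in objs}
        self.by_rid = {o.rid: o for o in objs}
    def add_member(self, group_dn, user_dn):
        self.by_dn[group_dn].member.add(user_dn)
        self.by_dn[user_dn].memberOf.add(group_dn)  # backlink must track forward link
    def remove_member(self, group_dn, user_dn, drop_backlink=True):
        self.by_dn[group_dn].member.discard(user_dn)
        if drop_backlink:
            self.by_dn[user_dn].memberOf.discard(group_dn)
    def set_primary_group(self, user_dn, new_rid, buggy=False):
        # Thread semantics: 1) change primaryGroupID, 2) remove "member" in the new
        # primary group, 3) add "member" in the old one. buggy=True models the reported
        # symptom: the forward link goes away but the memberOf backlink is left behind.
        user = self.by_dn[user_dn]
        old, new = self.by_rid[user.primaryGroupID], self.by_rid[new_rid]
        user.primaryGroupID = new_rid
        self.remove_member(new.dn, user_dn, drop_backlink=not buggy)
        self.add_member(old.dn, user_dn)
    def dbcheck(self):
        # Every memberOf needs a matching member link, and a user must never be an
        # explicit member of the group its primaryGroupID points at.
        errors = []
        for o in self.by_dn.values():
            for g in sorted(o.memberOf):
                if o.dn not in self.by_dn[g].member:
                    errors.append(f"orphaned backlink 'memberOf' in {o.dn} for link member in {g}")
            if o.primaryGroupID and o.dn in self.by_rid[o.primaryGroupID].member:
                errors.append(f"{o.dn} is an explicit member of its primary group")
        return errors

def reproduce(buggy):
    # Constructed scenario mirroring the thread: Domain Users (RID 513), bargroup, user bar.
    d = Directory([Obj("CN=Domain Users,CN=Users,DC=X", 513),
                   Obj("CN=bargroup,OU=Domain Groups,DC=X", 1135),
                   Obj("CN=bar,OU=Domain Users,DC=X", 1200, primaryGroupID=513)])
    d.add_member("CN=bargroup,OU=Domain Groups,DC=X", "CN=bar,OU=Domain Users,DC=X")
    d.set_primary_group("CN=bar,OU=Domain Users,DC=X", 1135, buggy=buggy)
    return d.dbcheck()
```

With `buggy=False` the scan is clean; with `buggy=True` it reports the stale memberOf pointing at bargroup, the same shape as the second dbcheck error in the quoted test run.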
