Samba4 primaryGroupID problem

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Thu May 3 09:52:32 MDT 2012


Hi Matthias,
On 03/05/12 16:36, Matthias Dieter Wallnöfer wrote:
> Hi Lukasz, Steve,
>
> this looks like an issue related to the linked attributes modules. They
> seem to not remove the orphaned "memberOf" attributes correctly. The
> samldb module (which handles the "primaryGroupID" semantics) works only
> on the base of the "member" attributes since the "memberOf" ones should
> always track them. That means: 1.) change "primaryGroupID", 2.) remove
> "member" attribute in new primary group, 3.) add "member" attribute in
> old primary group.
> Andrew, could you enlighten us on what needs to be done here? Lukasz,
> Steve, it would be useful if you could post your domain/forest function
> levels (which in fact design the precise linked attributes behaviour).
./samba-tool domain level show
Domain and forest function level for domain 'DC=X'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

It's the only DC in the forest

>
> Cheers,
> Matthias

>
> Lukasz Zalewski schrieb:
>> Hi Matthias, Steve
>> I have run some tests on Version 4.0.0alpha21-GIT-afa1d22 and noticed
>> the problem too. Below is a test case scenario that I have used:
>>
>> ./samba-tool user add bar --random-password --userou='OU=Domain Users'
>> -H ldap://myS4dc -k yes -U Administrator
>> User 'bar' created successfully
>> ./samba-tool dbcheck
>> Checking 343 objects
>> Checked 343 objects (0 errors)
>>
>> ./samba-tool group add bargroup --groupou='OU=Domain Groups' -H
>> ldap://myS4dc -k yes -U Administrator
>> Added group bargroup
>> ./samba-tool dbcheck
>> Checking 344 objects
>> Checked 344 objects (0 errors)
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
>> # record 1
>> dn: CN=bar,OU=Domain Users,DC=X
>> primaryGroupID: 513
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
>> # record 1
>> dn: CN=bargroup,OU=Domain Groups,DC=X
>> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
>>
>> ./samba-tool group addmembers bargroup bar -H ldap://myS4dc -k yes -U
>> Administrator
>> Added members to group bargroup
>> ./samba-tool dbcheck
>> Checking 344 objects
>> Checked 344 objects (0 errors)
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
>> # record 1
>> dn: CN=bargroup,OU=Domain Groups,DC=X
>> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
>> member: CN=bar,OU=Domain Users,DC=X
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
>> # record 1
>> dn: CN=bar,OU=Domain Users,DC=X
>> primaryGroupID: 513
>> memberOf: CN=bargroup,OU=Domain Groups,DC=X
>>
>> ./ldbedit -H ldap://myS4dc -k yes '(CN=bar)'
>> Changed primaryGroupID to 1131 (RID of bargroup)
>> # 0 adds 1 modifies 0 delete
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
>> # record 1
>> dn: CN=bar,OU=Domain Users,DC=X
>> memberOf: CN=Domain Users,CN=Users,DC=X
>> primaryGroupID: 1135
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
>> # record 1
>> dn: CN=bargroup,OU=Domain Groups,DC=X
>> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
>>
>> But
>> ./samba-tool dbcheck
>> Checking 344 objects
>> ERROR: orphaned backlink attribute 'memberOf' in CN=bar,OU=Domain
>> Users,DC=X for link member in CN=Domain Users,CN=Users,DC=X
>> Not removing orphaned backlink member
>> ERROR: incorrect DN string component for member in object CN=Domain
>> Users,CN=Users,DC=X -
>> <GUID=762c38c2-f7c7-4915-87f0-bf189abb553e>;CN=bar,OU=Domain Users,DC=X
>> Not fixing incorrect string version of DN
>> ./samba-tool dbcheck --fix
>> ./samba-tool dbcheck
>> Checking 344 objects
>> Checked 344 objects (0 errors)
>>
>>
>> ./ldbedit -H ldap://myS4dc -k yes '(CN=bar)'
>> Changed primaryGroupID to 513 (RID of Domain Users)
>> # 0 adds 1 modifies 0 deletes
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bar)' primaryGroupID memberOf
>> # record 1
>> dn: CN=bar,OU=Domain Users,DC=X
>> memberOf: CN=bargroup,OU=Domain Groups,DC=X
>> primaryGroupID: 513
>>
>> ./ldbsearch -H ldap://myS4dc -k yes '(CN=bargroup)' member objectSid
>> # record 1
>> dn: CN=bargroup,OU=Domain Groups,DC=X
>> objectSid: S-1-5-21-2098455588-1089388874-3731015120-1135
>> member: CN=bar,OU=Domain Users,DC=X
>>
>> But again:
>> ./samba-tool dbcheck
>> Checking 344 objects
>> ERROR: orphaned backlink attribute 'memberOf' in CN=bar,OU=Domain
>> Users,DC=X for link member in CN=bargroup,OU=Domain Groups,DC=X
>> Not removing orphaned backlink member
>> ERROR: incorrect DN string component for member in object
>> CN=bargroup,OU=Domain Groups,DC=X -
>> <GUID=762c38c2-f7c7-4915-87f0-bf189abb553e>;CN=bar,OU=Domain Users,DC=X
>> Not fixing incorrect string version of DN
>>
>>
>> So it seems that the corruption happens when the primaryGroupID is
>> changed (although visually inspecting the attributes does not indicate
>> the problem, i.e. member/memberOf and primaryGroupID are
>> modified/removed correctly)
>>
>> I have tested this using operations directly on sam.ldb (using
>> -H /usr/local/samba/private/sam.ldb) and also using AD Users and
>> Computers and the problem happens exactly in the same place (when the
>> primaryGroupID is changed)
>>
>> HTH
>>
>> L
>
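Added example (not Samba's code, and not part of the thread): a toy model of the samldb ordering Matthias describes (set primaryGroupID, drop the explicit member in the new primary group, add it to the old one) together with a dbcheck-style test that every memberOf backlink has a matching member forward link. The records are constructed to mirror the thread (user bar, Domain Users RID 513, bargroup RID 1135); the attribute names and the invariant are assumptions about AD semantics, not taken from Samba's source.

```python
# Added example: model of primaryGroupID semantics plus a backlink consistency
# check, on constructed records mirroring the thread (domain 'DC=X').
from dataclasses import dataclass, field


@dataclass
class Obj:
    dn: str
    rid: int = 0                   # last component of a group's objectSid
    primary_group_id: int = 0      # users only
    member: set = field(default_factory=set)     # forward links (groups)
    member_of: set = field(default_factory=set)  # backlinks (users)


def build_db():
    """Constructed records: user bar, Domain Users (513), bargroup (1135)."""
    user = Obj("CN=bar,OU=Domain Users,DC=X", primary_group_id=513)
    domain_users = Obj("CN=Domain Users,CN=Users,DC=X", rid=513)
    bargroup = Obj("CN=bargroup,OU=Domain Groups,DC=X", rid=1135)
    return {o.dn: o for o in (user, domain_users, bargroup)}


def add_member(db, group_dn, user_dn):
    """Like 'samba-tool group addmembers': forward link plus backlink."""
    db[group_dn].member.add(user_dn)
    db[user_dn].member_of.add(group_dn)


def group_by_rid(db, rid):
    return next(o for o in db.values() if o.rid == rid)


def change_primary_group(db, user_dn, new_rid):
    """Order from the thread: 1) set primaryGroupID, 2) remove 'member' in the
    new primary group, 3) add 'member' in the old primary group. Backlinks are
    kept in step with the forward links, which is what dbcheck verifies."""
    user = db[user_dn]
    old_grp = group_by_rid(db, user.primary_group_id)
    new_grp = group_by_rid(db, new_rid)
    user.primary_group_id = new_rid
    new_grp.member.discard(user_dn)
    user.member_of.discard(new_grp.dn)
    old_grp.member.add(user_dn)
    user.member_of.add(old_grp.dn)


def dbcheck(db):
    """Return a list of error strings; an empty list means links are consistent."""
    errors = []
    for o in db.values():
        for g_dn in o.member_of:             # every backlink needs its forward link
            if o.dn not in db[g_dn].member:
                errors.append(f"orphaned backlink attribute 'memberOf' in {o.dn} "
                              f"for link member in {g_dn}")
        for u_dn in o.member:                # every forward link needs its backlink
            if o.dn not in db[u_dn].member_of:
                errors.append(f"missing backlink 'memberOf' in {u_dn} for link member in {o.dn}")
    return errors
```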