cannot change primaryGroupID LDAP error 53 [solved]

steve steve at
Thu Apr 18 01:08:28 MDT 2013

On 04/17/2013 11:43 PM, David Mansfield wrote:
> On 04/17/2013 04:48 PM, steve wrote:
>> Version 4.0.6-GIT-4bebda4
>> Hi
>> When trying to change the primaryGroupID for a user using either 
>> ldbmodify or ldbedit:
>> failed to modify CN=dummy,CN=Users,DC=hh3,DC=site - LDAP error 53 
>> LDAP_UNWILLING_TO_PERFORM -  <error in module samldb: Unwilling to 
>> perform (53)> <>
>> The last time I needed to do it was in alpha 18 when it worked OK.
>> Any ideas?
>> Cheers,
>> Steve
> I hit this too as I recall, and I'm doing the same as you (trying to 
> use a samba4 DC for a bunch of linux machines).  I based my perl 
> scripts on many of your old examples (thanks by the way!).
> I think the cause/fix was:
> A user is not a "member" of the primary group (same applies to 
> "memberOf"), but must be a "member" of all secondary groups, so 
> logically, if you want to change the primary group, you must manage 
> the "member" and "memberOf" attributes.  However, you should not do 
> this, because it will happen automatically.
> Ensure the user is a member of the soon-to-be primary group, then 
> modify with:
> dn: $userDn
> changetype: modify
> replace: primarygroupid
> primarygroupid: $newPrimaryGroupId
> (and of course, $newPrimaryGroupId is the RID of the group)
> and you'll see the "member" was updated automatically.
> Hope this helps,
> David Mansfield
Thanks, that's better. The user has to be a member before you set 
primary. Also, you have to run dbcheck --fix all all afterwards.
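
Added example, not part of the original thread or of Samba's code: a small Python helper that builds the LDIF for the order of operations described above (membership first, then `primaryGroupID`), taking the RID from the group's `objectSid` in either string or binary form. The group DN and the SID are constructed sample values, and the DNs are assumed to be plain ASCII so they need no base64 encoding in LDIF.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (as returned over LDAP) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def rid_of(sid) -> int:
    """The RID is the last sub-authority of the SID (string or binary)."""
    if isinstance(sid, (bytes, bytearray)):
        sid = sid_to_str(bytes(sid))
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % (sid,))
    return int(parts[-1])

def primary_group_ldif(user_dn, group_dn, group_sid, already_member=False):
    """LDIF that adds the membership (unless present), then sets primaryGroupID."""
    records = []
    if not already_member:
        # Step 1: the user must be a member of the soon-to-be primary group.
        records.append("dn: %s\nchangetype: modify\nadd: member\nmember: %s\n"
                       % (group_dn, user_dn))
    # Step 2: primaryGroupID takes the group's RID, not its DN or full SID.
    records.append("dn: %s\nchangetype: modify\nreplace: primaryGroupID\n"
                   "primaryGroupID: %d\n" % (user_dn, rid_of(group_sid)))
    return "\n".join(records)

# Sample values: the user DN is the one in the error message above;
# the group DN and SID are constructed for illustration.
USER_DN = "CN=dummy,CN=Users,DC=hh3,DC=site"
GROUP_DN = "CN=staff,CN=Users,DC=hh3,DC=site"
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    print(primary_group_ldif(USER_DN, GROUP_DN, GROUP_SID))
```

The printed LDIF is in the same form as the modify record quoted above and is meant to be reviewed before it is applied.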
