[PATCH] samba-tool group addmembers
Alexander Bokovoy
ab at samba.org
Wed Jun 7 09:02:53 UTC 2017
On ke, 07 kesä 2017, Rowland Penny via samba-technical wrote:
>
> Hi, if you try to add a member to a group and the member exists as a
> sAMAccountName and a CN, you get this:
>
> root at dc1:~# samba-tool group addmembers group12 rowland
> ERROR(exception): Failed to add members "rowland" to group "group12"
> - Unable to find "rowland". Operation cancelled. File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/group.py",
> line 239, in run add_members_operation=True) File
> "/usr/local/samba/lib/python2.7/site-packages/samba/samdb.py", line
> 278, in add_remove_group_members raise Exception('Unable to find
> "%s". Operation cancelled.' % member)
>
> The user 'rowland' exists here:
>
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> sAMAccountName: rowland
>
> and here:
>
> dn: CN=rowland,OU=SUDOers,DC=samdom,DC=example,DC=com
>
> The problem isn't that 'rowland' doesn't exist, it is that he exists
> more than once ;-)
>
> Another user had the same problem, but he created the users with
> '--use-username-as-cn'
>
> This patch fixed the problem for me and the other user, it just changes
> the search for the user to use only the sAMAccountName attribute.
>
> Rowland
> From 8191910cc59e045b94b3779b2b9cddca1b75c230 Mon Sep 17 00:00:00 2001
> From: Rowland Penny <rpenny at samba.org>
> Date: Wed, 7 Jun 2017 09:23:10 +0100
> Subject: [PATCH] samba-tool: You cannot add members to a group if the member
> exists as a sAMAccountName and a CN.
>
> Signed-off-by: Rowland Penny <rpenny at samba.org>
> ---
> python/samba/netcmd/group.py | 2 ++
> python/samba/samdb.py | 4 ++--
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/python/samba/netcmd/group.py b/python/samba/netcmd/group.py
> index 11f8773..b9d6add 100644
> --- a/python/samba/netcmd/group.py
> +++ b/python/samba/netcmd/group.py
> @@ -199,6 +199,8 @@ This command adds one or more members to an existing Active Directory group. The
>
> When a member is added to a group the member may inherit permissions and rights from the group. Likewise, when permission or rights of a group are changed, the changes may reflect in the members through inheritance.
>
> +The member names specified on the command must be the sAMaccountName.
> +
> Example1:
> samba-tool group addmembers supergroup Group1,Group2,User1 -H ldap://samba.samdom.example.com -Uadministrator%passw0rd
>
> diff --git a/python/samba/samdb.py b/python/samba/samdb.py
> index 19dd8e9..b4d6768 100644
> --- a/python/samba/samdb.py
> +++ b/python/samba/samdb.py
> @@ -267,8 +267,8 @@ changetype: modify
>
> for member in members:
> targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
> - expression="(|(sAMAccountName=%s)(CN=%s))" % (
> - ldb.binary_encode(member), ldb.binary_encode(member)), attrs=[])
> + expression="(sAMAccountName=%s)" % (
> + ldb.binary_encode(member)), attrs=[])
>
> if len(targetmember) != 1:
> raise Exception('Unable to find "%s". Operation cancelled.' % member)
> --
> 2.1.4
>
I think instead of removing CN=%s from the filter it would be better to
limit the search by objectclass filtering to 'objectclass=user'.
E.g. change expression into
expression="(&(|(sAMAccountName=%s)(CN=%s))(objectclass=user))" % ...
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list