[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

Prunk Dump prunkdump at gmail.com
Wed Oct 8 09:45:29 MDT 2014


Hi Samba team!

I have found a very strange bug when changing my user's primaryGroupID
with ldif files. The bug is very easy to reproduce:

1) Create a user, create a group, add the user to the group
-------------------------------
~# samba-tool user add stduser
User 'stduser' created successfully

~# samba-tool group add stdgroup
Added group stdgroup

~# samba-tool group addmembers stdgroup stduser
Added members to group stdgroup
-------------------------------

2) Get the group SID, and change the user's primaryGroupID with the dn
prefixes in lower case:
-------------------------------
~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn primaryGroupID memberOf
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
cn: stduser
primaryGroupID: 513
memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com

~# wbinfo --name-to-sid=stdgroup
S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)

~# cat /tmp/chggrp.ldif
dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
Modified 1 records successfully
-------------------------------

3) Now it's impossible to remove the user from the "Domain Users"
group! And there are errors in the ldb base!
The group membership is written once with lower case prefixes and
once with upper case prefixes:
-------------------------------
~# samba-tool group removemembers "Domain Users" stduser
Removed members from group Domain Users

~# samba-tool group listmembers "Domain Users" | grep stduser
stduser

~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
-------------------------------

!! If the dn prefixes are written in upper case like below, there are
no problems !!
-------------------------------
~# cat /tmp/chggrp2.ldif
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
-------------------------------

The problem occurs when the primaryGroupID is changed and when the
"memberOf" attribute needs to be added. The case is not checked.

Thanks!
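
Added example, not part of the original post and not Samba code: a pre-flight filter that rewrites the `dn:` lines of an LDIF so every attribute-type prefix is upper case, the form the post reports as working, before the file is handed to ldbmodify. The function names are hypothetical; the sample LDIF is the one from the post, and a multi-valued RDN (joined with `+`) has only its first attribute type rewritten.

```python
# Added example: upper-case the DN prefixes in an LDIF before ldbmodify sees it.
# Function names are hypothetical; SAMPLE is the LDIF from the post.

def split_rdns(dn):
    """Split a DN on commas, honouring backslash escapes."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc or ch != ",":
            cur.append(ch)
            esc = (ch == "\\") and not esc
        else:
            parts.append("".join(cur))
            cur = []
    parts.append("".join(cur))
    return parts

def normalize_dn(dn):
    """Upper-case each RDN's attribute type; values keep their case."""
    out = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        out.append(attr.strip().upper() + "=" + value)
    return ",".join(out)

def fix_ldif(text):
    """Return (rewritten LDIF, [(old_dn, new_dn), ...] for changed entries)."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold folded lines
    changed, lines = [], []
    for line in text.split("\n"):
        # Plain "dn:" lines only; base64 "dn::" lines are passed through as-is.
        if line[:3].lower() == "dn:" and line[3:4] != ":":
            old = line[3:].strip()
            new = normalize_dn(old)
            if new != old:
                changed.append((old, new))
            line = "dn: " + new
        lines.append(line)
    return "\n".join(lines), changed

SAMPLE = ("dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com\n"
          "changetype: modify\nreplace: primarygroupid\nprimarygroupid: 3385\n")

if __name__ == "__main__":
    fixed, changed = fix_ldif(SAMPLE)
    for old, new in changed:
        print("rewrote: %s -> %s" % (old, new))
    print(fixed, end="")
```

Running `samba-tool dbcheck` after any bulk LDIF import remains the way to confirm that no mixed-case link values were written.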

