[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

Prunk Dump prunkdump at gmail.com
Wed Oct 8 23:45:53 MDT 2014


2014-10-08 19:14 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 08/10/14 16:45, Prunk Dump wrote:
>>
>> Hi samba team !
>>
>> I have found a very strange bug when changing my user's primaryGroupID
>> with ldif files. The bug is very easy to reproduce:
>>
>> 1) Create a user, create a group, add the user to the group
>> -------------------------------
>> ~# samba-tool user add stduser
>> User 'stduser' created successfully
>>
>> ~# samba-tool group add stdgroup
>> Added group stdgroup
>>
>> ~# samba-tool group addmembers stdgroup stduser
>> Added members to group stdgroup
>> -------------------------------
>>
>> 2) Get the group sid, and change the user's primaryGroupID with the dn
>> prefixes in lower case :
>> -------------------------------
>> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
>> primaryGroupID memberOf
>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>> cn: stduser
>> primaryGroupID: 513
>> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>>
>> ~# wbinfo --name-to-sid=stdgroup
>> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>>
>> ~# cat /tmp/chggrp.ldif
>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>> changetype: modify
>> replace: primarygroupid
>> primarygroupid: 3385
>>
>> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
>> Modified 1 records successfully
>> -------------------------------
>>
>> 3) Now it's impossible to remove the user from the "Domain Users"
>> group ! And there are errors in the ldb base !
>> The group membership is one time written with lower case prefixes and
>> one time with upper case prefixes :
>> -------------------------------
>> ~# samba-tool group removemembers "Domain Users" stduser
>> Removed members from group Domain Users
>>
>> ~# samba-tool group listmembers "Domain Users" | grep stduser
>> stduser
>>
>> ~# samba-tool dbcheck | grep stduser
>> ERROR: incorrect DN string component for member in object CN=Domain
>> Users,CN=Users,DC=my,DC=example,DC=com -
>>
>> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
>> ERROR: orphaned backlink attribute 'memberOf' in
>> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
>> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
>> -------------------------------
>>
>> !! If the dn prefixes are written in upper case like below, there are
>> no problems !!
>> -------------------------------
>> ~# cat /tmp/chggrp2.ldif
>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>> changetype: modify
>> replace: primarygroupid
>> primarygroupid: 3385
>> -------------------------------
>>
>> The problem occurs when the primaryGroupID is changed and the
>> "memberOf" attribute needs to be added. The case is not checked.
>>
>> Thanks !
>
> Hi, why are you trying to remove a user from Domain Users ? I take it that
> you don't want them to access the network etc. If you examine **any** AD
> user, you will not find a 'memberOf' attribute pointing to 'Domain Users',
> also you do not add or remove the 'memberOf' attribute, AD does this for you
> when you add/remove a user to/from a group.
>
> You can change a user's primarygroupid, but there is little point to this and
> it entails a lot of hassle, I would suggest doing what most people do,
> create a group, add the user to this group and then use ACLs to restrict
> access to members of this group on any shares etc.
>
> Rowland


Thank you for the help!

I come from the Linux world and I'm not very experienced in the AD
practices. I did not know that changing the primary group in Windows
AD was so marginal.

I use Samba4 mainly to manage Linux clients where the primary group
(gid) concept is fundamental. When I set the POSIX gid parameters for
my users I thought that I needed to change the Windows primaryGroupID
for database consistency. But it seems that winbind does not need
this.

The example above is just to demonstrate the bug. I don't want to
remove my user from the "Domain Users" group. I encounter the problem
when I want to change the user's primary group from GroupA to GroupB.
After that, as the database is corrupted, I can't remove the user from
GroupA.

I will correct my scripts so that the primaryGroupID is not changed.
But the bug remains in samba4.

Do you think I need to file a bug report? Or is this situation too
marginal?

Thanks again and excuse my English.

Baptiste.
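The thread shows two DN strings that name the same entry but differ only in the case of their attribute-type prefixes (cn= vs CN=), and dbcheck reporting the mismatched member value. The following is an added example, not Samba code and not something from the thread: a small Python helper that (a) rewrites the dn: lines of an LDIF to the upper-case prefixes Samba itself stores before the file is handed to ldbmodify, and (b) scans a group's member values for pairs that match case-insensitively but differ as strings, which is the condition dbcheck flagged above. It assumes the simple, unescaped DNs used in the post (no escaped commas, no multi-valued RDNs) and treats CN/DC values as case-insensitive, as AD does; the sample LDIF and member list are constructed from the values in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on /tmp/chggrp.ldif from the bug report.
SAMPLE_LDIF = """dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
"""

# Constructed member list of "Domain Users" after the bad modify: the same
# entry appears twice, once as stored by Samba and once with the lower-case
# prefixes (and the extended-DN GUID prefix dbcheck printed).
SAMPLE_MEMBERS = [
    "CN=stduser,CN=Users,DC=my,DC=example,DC=com",
    "<GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com",
    "CN=Administrator,CN=Users,DC=my,DC=example,DC=com",
]

_EXTENDED_PREFIX = re.compile(r"^(<[^>]*>;)+")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs.

    Assumption: plain DNs only (no escaped ',' or '=', no '+' multi-valued
    RDNs). Any '<GUID=...>;' style extended-DN components are dropped first.
    """
    dn = _EXTENDED_PREFIX.sub("", dn.strip())
    parts = []
    for rdn in dn.split(","):
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts.append((typ.strip(), val.strip()))
    return parts


def canonical_dn(dn: str) -> str:
    """Upper-case the attribute types (CN=, DC=) the way Samba stores them.

    Attribute types are case-insensitive per RFC 4514, so this changes the
    string form only, never which entry is named. Values are left untouched.
    """
    return ",".join(f"{typ.upper()}={val}" for typ, val in parse_dn(dn))


def _compare_key(dn: str) -> Tuple[Tuple[str, str], ...]:
    # Case-folded form used for equality: types are always case-insensitive,
    # and CN/DC values are case-insensitive in AD (assumption stated above).
    return tuple((typ.lower(), val.lower()) for typ, val in parse_dn(dn))


def same_entry(dn_a: str, dn_b: str) -> bool:
    """True when two DN strings refer to the same directory entry."""
    return _compare_key(dn_a) == _compare_key(dn_b)


def normalize_ldif(text: str) -> str:
    """Return the LDIF with every 'dn:' line rewritten via canonical_dn().

    Only the dn: lines are touched; attribute names such as 'primarygroupid'
    and the changetype/replace records are passed through unchanged.
    """
    out = []
    for line in text.splitlines():
        if line.lower().startswith("dn: "):
            out.append("dn: " + canonical_dn(line[4:]))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def find_case_duplicates(members: List[str]) -> List[Tuple[str, str]]:
    """Report member values that name one entry in two different spellings.

    Returns (first_seen, duplicate) pairs; an exact repeat of the same string
    is not reported, only spellings that differ while naming the same entry.
    """
    first_seen = {}
    dups = []
    for value in members:
        key = _compare_key(value)
        if key in first_seen:
            if first_seen[key] != value:
                dups.append((first_seen[key], value))
        else:
            first_seen[key] = value
    return dups


if __name__ == "__main__":
    print(normalize_ldif(SAMPLE_LDIF))
    for stored, dup in find_case_duplicates(SAMPLE_MEMBERS):
        print(f"case-variant member: {dup!r} duplicates {stored!r}")
```

In practice the normalization step would run over the generated LDIF just before `ldbmodify`, and the duplicate scan over the `member` values returned by `ldbsearch` on a group; neither replaces `samba-tool dbcheck`, which is the authoritative check once the database has already been written.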
