[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

Prunk Dump prunkdump at gmail.com
Sat Oct 11 01:54:03 MDT 2014


2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> On 09/10/14 06:45, Prunk Dump wrote:
>>
>> 2014-10-08 19:14 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>>
>>> On 08/10/14 16:45, Prunk Dump wrote:
>>>>
>>>> Hi samba team !
>>>>
>>>> I have found a very strange bug when changing my user's primaryGroupID
>>>> with ldif files. The bug is very easy to reproduce:
>>>>
>>>> 1) Create a user, create a group, add the user to the group
>>>> -------------------------------
>>>> ~# samba-tool user add stduser
>>>> User 'stduser' created successfully
>>>>
>>>> ~# samba-tool group add stdgroup
>>>> Added group stdgroup
>>>>
>>>> ~# samba-tool group addmembers stdgroup stduser
>>>> Added members to group stdgroup
>>>> -------------------------------
>>>>
>>>> 2) Get the group SID, and change the user's primaryGroupID with the dn
>>>> prefixes in lower case:
>>>> -------------------------------
>>>> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
>>>> primaryGroupID memberOf
>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>> cn: stduser
>>>> primaryGroupID: 513
>>>> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>>>>
>>>> ~# wbinfo --name-to-sid=stdgroup
>>>> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>>>>
>>>> ~# cat /tmp/chggrp.ldif
>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>> changetype: modify
>>>> replace: primarygroupid
>>>> primarygroupid: 3385
>>>>
>>>> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
>>>> Modified 1 records successfully
>>>> -------------------------------
>>>>
>>>> 3) Now it's impossible to remove the user from the "Domain Users"
>>>> group! And there are errors in the ldb database!
>>>> The group membership is written once with lower-case prefixes and
>>>> once with upper-case prefixes:
>>>> -------------------------------
>>>> ~# samba-tool group removemembers "Domain Users" stduser
>>>> Removed members from group Domain Users
>>>>
>>>> ~# samba-tool group listmembers "Domain Users" | grep stduser
>>>> stduser
>>>>
>>>> ~# samba-tool dbcheck | grep stduser
>>>> ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>> ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
>>>> -------------------------------
>>>>
>>>> !! If the dn prefixes are written in upper case as below, there are
>>>> no problems !!
>>>> -------------------------------
>>>> ~# cat /tmp/chggrp2.ldif
>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>> changetype: modify
>>>> replace: primarygroupid
>>>> primarygroupid: 3385
>>>> -------------------------------
>>>>
>>>> The problem occurs when the primaryGroupID is changed and the
>>>> "memberOf" attribute needs to be added. The case is not checked.
>>>>
>>>> Thanks !
>>>
>>> Hi, why are you trying to remove a user from Domain Users ? I take it
>>> that you don't want them to access the network etc. If you examine
>>> **any** AD user, you will not find a 'memberOf' attribute pointing to
>>> 'Domain Users', also you do not add or remove the 'memberOf' attribute,
>>> AD does this for you when you add/remove a user to/from a group.
>>>
>>> You can change a users primarygroupid, but there is little point to this
>>> and it entails a lot of hassle, I would suggest doing what most people
>>> do, create a group, add the user to this group and then use ACL's to
>>> restrict access to members of this group on any shares etc.
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>> Thank you for the help !
>>
>> I come from the Linux world and I'm not very experienced in the AD
>> practices. I did not know that changing the primary group in Windows
>> AD was so marginal.
>
>
> It is not recommended to remove a user from the Domain Users group, but you
> can change the primarygroupid but most people don't bother, see here for why
> (note it talks about removing the Domain Users group, but the reasoning is
> the same):
>
> http://social.technet.microsoft.com/Forums/windowsserver/en-US/69bbe556-b694-44dc-9a5e-2d53171073d0/are-there-any-issues-with-removing-the-domain-users-group-from-the-local-users-group-on-windows?forum=winserversecurity
>
> You also seem to be falling into the trap of thinking that changing the
> primarygroupid will affect linux, it won't, your users primary unix group
> comes from the 'gidNumber' attribute.
>
>>
>> I use Samba4 mainly to manage Linux clients where the primary group
>> (gid) concept is fundamental. When I set the POSIX gid parameters for
>> my users I thought that I need to change the windows primaryGroupID
>> for database consistency. But it seems that winbind does not need
>> this.
>>
>> The example above is just to demonstrate the bug. I don't want to
>> remove my user from the "Domain Users" group. I encounter the problem
>> when I want to change the user's primary group from GroupA to GroupB.
>> After that, as the database is corrupted, I can't remove the user from
>> GroupA.
>
>
> In my opinion (for what is worth), the bug is that you can actually remove a
> user from Domain Users with samba-tool.
>
>>
>> I will correct my scripts so that the primaryGroupID is not changed.
>> But the bug remains in samba4.
>>
>> Do you think I need to file a bug report? Or is this situation too
>> marginal?
>>
>> Thanks again and excuse my English.
>
> Your English is pretty good, so don't worry.
>
> Rowland
>>
>> Baptiste.
>
>
Hello,

Sadly, after some experimentation, things are not as simple as they seem...

2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> You also seem to be falling into the trap of thinking that changing the
> primarygroupid will affect linux, it won't, your users primary unix group
> comes from the 'gidNumber' attribute.

On my Linux clients I use winbind to do the PAM (authentication)
and NSS (name <-> id mapping) job. And winbind always uses the
primaryGroupID to set the unix gid (it takes the primaryGroupID -> gets
the corresponding group -> gets the group gid). I can't find any option
to make winbind use the "gidNumber" attribute instead of
"primaryGroupID". So I have to change the primaryGroupID of my users,
otherwise they do not have the correct gid number.

2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> In my opinion (for what is worth), the bug is that you can actually remove a
> user from Domain Users with samba-tool.

I can now confirm that the bug comes from bad case checking when
changing the primary group ID. ldbmodify accepts DNs with lower-case
prefixes:

dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com

or upper case prefixes :

dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com

But if I change the primary group ID of a user using lower-case
prefixes, it corrupts the ldb database. I have filed a bug report:

https://bugzilla.samba.org/show_bug.cgi?id=10863

Thank you very much for your help. Finally, I will check the case of
all the ldif files generated by my scripts.

Baptiste.
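The case check Baptiste mentions for script-generated LDIF can be automated before the file ever reaches ldbmodify. The following is an added example written for this page, not code from Samba or from the thread's participants: it rewrites the dn line of each LDIF record so that attribute types are upper case (cn= to CN=, dc= to DC=), the form ldbsearch itself prints above, and reports which DNs had to be changed. The sample LDIF embedded in it is constructed to mirror /tmp/chggrp.ldif from the first message; the script and function names are the example's own.

```python
"""LDIF dn-prefix case normaliser (added example, not Samba code).

Rewrites the "dn:" line of every LDIF record so that attribute types are
upper case, leaving attribute values, other attributes and record order
untouched. Folded dn lines (continuation lines starting with a space) and
base64 "dn::" lines are handled.
"""
import base64
import re
import sys

# Split a DN on RDN separators ("," between RDNs, "+" inside a multi-valued
# RDN) that are not escaped with a backslash; the separators are kept.
_RDN_SEP = re.compile(r'(?<!\\)([,+])')

# Constructed sample mirroring the chggrp.ldif from the thread.
SAMPLE_LDIF = """dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primaryGroupID
primaryGroupID: 3385
"""


def normalize_dn(dn):
    """Upper-case the attribute type of each RDN component; values are kept as-is."""
    out = []
    for i, part in enumerate(_RDN_SEP.split(dn)):
        if i % 2 == 1:                 # a separator captured by split()
            out.append(part)
            continue
        attr, eq, value = part.partition('=')
        # upper() leaves leading whitespace and numeric OID types unchanged
        out.append(attr.upper() + eq + value)
    return ''.join(out)


def _logical_lines(text):
    """Yield LDIF logical lines, joining continuation lines (leading space)."""
    current = None
    for raw in text.split('\n'):
        if raw.startswith(' ') and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield current
        current = raw
    if current is not None:
        yield current


def _parse_dn_line(line):
    """Return (dn, is_base64) for a dn logical line, or None for any other line."""
    if line[:4].lower() == 'dn::':
        return base64.b64decode(line[4:].strip()).decode('utf-8'), True
    if line[:3].lower() == 'dn:':
        return line[3:].strip(), False
    return None


def normalize_ldif(text):
    """Return the LDIF text with every dn line rewritten in canonical case."""
    out = []
    for line in _logical_lines(text):
        parsed = _parse_dn_line(line)
        if parsed is None:
            out.append(line)           # non-dn lines pass through (unfolded)
            continue
        dn = normalize_dn(parsed[0])
        if parsed[1]:
            out.append('dn:: ' + base64.b64encode(dn.encode('utf-8')).decode('ascii'))
        else:
            out.append('dn: ' + dn)
    return '\n'.join(out)


def noncanonical_dns(text):
    """List the DNs in the LDIF whose attribute types are not already upper case."""
    found = []
    for line in _logical_lines(text):
        parsed = _parse_dn_line(line)
        if parsed is not None and normalize_dn(parsed[0]) != parsed[0]:
            found.append(parsed[0])
    return found


if __name__ == '__main__':
    # Usage: python3 ldif_dncase.py in.ldif > out.ldif   (exit 1 if anything changed)
    src = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else sys.stdin.read()
    changed = noncanonical_dns(src)
    for dn in changed:
        print('non-canonical dn: ' + dn, file=sys.stderr)
    sys.stdout.write(normalize_ldif(src))
    sys.exit(1 if changed else 0)
```

Run it over each generated file before ldbmodify (`python3 ldif_dncase.py /tmp/chggrp.ldif > /tmp/chggrp.fixed.ldif`); the non-zero exit status lets a scripted pipeline stop and report rather than silently write a lower-case DN. The tool only canonicalises attribute types; it deliberately leaves the values alone, since the case of a value such as the user's cn is part of the data, not of the prefix.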