[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

steve steve at steve-ss.com
Sat Oct 11 09:25:30 MDT 2014


On 11/10/14 09:54, Prunk Dump wrote:
> 2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 09/10/14 06:45, Prunk Dump wrote:
>>>
>>> 2014-10-08 19:14 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>>>
>>>> On 08/10/14 16:45, Prunk Dump wrote:
>>>>>
>>>>> Hi samba team !
>>>>>
>>>>> I have found a very strange bug when changing my user's primaryGroupID
>>>>> with ldif files. The bug is very easy to reproduce:
>>>>>
>>>>> 1) Create a user, create a group, add the user to the group
>>>>> -------------------------------
>>>>> ~# samba-tool user add stduser
>>>>> User 'stduser' created successfully
>>>>>
>>>>> ~# samba-tool group add stdgroup
>>>>> Added group stdgroup
>>>>>
>>>>> ~# samba-tool group addmembers stdgroup stduser
>>>>> Added members to group stdgroup
>>>>> -------------------------------
>>>>>
>>>>> 2) Get the group sid, and change the user's primaryGroupID with the dn
>>>>> prefixes in lower case:
>>>>> -------------------------------
>>>>> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
>>>>> primaryGroupID memberOf
>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>> cn: stduser
>>>>> primaryGroupID: 513
>>>>> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>>>>>
>>>>> ~# wbinfo --name-to-sid=stdgroup
>>>>> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>>>>>
>>>>> ~# cat /tmp/chggrp.ldif
>>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>> changetype: modify
>>>>> replace: primarygroupid
>>>>> primarygroupid: 3385
>>>>>
>>>>> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
>>>>> Modified 1 records successfully
>>>>> -------------------------------
>>>>>
>>>>> 3) Now it's impossible to remove the user from the "Domain Users"
>>>>> group! And there are errors in the ldb database!
>>>>> The group membership is written once with lower case prefixes and
>>>>> once with upper case prefixes:
>>>>> -------------------------------
>>>>> ~# samba-tool group removemembers "Domain Users" stduser
>>>>> Removed members from group Domain Users
>>>>>
>>>>> ~# samba-tool group listmembers "Domain Users" | grep stduser
>>>>> stduser
>>>>>
>>>>> ~# samba-tool dbcheck | grep stduser
>>>>> ERROR: incorrect DN string component for member in object CN=Domain
>>>>> Users,CN=Users,DC=my,DC=example,DC=com -
>>>>>
>>>>>
>>>>> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>> ERROR: orphaned backlink attribute 'memberOf' in
>>>>> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
>>>>> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
>>>>> -------------------------------
>>>>>
>>>>> !! If the dn prefixes are written in upper case like below, there are
>>>>> no problems !!
>>>>> -------------------------------
>>>>> ~# cat /tmp/chggrp2.ldif
>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>> changetype: modify
>>>>> replace: primarygroupid
>>>>> primarygroupid: 3385
>>>>> -------------------------------
>>>>>
>>>>> The problem occurs when the primaryGroupID is changed and the
>>>>> "memberOf" attribute needs to be added. The case is not checked.
>>>>>
>>>>> Thanks !
>>>>
>>>> Hi, why are you trying to remove a user from Domain Users? I take it
>>>> that you don't want them to access the network etc. If you examine
>>>> **any** AD user, you will not find a 'memberOf' attribute pointing to
>>>> 'Domain Users'; also, you do not add or remove the 'memberOf'
>>>> attribute, AD does this for you when you add/remove a user to/from a
>>>> group.
>>>>
>>>> You can change a user's primarygroupid, but there is little point to
>>>> this and it entails a lot of hassle; I would suggest doing what most
>>>> people do: create a group, add the user to this group and then use ACLs
>>>> to restrict access to members of this group on any shares etc.
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>> Thank you for the help !
>>>
>>> I come from the Linux world and I'm not very experienced in the AD
>>> practices. I did not know that changing the primary group in Windows
>>> AD was so marginal.
>>
>>
>> It is not recommended to remove a user from the Domain Users group. You
>> can change the primarygroupid, but most people don't bother; see here for
>> why (note it talks about removing the Domain Users group, but the
>> reasoning is the same):
>>
>> http://social.technet.microsoft.com/Forums/windowsserver/en-US/69bbe556-b694-44dc-9a5e-2d53171073d0/are-there-any-issues-with-removing-the-domain-users-group-from-the-local-users-group-on-windows?forum=winserversecurity
>>
>> You also seem to be falling into the trap of thinking that changing the
>> primarygroupid will affect linux; it won't, your users' primary unix group
>> comes from the 'gidNumber' attribute.
>>
>>>
>>> I use Samba4 mainly to manage Linux clients, where the primary group
>>> (gid) concept is fundamental. When I set the POSIX gid parameters for
>>> my users I thought that I needed to change the windows primaryGroupID
>>> for database consistency. But it seems that winbind does not need
>>> this.
>>>
>>> The example above is just to demonstrate the bug. I don't want to
>>> remove my user from the "Domain Users" group. I encounter the problem
>>> when I want to change the user's primary group from GroupA to GroupB.
>>> After that, as the database is corrupted, I can't remove the user from
>>> GroupA.
>>
>>
>> In my opinion (for what it's worth), the bug is that you can actually
>> remove a user from Domain Users with samba-tool.
>>
>>>
>>> I will correct my scripts so that the primaryGroupID is not changed.
>>> But the bug remains in samba4.
>>>
>>> Do you think that I need to file a bug report? Or is this situation
>>> too marginal?
>>>
>>> Thanks again and excuse my English.
>>
>> Your English is pretty good, so don't worry.
>>
>> Rowland
>>>
>>> Baptiste.
>>
>>
>
>
>
>
> Hello,
>
> Sadly, after some experimentation, things are not as simple as they seem ...
>
> 2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> You also seem to be falling into the trap of thinking that changing the
>> primarygroupid will affect linux, it won't, your users primary unix group
>> comes from the 'gidNumber' attribute.
>
> On my Linux clients I use winbind to do the PAM (authentication)
> and NSS (name <-> id mapping) job. And winbind always uses the
> primaryGroupID to set the unix gid (it takes the primaryGroupID -> gets
> the corresponding group -> gets the group gid). I can't find any option
> to make winbind use the "gidNumber" attribute instead of
> "primaryGroupID". So I have to change the primaryGroupID of my users,
> otherwise they do not have the correct gid number.
>
> 2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> In my opinion (for what is worth), the bug is that you can actually remove a
>> user from Domain Users with samba-tool.
>
> I can now confirm that the bug comes from a bad case check when
> changing the primary group ID. ldbmodify accepts a dn with lower case
> prefixes:
>
> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>
> or upper case prefixes :
>
> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>
> But if I change the primary group ID of a user using lower case
> prefixes, it corrupts the ldb database. I have made a bug report:
>
> https://bugzilla.samba.org/show_bug.cgi?id=10863
>
> Thank you very much for your help. Finally I will check the case of
> all the ldif files generated by my scripts.
>
> Baptiste.
>

Hi
Sorry to come in late. The sequence of events is important so that the 
schema doesn't get confused:
create new group
assign gidNumber to new group
create new user
add new user to new group
remove user from Domain\ Users
change the new user's primaryGroupID to the RID of the new group
add the user back to Domain\ Users
HTH,
Steve
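The precaution Baptiste settles on above, checking the case of the DNs in script-generated ldif files before they reach ldbmodify, is easy to automate. The following Python script is an added example for this thread; it is not code from the thread or from Samba. It rewrites every plain `dn:` line of an LDIF file so that the attribute types of each RDN (`cn=`, `ou=`, `dc=`, ...) are upper case, the form `ldbsearch` prints in the thread, while the RDN values are left untouched. The sample LDIF embedded in it is constructed from the thread; the file name `normalize_ldif.py` and the function names are my own.

```python
"""Normalize DN attribute-type prefixes in an LDIF file before ldbmodify.

Added example for this thread; it is not code from the thread or from Samba.
Every plain "dn:" line is rewritten so that the attribute types of each RDN
(cn=, ou=, dc=, ...) are upper case while the values stay exactly as they
are.  Base64-encoded "dn::" lines are passed through untouched.
"""
from __future__ import annotations

import re
import sys

# Constructed sample: the LDIF from the thread, with lower-case prefixes.
SAMPLE_LDIF = """\
dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
"""

# An attribute type (descriptor or dotted OID, as in RFC 4514) followed by '='.
# It must sit at the start of the DN or directly after an unescaped ',' or
# '+' separator, so '=' characters inside RDN values are never touched.
_TYPE_RE = re.compile(
    r"(^|(?<!\\)[,+])\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*="
)


def normalize_dn(dn: str) -> str:
    """Upper-case every attribute type in *dn*; RDN values are unchanged."""
    return _TYPE_RE.sub(lambda m: f"{m.group(1)}{m.group(2).upper()}=", dn)


def unfold(text: str) -> list[str]:
    """Join LDIF continuation lines (leading single space) onto their record line."""
    lines: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def normalize_ldif(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Rewrite the plain "dn:" lines of an LDIF text.

    Returns the rewritten text plus a list of (old, new) pairs for every DN
    that actually changed, so a generating script can log or refuse them.
    """
    out: list[str] = []
    changed: list[tuple[str, str]] = []
    for line in unfold(text):
        low = line.lower()
        if low.startswith("dn:") and not low.startswith("dn::"):
            old = line[3:].strip()
            new = normalize_dn(old)
            if new != old:
                changed.append((old, new))
            out.append("dn: " + new)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def main(argv: list[str]) -> int:
    # Usage: python normalize_ldif.py [file.ldif] > fixed.ldif
    # Without an argument the constructed sample above is processed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    fixed, changed = normalize_ldif(text)
    for old, new in changed:
        print(f"rewrote DN: {old} -> {new}", file=sys.stderr)
    sys.stdout.write(fixed)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a filter between the script that generates the ldif and `ldbmodify`; the rewritten DNs are reported on stderr so a change in case is visible in the script's log. Escaped separators (`\,`) and multi-valued RDNs (`cn=a+sn=b`) are handled; only the attribute types change, never the values.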
