[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 11 09:38:18 MDT 2014


On 11/10/14 16:25, steve wrote:
> On 11/10/14 09:54, Prunk Dump wrote:
>> 2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>> On 09/10/14 06:45, Prunk Dump wrote:
>>>>
>>>> 2014-10-08 19:14 GMT+02:00 Rowland Penny 
>>>> <rowlandpenny at googlemail.com>:
>>>>>
>>>>> On 08/10/14 16:45, Prunk Dump wrote:
>>>>>>
>>>>>> Hi samba team !
>>>>>>
>>>>>> I have found a very strange bug when changing my user's 
>>>>>> primaryGroupID
>>>>>> with ldif files. The bug is very easy to reproduce:
>>>>>>
>>>>>> 1) Create a user, create a group, add the user to the group
>>>>>> -------------------------------
>>>>>> ~# samba-tool user add stduser
>>>>>> User 'stduser' created successfully
>>>>>>
>>>>>> ~# samba-tool group add stdgroup
>>>>>> Added group stdgroup
>>>>>>
>>>>>> ~# samba-tool group addmembers stdgroup stduser
>>>>>> Added members to group stdgroup
>>>>>> -------------------------------
>>>>>>
>>>>>> 2) Get the group sid, and change the user's primaryGroupID with 
>>>>>> the dn
>>>>>> prefixes in lower case :
>>>>>> -------------------------------
>>>>>> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
>>>>>> primaryGroupID memberOf
>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>> cn: stduser
>>>>>> primaryGroupID: 513
>>>>>> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>>>>>>
>>>>>> ~# wbinfo --name-to-sid=stdgroup
>>>>>> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>>>>>>
>>>>>> ~# cat /tmp/chggrp.ldif
>>>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>>> changetype: modify
>>>>>> replace: primarygroupid
>>>>>> primarygroupid: 3385
>>>>>>
>>>>>> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
>>>>>> Modified 1 records successfully
>>>>>> -------------------------------
>>>>>>
>>>>>> 3) Now it's impossible to remove the user from the "Domain Users"
>>>>>> group! And there are errors in the ldb base!
>>>>>> The group membership is one time written with lower case prefixes 
>>>>>> and
>>>>>> one time with upper case prefixes :
>>>>>> -------------------------------
>>>>>> ~# samba-tool group removemembers "Domain Users" stduser
>>>>>> Removed members from group Domain Users
>>>>>>
>>>>>> ~# samba-tool group listmembers "Domain Users" | grep stduser
>>>>>> stduser
>>>>>>
>>>>>> ~# samba-tool dbcheck | grep stduser
>>>>>> ERROR: incorrect DN string component for member in object CN=Domain
>>>>>> Users,CN=Users,DC=my,DC=example,DC=com -
>>>>>>
>>>>>>
>>>>>> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com 
>>>>>>
>>>>>> ERROR: orphaned backlink attribute 'memberOf' in
>>>>>> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
>>>>>> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
>>>>>> -------------------------------
>>>>>>
>>>>>> !! If the dn prefixes are written in upper case like below, there 
>>>>>> are
>>>>>> no problems !!
>>>>>> -------------------------------
>>>>>> ~# cat /tmp/chggrp2.ldif
>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>> changetype: modify
>>>>>> replace: primarygroupid
>>>>>> primarygroupid: 3385
>>>>>> -------------------------------
>>>>>>
>>>>>> The problem occurs when the primaryGroupID is changed and when the
>>>>>> "memberOf" attribute needs to be added. The case is not checked.
>>>>>>
>>>>>> Thanks !
>>>>>
>>>>> Hi, why are you trying to remove a user from Domain Users? I take it
>>>>> that
>>>>> you don't want them to access the network etc. If you examine 
>>>>> **any** AD
>>>>> user, you will not find a 'memberOf' attribute pointing to 'Domain
>>>>> Users',
>>>>> also you do not add or remove the 'memberOf' attribute, AD does 
>>>>> this for
>>>>> you
>>>>> when you add/remove a user to/from a group.
>>>>>
>>>>> You can change a user's primarygroupid, but there is little point 
>>>>> to this
>>>>> and
>>>>> it entails a lot of hassle, I would suggest doing what most people 
>>>>> do,
>>>>> create a group, add the user to this group and then use ACLs to 
>>>>> restrict
>>>>> access to members of this group on any shares etc.
>>>>>
>>>>> Rowland
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>> Thank you for the help !
>>>>
>>>> I come from the Linux world and I'm not very experienced in the AD
>>>> practices. I did not know that changing the primary group in Windows
>>>> AD was so marginal.
>>>
>>>
>>> It is not recommended to remove a user from the Domain Users group, 
>>> but you
>>> can change the primarygroupid but most people don't bother, see here 
>>> for why
>>> (note it talks about removing the Domain Users group, but the 
>>> reasoning is
>>> the same):
>>>
>>> http://social.technet.microsoft.com/Forums/windowsserver/en-US/69bbe556-b694-44dc-9a5e-2d53171073d0/are-there-any-issues-with-removing-the-domain-users-group-from-the-local-users-group-on-windows?forum=winserversecurity 
>>>
>>>
>>> You also seem to be falling into the trap of thinking that changing the
>>> primarygroupid will affect linux, it won't, your users' primary unix 
>>> group
>>> comes from the 'gidNumber' attribute.
>>>
>>>>
>>>> I use Samba4 mainly to manage Linux clients where the primary group
>>>> (gid) concept is fundamental. When I set the POSIX gid parameters for
>>>> my users I thought that I need to change the windows primaryGroupID
>>>> for database consistency. But it seems that winbind does not need
>>>> this.
>>>>
>>>> The example above is just to demonstrate the bug. I don't want to
>>>> remove my user from the "Domain Users" group. I encounter the problem
>>>> when I want to change the user's primary group from GroupA to GroupB.
>>>> After that, as the database is corrupted, I can't remove the user from
>>>> GroupA.
>>>
>>>
>>> In my opinion (for what is worth), the bug is that you can actually 
>>> remove a
>>> user from Domain Users with samba-tool.
>>>
>>>>
>>>> I will correct my scripts so that the primaryGroupID is not changed.
>>>> But the bug remains in samba4.
>>>>
>>>> Do you think that I need to do a bug report ? Or this situation is too
>>>> marginal ?
>>>>
>>>> Thanks again and excuse my English.
>>>
>>> Your English is pretty good, so don't worry.
>>>
>>> Rowland
>>>>
>>>> Baptiste.
>>>
>>>
>>
>>
>>
>>
>> Hello,
>>
>> Sadly, after some experimentation, things are not as simple as they 
>> seem ...
>>
>> 2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>> You also seem to be falling into the trap of thinking that changing the
>>> primarygroupid will affect linux, it won't, your users' primary unix 
>>> group
>>> comes from the 'gidNumber' attribute.
>>
>> On my linux clients I use winbind to do the pam (authentication)
>> and nss (name <-> id mapping) job. And winbind always uses the
>> primaryGroupID to set the unix gid (it takes the primaryGroupID -> gets
>> the corresponding group -> gets the group gid). I can't find any option
>> to make winbind use the "gidNumber" attribute instead of
>> "primaryGroupID". So I have to change the primaryGroupID of my users,
>> otherwise they do not have the correct gid number.
>>
>> 2014-10-09 10:07 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>>> In my opinion (for what is worth), the bug is that you can actually 
>>> remove a
>>> user from Domain Users with samba-tool.
>>
>> I can now confirm that the bug comes from bad case checking when
>> changing the primary group ID. ldbmodify accepts DNs with lower case
>> prefixes:
>>
>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>
>> or upper case prefixes :
>>
>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>
>> But if I change the primary group ID of a user using lower case
>> prefixes, it corrupts the ldb database. I have made a bug report:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=10863
>>
>> Thank you very much for your help. Finally I will check the case of
>> all the ldif files generated by my scripts.
>>
>> Baptiste.
>>
>
> Hi
> Sorry to come in late. The sequence of events is important so that the 
> schema doesn't get confused:
> create new group
> assign gidNumber to new group
> create new user
> add new user to new group
> remove user from Domain\ Users
> change the new user's primaryGroupID to the RID of the new group
> add the user back to Domain\ Users
> HTH,
> Steve
>
Hi Steve, apart from not having to remove/add the user to/from Domain 
Users, that is the order to do it.

Rowland
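As an added illustration of the case check Baptiste says he will add to his scripts (example code written for this page, not Samba's or any poster's own): a small Python helper that uppercases the attribute types in LDIF `dn:` lines before they are handed to ldbmodify, and that groups link values which name the same object but differ only in case, the condition dbcheck reported for `member` above. It assumes the all-uppercase form printed by ldbsearch is the canonical one; the sample LDIF and member values are taken from the thread.

```python
import re

# Splits a DN on commas that are not backslash-escaped (RFC 4514 value escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")

def strip_extended(dn: str) -> str:
    """Drop extended-DN prefixes such as '<GUID=...>;' that ldb prints on link attributes."""
    while dn.startswith("<") and ">;" in dn:
        dn = dn[dn.index(">;") + 2:]
    return dn

def canonicalize_dn(dn: str) -> str:
    """Uppercase each RDN attribute type (CN, OU, DC, ...), leaving values untouched.
    Assumption: the all-uppercase form ldbsearch prints is the stored form."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.strip().split("=", 1)
        parts.append(f"{attr.strip().upper()}={value}")
    return ",".join(parts)

def dn_key(dn: str) -> str:
    """Comparison key: AD DN matching is case-insensitive for types and values alike."""
    return canonicalize_dn(strip_extended(dn)).lower()

def normalize_ldif(text: str) -> str:
    """Rewrite the 'dn:' lines of an LDIF document to canonical type case; base64
    'dn::' lines and every other line pass through unchanged."""
    out = []
    for line in text.splitlines():
        if line.lower().startswith("dn:") and not line.startswith("dn::"):
            line = "dn: " + canonicalize_dn(line[3:].strip())
        out.append(line)
    return "\n".join(out) + "\n"

def find_case_duplicates(values):
    """Group link values naming the same object but differing only in case,
    which is the condition dbcheck reported for 'member' above."""
    groups = {}
    for v in values:
        groups.setdefault(dn_key(v), []).append(v)
    return [g for g in groups.values() if len(g) > 1]

# Constructed inputs: the LDIF from the thread and the two member values dbcheck flagged.
CHGGRP_LDIF = ("dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com\nchangetype: modify\n"
               "replace: primarygroupid\nprimarygroupid: 3385\n")
MEMBERS = ["<GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;CN=stduser,CN=Users,DC=my,DC=example,DC=com",
           "<GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com"]
```

Running `normalize_ldif` over generated LDIF before `ldbmodify` avoids the mixed-case member entries, and `find_case_duplicates` over a group's `member` values shows whether an existing database already carries them.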


