[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 11 12:21:11 MDT 2014 

On 11/10/14 17:54, steve wrote:
> On 11/10/14 17:38, Rowland Penny wrote:
>> On 11/10/14 16:25, steve wrote:
>>> On 11/10/14 09:54, Prunk Dump wrote:
>>>> 2014-10-09 10:07 GMT+02:00 Rowland Penny 
>>>> <rowlandpenny at googlemail.com>:
>>>>> On 09/10/14 06:45, Prunk Dump wrote:
>>>>>>
>>>>>> 2014-10-08 19:14 GMT+02:00 Rowland Penny
>>>>>> <rowlandpenny at googlemail.com>:
>>>>>>>
>>>>>>> On 08/10/14 16:45, Prunk Dump wrote:
>>>>>>>>
>>>>>>>> Hi samba team !
>>>>>>>>
>>>>>>>> I have found a very strange bug when changing my user's
>>>>>>>> primaryGroupID
>>>>>>>> with ldif files. The bug is very easy to reproduce :
>>>>>>>>
>>>>>>>> 1) Create a user, create a group, add the user to the group
>>>>>>>> -------------------------------
>>>>>>>> ~# samba-tool user add stduser
>>>>>>>> User 'stduser' created successfully
>>>>>>>>
>>>>>>>> ~# samba-tool group add stdgroup
>>>>>>>> Added group stdgroup
>>>>>>>>
>>>>>>>> ~# samba-tool group addmembers stdgroup stduser
>>>>>>>> Added members to group stdgroup
>>>>>>>> -------------------------------
>>>>>>>>
>>>>>>>> 2) Get the group sid, and change the user's primaryGroupID with
>>>>>>>> the dn
>>>>>>>> prefixes in lower case :
>>>>>>>> -------------------------------
>>>>>>>> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
>>>>>>>> primaryGroupID memberOf
>>>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>>>> cn: stduser
>>>>>>>> primaryGroupID: 513
>>>>>>>> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>>>>>>>>
>>>>>>>> ~# wbinfo --name-to-sid=stdgroup
>>>>>>>> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>>>>>>>>
>>>>>>>> ~# cat /tmp/chggrp.ldif
>>>>>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>>>>> changetype: modify
>>>>>>>> replace: primarygroupid
>>>>>>>> primarygroupid: 3385
>>>>>>>>
>>>>>>>> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb 
>>>>>>>> /tmp/chggrp.ldif
>>>>>>>> Modified 1 records successfully
>>>>>>>> -------------------------------
>>>>>>>>
>>>>>>>> 3) Now it's impossible to remove the user from the "Domain Users"
>>>>>>>> group ! And there are errors in the ldb base !
>>>>>>>> The group membership is one time written with lower case prefixes
>>>>>>>> and
>>>>>>>> one time with upper case prefixes :
>>>>>>>> -------------------------------
>>>>>>>> ~# samba-tool group removemembers "Domain Users" stduser
>>>>>>>> Removed members from group Domain Users
>>>>>>>>
>>>>>>>> ~# samba-tool group listmembers "Domain Users" | grep stduser
>>>>>>>> stduser
>>>>>>>>
>>>>>>>> ~# samba-tool dbcheck | grep stduser
>>>>>>>> ERROR: incorrect DN string component for member in object 
>>>>>>>> CN=Domain
>>>>>>>> Users,CN=Users,DC=my,DC=example,DC=com -
>>>>>>>>
>>>>>>>>
>>>>>>>> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com 
>>>>>>>>
>>>>>>>>
>>>>>>>> ERROR: orphaned backlink attribute 'memberOf' in
>>>>>>>> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
>>>>>>>> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
>>>>>>>> -------------------------------
>>>>>>>>
>>>>>>>> !! If the dn prefixes are written in upper case like below, there
>>>>>>>> are
>>>>>>>> no problems !!
>>>>>>>> -------------------------------
>>>>>>>> ~# cat /tmp/chggrp2.ldif
>>>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>>>> changetype: modify
>>>>>>>> replace: primarygroupid
>>>>>>>> primarygroupid: 3385
>>>>>>>> -------------------------------
>>>>>>>>
>>>>>>>> The problem occur when the primaryGroupID is changed and when the
>>>>>>>> "memberOf" attribute need to be added. The case is not checked.
>>>>>>>>
>>>>>>>> Thanks !
>>>>>>>
>>>>>>> Hi, why are you trying to remove a user from Domain Users ? I 
>>>>>>> take it
>>>>>>> that
>>>>>>> you don't want them to access the network etc. If you examine
>>>>>>> **any** AD
>>>>>>> user, you will not find a 'memberOf' attribute pointing to 'Domain
>>>>>>> Users',
>>>>>>> also you do not add or remove the 'memberOf' attribute, AD does
>>>>>>> this for
>>>>>>> you
>>>>>>> when you add/remove a user to/from a group.
>>>>>>>
>>>>>>> You can change a users primarygroupid, but there is little point
>>>>>>> to this
>>>>>>> and
>>>>>>> it entails a lot of hassle, I would suggest doing what most people
>>>>>>> do,
>>>>>>> create a group, add the user to this group and then use ACL's to
>>>>>>> restrict
>>>>>>> access to members of this group on any shares etc.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> -- 
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>>>> Thank you for the help !
>>>>>>
>>>>>> I come from the Linux world and I'm not very experienced in the AD
>>>>>> practices. I did not know that changing the primary group in Windows
>>>>>> AD was so marginal.
>>>>>
>>>>>
>>>>> It is not recommended to remove a user from the domain Users group,
>>>>> but you
>>>>> can change the primarygroupid but most people don't bother, see here
>>>>> for why
>>>>> (note it talks about removing the Domain Users group, but the
>>>>> reasoning is
>>>>> the same):
>>>>>
>>>>> http://social.technet.microsoft.com/Forums/windowsserver/en-US/69bbe556-b694-44dc-9a5e-2d53171073d0/are-there-any-issues-with-removing-the-domain-users-group-from-the-local-users-group-on-windows?forum=winserversecurity 
>>>>>
>>>>>
>>>>>
>>>>> You also seem to be falling into the trap of thinking that 
>>>>> changing the
>>>>> primarygroupid will affect linux, it won't, your users primary unix
>>>>> group
>>>>> comes from the 'gidNumber' attribute.
>>>>>
>>>>>>
>>>>>> I use Samba4 mainly to manage Linux clients where the primary group
>>>>>> (gid) concept is fundamental. When I set the POSIX gid parameters 
>>>>>> for
>>>>>> my users I thought that I need to change the windows primaryGroupID
>>>>>> for database consistency. But it seems that winbind does not need
>>>>>> this.
>>>>>>
>>>>>> The example above is just for demonstrate the bug. I don't want to
>>>>>> remove my user from the "Domain Users" group. I encounter the 
>>>>>> problem
>>>>>> when I want to change the user's primary group from GroupA to 
>>>>>> GroupB.
>>>>>> After that, as the database is corrupted, I can't remove the user of
>>>>>> GroupA.
>>>>>
>>>>>
>>>>> In my opinion (for what is worth), the bug is that you can actually
>>>>> remove a
>>>>> user from Domain Users with samba-tool.
>>>>>
>>>>>>
>>>>>> I will correct my scripts so that the primaryGroupID is not changed.
>>>>>> But the bug remain in samba4.
>>>>>>
>>>>>> Do you think that I need to do a bug report ? Or this situation 
>>>>>> is too
>>>>>> marginal ?
>>>>>>
>>>>>> Thank again and excuse my English.
>>>>>
>>>>> Your English is pretty good, so don't worry.
>>>>>
>>>>> Rowland
>>>>>>
>>>>>> Baptiste.
>>>>>
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>>>
>>>> Hello,
>>>>
>>>> Sadly, after some experimentations, things are not as simple as they
>>>> seem ...
>>>>
>>>> 2014-10-09 10:07 GMT+02:00 Rowland Penny 
>>>> <rowlandpenny at googlemail.com>:
>>>>> You also seem to be falling into the trap of thinking that 
>>>>> changing the
>>>>> primarygroupid will affect linux, it won't, your users primary unix
>>>>> group
>>>>> comes from the 'gidNumber' attribute.
>>>>
>>>> On my linux clients a use winbind to make the pam ( authentication )
>>>> and nss (name <-> id mapping) job. And winbind always use the
>>>> primaryGroupID to set the unix gid (it take the primaryGroupID -> get
>>>> the corresponding group -> get the group gid). I can't find any option
>>>> to make winbind use the "gidNumber" attribute instead of
>>>> "primaryGroupID". So I have to change the primaryGroupID of my users
>>>> otherwise they have not the correct gid number.
>>>>
>>>> 2014-10-09 10:07 GMT+02:00 Rowland Penny 
>>>> <rowlandpenny at googlemail.com>:
>>>>> In my opinion (for what is worth), the bug is that you can actually
>>>>> remove a
>>>>> user from Domain Users with samba-tool.
>>>>
>>>> I can now confirm that the bug come trom a bad case checking when
>>>> changing the primary group ID. ldbmodify accept dn with lower case
>>>> prefixes :
>>>>
>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>
>>>> or upper case prefixes :
>>>>
>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>
>>>> Bug if I change the primary group ID of a user using lower case
>>>> prefixes, it corrupt the ldb database. I have made a bug report :
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=10863
>>>>
>>>> Thank you very much for your help. Finally I will check the case of
>>>> all the ldif files generated by my scripts.
>>>>
>>>> Baptiste.
>>>>
>>>
>>> Hi
>>> Sorry to come in late. The sequence of events is important so that the
>>> schema doesn't get confused:
>>> create new group
>>> assign gidNumber to new group
>>> create new user
>>> add new user to new group
>>> remove user from Domain\ Users
>>> change the new user's primaryGroupID to the RID of the new group
>>> add the user back to Domain\ Users
>>> HTH,
>>> Steve
>>>
>>>   * ShareThis <javascript:void(0)>
>>>
>>> b
>> Hi Steve, apart from not having to remove/add the user to/from Domain
>> Users, that is the order to do it.
>>
>> Rowland
>>
> Hi Rowland
> If we don't, we get 'Unwilling to perform', but we're using ldifs. And 
> it's 4.1.7. I wonder if this is a timing issue? I mean, if we put some 
> sleep() to the script before we do the ldbmodify(ies). Can't test ATM:)
> Cheers,
> Steve
>
Hi Steve, If I have a user that has the primarygroupid of '513' and use 
my script, it gets changed to the RID of whatever group I choose. This 
is provided that the group already has a gidNumber.

This is how my script works:

ldbchangePrimaryGroupID <username> <groupname>

Checks if user exists in AD
Check if group exists in AD and also has a gidNumber
Get the groups RID
Checks the users primaryGroupID isn't already set to the groups RID
If user isn't already a member of group then add user to group via an 
ldif and ldbmodify
Now change the users primarygroupid via an ldif and ldbmodify

Have you noticed what else happens when you do this ?

Rowland

More information about the samba mailing list