[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)

steve steve at steve-ss.com
Sun Oct 12 05:18:49 MDT 2014 

On 12/10/14 12:50, Prunk Dump wrote:
> 2014-10-12 9:45 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 12/10/14 05:35, steve wrote:
>>>
>>> On 11/10/14 20:21, Rowland Penny wrote:
>>>>
>>>> On 11/10/14 17:54, steve wrote:
>>>>>
>>>>> On 11/10/14 17:38, Rowland Penny wrote:
>>>>>>
>>>>>> On 11/10/14 16:25, steve wrote:
>>>>>>>
>>>>>>> On 11/10/14 09:54, Prunk Dump wrote:
>>>>>>>>
>>>>>>>> 2014-10-09 10:07 GMT+02:00 Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com>:
>>>>>>>>>
>>>>>>>>> On 09/10/14 06:45, Prunk Dump wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2014-10-08 19:14 GMT+02:00 Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com>:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 08/10/14 16:45, Prunk Dump wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Hi samba team !
>>>>>>>>>>>>
>>>>>>>>>>>> I have found a very strange bug when changing my user's
>>>>>>>>>>>> primaryGroupID
>>>>>>>>>>>> with ldif files. The bug is very easy to reproduce :
>>>>>>>>>>>>
>>>>>>>>>>>> 1) Create a user, create a group, add the user to the group
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>> ~# samba-tool user add stduser
>>>>>>>>>>>> User 'stduser' created successfully
>>>>>>>>>>>>
>>>>>>>>>>>> ~# samba-tool group add stdgroup
>>>>>>>>>>>> Added group stdgroup
>>>>>>>>>>>>
>>>>>>>>>>>> ~# samba-tool group addmembers stdgroup stduser
>>>>>>>>>>>> Added members to group stdgroup
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> 2) Get the group sid, and change the user's primaryGroupID with
>>>>>>>>>>>> the dn
>>>>>>>>>>>> prefixes in lower case :
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)'
>>>>>>>>>>>> cn
>>>>>>>>>>>> primaryGroupID memberOf
>>>>>>>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>>>>>>>> cn: stduser
>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>>>>>>>>>>>>
>>>>>>>>>>>> ~# wbinfo --name-to-sid=stdgroup
>>>>>>>>>>>> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>>>>>>>>>>>>
>>>>>>>>>>>> ~# cat /tmp/chggrp.ldif
>>>>>>>>>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> replace: primarygroupid
>>>>>>>>>>>> primarygroupid: 3385
>>>>>>>>>>>>
>>>>>>>>>>>> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb
>>>>>>>>>>>> /tmp/chggrp.ldif
>>>>>>>>>>>> Modified 1 records successfully
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> 3) Now it's impossible to remove the user from the "Domain Users"
>>>>>>>>>>>> group ! And there are errors in the ldb base !
>>>>>>>>>>>> The group membership is one time written with lower case prefixes
>>>>>>>>>>>> and
>>>>>>>>>>>> one time with upper case prefixes :
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>> ~# samba-tool group removemembers "Domain Users" stduser
>>>>>>>>>>>> Removed members from group Domain Users
>>>>>>>>>>>>
>>>>>>>>>>>> ~# samba-tool group listmembers "Domain Users" | grep stduser
>>>>>>>>>>>> stduser
>>>>>>>>>>>>
>>>>>>>>>>>> ~# samba-tool dbcheck | grep stduser
>>>>>>>>>>>> ERROR: incorrect DN string component for member in object
>>>>>>>>>>>> CN=Domain
>>>>>>>>>>>> Users,CN=Users,DC=my,DC=example,DC=com -
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ERROR: orphaned backlink attribute 'memberOf' in
>>>>>>>>>>>> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
>>>>>>>>>>>> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> !! If the dn prefixes are written in upper case like below, there
>>>>>>>>>>>> are
>>>>>>>>>>>> no problems !!
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>> ~# cat /tmp/chggrp2.ldif
>>>>>>>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>>>>>>>> changetype: modify
>>>>>>>>>>>> replace: primarygroupid
>>>>>>>>>>>> primarygroupid: 3385
>>>>>>>>>>>> -------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> The problem occur when the primaryGroupID is changed and when the
>>>>>>>>>>>> "memberOf" attribute need to be added. The case is not checked.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks !
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hi, why are you trying to remove a user from Domain Users ? I
>>>>>>>>>>> take it
>>>>>>>>>>> that
>>>>>>>>>>> you don't want them to access the network etc. If you examine
>>>>>>>>>>> **any** AD
>>>>>>>>>>> user, you will not find a 'memberOf' attribute pointing to 'Domain
>>>>>>>>>>> Users',
>>>>>>>>>>> also you do not add or remove the 'memberOf' attribute, AD does
>>>>>>>>>>> this for
>>>>>>>>>>> you
>>>>>>>>>>> when you add/remove a user to/from a group.
>>>>>>>>>>>
>>>>>>>>>>> You can change a users primarygroupid, but there is little point
>>>>>>>>>>> to this
>>>>>>>>>>> and
>>>>>>>>>>> it entails a lot of hassle, I would suggest doing what most people
>>>>>>>>>>> do,
>>>>>>>>>>> create a group, add the user to this group and then use ACL's to
>>>>>>>>>>> restrict
>>>>>>>>>>> access to members of this group on any shares etc.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thank you for the help !
>>>>>>>>>>
>>>>>>>>>> I come from the Linux world and I'm not very experienced in the AD
>>>>>>>>>> practices. I did not know that changing the primary group in
>>>>>>>>>> Windows
>>>>>>>>>> AD was so marginal.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It is not recommended to remove a user from the domain Users group,
>>>>>>>>> but you
>>>>>>>>> can change the primarygroupid but most people don't bother, see here
>>>>>>>>> for why
>>>>>>>>> (note it talks about removing the Domain Users group, but the
>>>>>>>>> reasoning is
>>>>>>>>> the same):
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> http://social.technet.microsoft.com/Forums/windowsserver/en-US/69bbe556-b694-44dc-9a5e-2d53171073d0/are-there-any-issues-with-removing-the-domain-users-group-from-the-local-users-group-on-windows?forum=winserversecurity
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> You also seem to be falling into the trap of thinking that
>>>>>>>>> changing the
>>>>>>>>> primarygroupid will affect linux, it won't, your users primary unix
>>>>>>>>> group
>>>>>>>>> comes from the 'gidNumber' attribute.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I use Samba4 mainly to manage Linux clients where the primary group
>>>>>>>>>> (gid) concept is fundamental. When I set the POSIX gid parameters
>>>>>>>>>> for
>>>>>>>>>> my users I thought that I need to change the windows primaryGroupID
>>>>>>>>>> for database consistency. But it seems that winbind does not need
>>>>>>>>>> this.
>>>>>>>>>>
>>>>>>>>>> The example above is just for demonstrate the bug. I don't want to
>>>>>>>>>> remove my user from the "Domain Users" group. I encounter the
>>>>>>>>>> problem
>>>>>>>>>> when I want to change the user's primary group from GroupA to
>>>>>>>>>> GroupB.
>>>>>>>>>> After that, as the database is corrupted, I can't remove the user
>>>>>>>>>> of
>>>>>>>>>> GroupA.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> In my opinion (for what is worth), the bug is that you can actually
>>>>>>>>> remove a
>>>>>>>>> user from Domain Users with samba-tool.
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I will correct my scripts so that the primaryGroupID is not
>>>>>>>>>> changed.
>>>>>>>>>> But the bug remain in samba4.
>>>>>>>>>>
>>>>>>>>>> Do you think that I need to do a bug report ? Or this situation
>>>>>>>>>> is too
>>>>>>>>>> marginal ?
>>>>>>>>>>
>>>>>>>>>> Thank again and excuse my English.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Your English is pretty good, so don't worry.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Baptiste.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Sadly, after some experimentations, things are not as simple as they
>>>>>>>> seem ...
>>>>>>>>
>>>>>>>> 2014-10-09 10:07 GMT+02:00 Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com>:
>>>>>>>>>
>>>>>>>>> You also seem to be falling into the trap of thinking that
>>>>>>>>> changing the
>>>>>>>>> primarygroupid will affect linux, it won't, your users primary unix
>>>>>>>>> group
>>>>>>>>> comes from the 'gidNumber' attribute.
>>>>>>>>
>>>>>>>>
>>>>>>>> On my linux clients a use winbind to make the pam ( authentication )
>>>>>>>> and nss (name <-> id mapping) job. And winbind always use the
>>>>>>>> primaryGroupID to set the unix gid (it take the primaryGroupID -> get
>>>>>>>> the corresponding group -> get the group gid). I can't find any
>>>>>>>> option
>>>>>>>> to make winbind use the "gidNumber" attribute instead of
>>>>>>>> "primaryGroupID". So I have to change the primaryGroupID of my users
>>>>>>>> otherwise they have not the correct gid number.
>>>>>>>>
>>>>>>>> 2014-10-09 10:07 GMT+02:00 Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com>:
>>>>>>>>>
>>>>>>>>> In my opinion (for what is worth), the bug is that you can actually
>>>>>>>>> remove a
>>>>>>>>> user from Domain Users with samba-tool.
>>>>>>>>
>>>>>>>>
>>>>>>>> I can now confirm that the bug come trom a bad case checking when
>>>>>>>> changing the primary group ID. ldbmodify accept dn with lower case
>>>>>>>> prefixes :
>>>>>>>>
>>>>>>>> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
>>>>>>>>
>>>>>>>> or upper case prefixes :
>>>>>>>>
>>>>>>>> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
>>>>>>>>
>>>>>>>> Bug if I change the primary group ID of a user using lower case
>>>>>>>> prefixes, it corrupt the ldb database. I have made a bug report :
>>>>>>>>
>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10863
>>>>>>>>
>>>>>>>> Thank you very much for your help. Finally I will check the case of
>>>>>>>> all the ldif files generated by my scripts.
>>>>>>>>
>>>>>>>> Baptiste.
>>>>>>>>
>>>>>>>
>>>>>>> Hi
>>>>>>> Sorry to come in late. The sequence of events is important so that the
>>>>>>> schema doesn't get confused:
>>>>>>> create new group
>>>>>>> assign gidNumber to new group
>>>>>>> create new user
>>>>>>> add new user to new group
>>>>>>> remove user from Domain\ Users
>>>>>>> change the new user's primaryGroupID to the RID of the new group
>>>>>>> add the user back to Domain\ Users
>>>>>>> HTH,
>>>>>>> Steve
>>>>>>>
>>>>>>>    * ShareThis <javascript:void(0)>
>>>>>>>
>>>>>>> b
>>>>>>
>>>>>> Hi Steve, apart from not having to remove/add the user to/from Domain
>>>>>> Users, that is the order to do it.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi Rowland
>>>>> If we don't, we get 'Unwilling to perform', but we're using ldifs. And
>>>>> it's 4.1.7. I wonder if this is a timing issue? I mean, if we put some
>>>>> sleep() to the script before we do the ldbmodify(ies). Can't test ATM:)
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>> Hi Steve, If I have a user that has the primarygroupid of '513' and use
>>>> my script, it gets changed to the RID of whatever group I choose. This
>>>> is provided that the group already has a gidNumber.
>>>>
>>>> This is how my script works:
>>>>
>>>> ldbchangePrimaryGroupID <username> <groupname>
>>>>
>>>> Checks if user exists in AD
>>>> Check if group exists in AD and also has a gidNumber
>>>> Get the groups RID
>>>> Checks the users primaryGroupID isn't already set to the groups RID
>>>> If user isn't already a member of group then add user to group via an
>>>> ldif and ldbmodify
>>>> Now change the users primarygroupid via an ldif and ldbmodify
>>>>
>>>> Have you noticed what else happens when you do this ?
>>>>
>>>> Rowland
>>>>
>>>
>>> No, not noticed. Do tell us:) But still no. Maybe it's a 4.1.7 quirk but
>>> we have to remove the user from Domain\ Users first. Or, it's a timing and
>>> recovery issue. I know when we were testing the betas and rcs we had to
>>> sleep a lot before doing the next change on the dbs nd even longer before it
>>> percolated through to nss.
>>
>>
>> Ah, but that is what changes ;-)
>>
>> If you examine CN=Domain\ Users after you add a new user, the new user
>> doesn't show as being a member, but when you change the primarygroupid it
>> does, also the users membership of the new primarygroupid group is removed,
>> all of this is done automatically.
>>
>>>
>>> There's also a nasty spin-off for this in that the user's files have to
>>> have their ownership, and so acls changed. I'm wondering what use cases
>>> really make this worthwhile. We've implemented it because we've been told we
>>> have to have it. I'm glad we've never had to go live with it.
>>>
>>> Could the OP share his use case?
>>
>>
>> I personally cannot see what he is trying to achieve, I thought that the
>> easiest way to allow/deny access was via ACLs.
>>
>> Rowland
>>
>>> Cheers,
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>
> Hello,
>
> I use samba within a school. So the teachers are members of a
> "Teachers" group that is their primary group. Students are members of
> a "Students" group. And they are also members of a group that
> determine their class ("class_a", "class_b"...) which is their primary
> group. All the users are not removed from the "Domain Users" group !
>
> All the ACL's are set accordingly to there groups. Network shares are
> acceded through Kerberized NFS4. On file creation, the owner:group
> parameters are correctly set. Thus, it's easy for me to know if a file
> or a user belong from a teacher or a student by just checking the gid.
> And I can check from witch class the student come from.
>
> Everything works fine ! There is just a bug that can appear when I
> change the class of a student, for example from "class_a" to
> "class_b". I use the following procedure :
> - I add the student to "class_b" (the POSIX gidNumber entry is already
> set in "class_b" )
> - I change the student's primaryGroupID to the new group using LDIF
> - I remove the student from "class_a"
>
> During the primaryGroupID change, it's happen axactly what Rowland say :
> - Initially, the student have not the "MemberOf" entry for the
> "class_a". Because it is his primaryGroupID.
> - When changing the primaryGroupID, the "MemberOf" Attribute is added
> for "class_a", and removed for "class_b" has it become his
> primaryGroupID.
>
> The problem is that when samba add automatically the "member" and
> "MemberOf" entry of "class_a", it does not check the case in the LDIF.
> So if I write the ldif like this (3385 is the SID of class_b) :
>
> dn: cn=stdstudent,cn=Users,dc=my,dc=example,dc=com
> changetype: modify
> replace: primarygroupid
> primarygroupid: 3385
>
> I have this error in dbcheck :
>
> ERROR: incorrect DN string component for member in object
> CN=class_a,CN=Users,DC=my,DC=example,DC=com -
> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stdstudent,cn=Users,dc=my,dc=example,dc=com
> ERROR: orphaned backlink attribute 'memberOf' in
> CN=stdstudent,CN=Users,DC=my,DC=example,DC=com for link member in
> CN=class_a,CN=Users,DC=my,DC=example,DC=com
>
> You can see that the "member" attribute of the "class_a" group is in
> lower case instead of upper case in the "MemberOf" attribute of the
> user. And samba does not like it.
>
> If a write the ldif like this :
>
> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
> changetype: modify
> replace: primarygroupid
> primarygroupid: 3385
>
> It's works.
>
> I hope I'am clear. I reported a bug here :
> https://bugzilla.samba.org/show_bug.cgi?id=10863
>
> Thank you very much !
>
> Baptiste.
>
Hi
Yes, that maybe a bug, but we are at a loss as to why you are changing 
the primaryGroupID. Maybe you have Linux or Mac software in the domain 
which need this? Otherwise, I don't think it has relevance. Anyway, you 
have worked out a workaround:)
José

More information about the samba mailing list