Bug 53882 - memberOf in Samba 4 stops working
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba maintainers
Depends on:
Blocks:
Reported: 2021-10-07 15:59 CEST by Dirk Schnick
Modified: 2023-09-15 13:52 CEST
CC: 3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021091021000289, 2023091121000354
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Dirk Schnick univentionstaff 2021-10-07 15:59:00 CEST
A customer "lost" the memberOf attributes in Samba after the update to UCS 5.

A closer investigation showed that the attributes are still there, but the group "Pre-Windows 2000 Compatible Access", which has access rights to the attribute, was empty.
In most test environments the foreign security principal S-1-5-11 (Authenticated Users) is attached there, but I also found a test environment that looked like the customer's.
It does not matter why that happens; the pain is very high, and as we change the default acl:search=no to yes (UCR variable samba/acl_search) with the update to UCS 5, this takes effect with the update.

I think it would be a good idea to extend the pre-checks to verify that the group "Pre-Windows 2000 Compatible Access" is not empty and, if it is, throw a message that must be confirmed.

Alternatively or additionally, a test in the diagnostic module (with a fix-me) would be nice.

The Windows standard is/was the foreign security principal "Authenticated Users" in the group "Pre-Windows 2000 Compatible Access", BUT the workaround against the printing nightmare was removing this!

As an alternative to "Authenticated Users", the foreign security principal "ENTERPRISE_DOMAIN_CONTROLLERS" (S-1-5-9) should fix the visibility of memberOf for at least univention-s4search and for most of the impacts.
Comment 1 Stefan Gohmann univentionstaff 2023-09-15 13:52:14 CEST
We had the same issue in a customer environment after running:
/usr/share/univention-ldap-overlay-memberof/univention-update-memberof

The problem is that the S4 Connector overwrites the group membership and removes the SID S-1-5-11, and the result is that memberOf doesn't work in Samba 4. The result was a failure to log in to the applications.

Workaround:
ucr set connector/s4/mapping/group/ignorelist="$(ucr get connector/s4/mapping/group/ignorelist),Pre-Windows 2000 Compatible Access"
service univention-s4-connector restart


Steps to reproduce:

root@primary10:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
S-1-5-11
root@primary10:~# univention-ldapsearch cn="Pre-Windows 2000 Compatible Access" -LLL uniqueMember
dn: cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet

root@primary10:~# univention-s4search cn=stefan memberOf 
# record 1
dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet
memberOf: CN=gp1,CN=Groups,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/DC=DomainDnsZones,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/DC=ForestDnsZones,DC=deadlock10,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
root@primary10:~# udm groups/group modify --dn "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet" --append users="uid=Administrator,cn=users,dc=deadlock10,dc=intranet"
Object modified: cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet
root@primary10:~# univention-ldapsearch cn="Pre-Windows 2000 Compatible Access" -LLL uniqueMember
dn: cn=Pre-Windows 2000 Compatible Access,cn=Builtin,dc=deadlock10,dc=intranet
uniqueMember: uid=Administrator,cn=users,dc=deadlock10,dc=intranet

root@primary10:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
Administrator
root@primary10:~# univention-s4search cn=stefan memberOf 
# record 1
dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/DC=DomainDnsZones,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/DC=ForestDnsZones,DC=deadlock10,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
root@primary10:~# samba-tool group addmembers "Pre-Windows 2000 Compatible Access" --member-dn="CN=S-1-5-11,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
Added members to group Pre-Windows 2000 Compatible Access
root@primary10:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access"
Administrator
S-1-5-11
root@primary10:~# univention-s4search cn=stefan memberOf 
# record 1
dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet
memberOf: CN=gp1,CN=Groups,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/DC=DomainDnsZones,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/DC=ForestDnsZones,DC=deadlock10,DC=intranet

# returned 4 records
# 1 entries
# 3 referrals
root@primary10:~# 


https://help.univention.com/t/problem-no-memberof-attributes-in-samba-after-update-to-ucs-5/18673
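The pre-check / diagnostic-module test proposed in the description, and the before/after comparison carried out in the reproduction in Comment 1, as an added example that is not UCS, Samba, or either commenter's code. It works offline on captured output of `samba-tool group listmembers` and `univention-s4search ... memberOf`; the sample strings are constructed from the transcript above, the function names are hypothetical, and it does not use the real UMC diagnostic API. It also builds the ignorelist value for the workaround in a way that does not duplicate the entry or leave a leading comma when the list was empty, which the plain `$(ucr get ...),...` form would.

```python
"""Offline diagnosis of the memberOf symptom from this bug (added example)."""

PRE_WIN2000_GROUP = "Pre-Windows 2000 Compatible Access"

# Well-known SIDs named in the description as restoring memberOf visibility.
VISIBILITY_SIDS = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-9": "Enterprise Domain Controllers",
}

# Constructed samples, taken from the reproduction in Comment 1.
MEMBERS_BROKEN = "Administrator\n"        # after the S4 Connector overwrote the group
MEMBERS_OK = "Administrator\nS-1-5-11\n"  # after `samba-tool group addmembers`
USER_DN = "CN=stefan,CN=Users,DC=deadlock10,DC=intranet"
S4SEARCH_BROKEN = """# record 1
dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

# returned 2 records
# 1 entries
# 1 referrals
"""
S4SEARCH_OK = """# record 1
dn: CN=stefan,CN=Users,DC=deadlock10,DC=intranet
memberOf: CN=gp1,CN=Groups,DC=deadlock10,DC=intranet

# Referral
ref: ldaps://deadlock10.intranet/CN=Configuration,DC=deadlock10,DC=intranet

# returned 2 records
# 1 entries
# 1 referrals
"""


def parse_listmembers(output):
    """One member name or SID per non-empty line of `samba-tool group listmembers`."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def check_pre_win2000_group(members):
    """The proposed pre-check: report which visibility SIDs are present, if any."""
    present = [sid for sid in VISIBILITY_SIDS if sid in members]
    if present:
        names = ", ".join(f"{sid} ({VISIBILITY_SIDS[sid]})" for sid in present)
        return {"ok": True, "present": present,
                "message": f'"{PRE_WIN2000_GROUP}" contains {names}.'}
    return {"ok": False, "present": [],
            "message": (f'"{PRE_WIN2000_GROUP}" contains neither S-1-5-11 nor S-1-5-9; '
                        "memberOf will not be readable in Samba 4 with samba/acl_search=yes.")}


def parse_s4search_memberof(output):
    """Map each entry DN in univention-s4search output to its memberOf values.

    Comment lines ("# ...") and referral records ("ref:" without a "dn:") are
    skipped; a blank line ends the current record.
    """
    entries = {}
    dn = None
    for line in output.splitlines():
        if not line.strip():
            dn = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = []
        elif attr == "memberOf" and dn is not None:
            entries[dn].append(value)
    return entries


def add_to_ignorelist(current, group=PRE_WIN2000_GROUP):
    """Build the connector/s4/mapping/group/ignorelist value for the workaround.

    Adds the group only once and leaves no leading comma when the list was empty.
    """
    items = [item.strip() for item in current.split(",") if item.strip()]
    if group not in items:
        items.append(group)
    return ",".join(items)


def diagnose(listmembers_output, s4search_output, user_dn):
    """Combine both checks into the kind of message a diagnostic module would show."""
    group_check = check_pre_win2000_group(parse_listmembers(listmembers_output))
    member_of = parse_s4search_memberof(s4search_output).get(user_dn, [])
    lines = [group_check["message"],
             f"{user_dn}: {len(member_of)} memberOf value(s) visible."]
    if not group_check["ok"]:
        lines.append("Fix: re-add S-1-5-11 with samba-tool group addmembers and "
                     "add the group to the S4 Connector ignorelist.")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- broken state ---")
    print(diagnose(MEMBERS_BROKEN, S4SEARCH_BROKEN, USER_DN))
    print("--- after the workaround ---")
    print(diagnose(MEMBERS_OK, S4SEARCH_OK, USER_DN))
```

On a real system the two inputs would come from running the commands shown in Comment 1; the parser deliberately ignores the referral records so that the DN of the user under test is the only key it returns.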