Univention Bugzilla – Bug 47842
ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=domain,DC=tld
Last modified: 2023-04-24 15:29:17 CEST
After changing the primary group OLDGROUP of user USER to NEWGROUP the system diagnostic module on a UCS 4.3 Backup DC (acting also as a Samba4 AD DC) finds the following error via `samba-tool dbcheck` in the local AD database:

ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Not fixing string component mismatch
Please use --fix to fix these errors

Running `samba-tool dbcheck --fix --cross-ncs --yes` in UMC system diagnostic throws the error:

STDOUT:
ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655')
Checking 3551 objects
ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to ;;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]

Running `samba-tool dbcheck --fix --cross-ncs --yes` in bash gives:

ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;<RMD_FLAGS=1>;<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<SID=S-1-5-21-145732749-1759460072-1850305963-1151>;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]
ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655')

I think this is the same bug as https://bugzilla.samba.org/show_bug.cgi?id=13418
Ok, the upstream Bug now has an explanation for this, but no solution yet: "So this is a module ordering issue, as the request goes down the stack it never gains the extra SID etc because extended_dn_store is above samldb."
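
As an added example (not part of this bug report and not Samba's code): a small parser for the extended DN strings that `samba-tool dbcheck` prints above, flagging link values that lack the `<SID=...>` component or are marked deleted. The function names are hypothetical; the flag value 1 is assumed to be Samba's DSDB_RMD_FLAG_DELETED, and a missing SID is only a finding when the link target is a security principal such as a user.

```python
import re

# Both sample values are copied from the dbcheck output quoted in this report.
STORED = ("<GUID=0119b12b-88dc-4629-8a50-348489c6a655>;"
          "<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;"
          "<RMD_FLAGS=1>;<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;"
          "<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;"
          "cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld")
PROPOSED = ("<GUID=0119b12b-88dc-4629-8a50-348489c6a655>;"
            "<SID=S-1-5-21-145732749-1759460072-1850305963-1151>;"
            "CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld")

RMD_FLAG_DELETED = 0x1  # assumption: matches Samba's DSDB_RMD_FLAG_DELETED

_COMPONENT = re.compile(r"<([A-Za-z_]+)=([^>]*)>;")


def parse_extended_dn(value):
    """Split '<KEY=VAL>;...;plain DN' into (components dict, plain DN)."""
    components, pos = {}, 0
    while True:
        match = _COMPONENT.match(value, pos)
        if not match:
            break
        components[match.group(1).upper()] = match.group(2)
        pos = match.end()
    return components, value[pos:]


def classify_member(value):
    """Return findings for one member link value of a group object."""
    components, _dn = parse_extended_dn(value)
    findings = []
    if "GUID" not in components:
        findings.append("missing-guid")
    if "SID" not in components:
        findings.append("missing-sid")  # the component dbcheck wants to add
    if int(components.get("RMD_FLAGS", "0")) & RMD_FLAG_DELETED:
        findings.append("deleted-link")  # link is a deleted (tombstoned) value
    return findings


if __name__ == "__main__":
    for label, value in (("stored", STORED), ("proposed", PROPOSED)):
        print(label, classify_member(value))
```

The stored value from this report carries both findings at once, which is the combination on which `--fix` reports error 53.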
Created attachment 9703
fix-DomainUsers-group-members-affected-by-Bug47842.sh

The attached script may be useful as a workaround to fix affected group members. This current version of the script only operates on member attributes of the group "Domain Users". The shell variable target_primary_group_rid can be adjusted manually in the script to handle other cases.

Please be aware that the script stops the S4-Connector temporarily and creates a dummy group, which it finally tries to remove again before starting the S4-Connector again. This will probably not work on UCS@school DC Slaves (when Bug #47942 is fixed it will also not work on any UCS@school Samba/AD DC).

Please also note that during tests I once ran into https://bugzilla.samba.org/show_bug.cgi?id=11064 and could not delete the dummy group again.
Upstream Patch applied:
* 4.3-0-0-ucs/2:4.9.1-1-samba-4.9/90_bug48054-fix-incorrect-DN-SID-component.quilt

OK - fixed upstream
OK - patch removed
There is no changelog entry in changelog-4.4-0.xml.
UCS 4.4 has been released:
https://docs.software-univention.de/release-notes-4.4-0-en.html
https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".