Bug 47842 - ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=domain,DC=tld
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.3
Hardware: amd64 Linux
Importance: P5 normal
Target Milestone: UCS 4.4
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://bugzilla.samba.org/show_bug.c...
Depends on:
Blocks: 48084
Reported: 2018-09-20 13:40 CEST by DADE
Modified: 2019-03-12 13:41 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.154
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2018101221000314
Bug group (optional):
Max CVSS v3 score:


Attachments
fix-DomainUsers-group-members-affected-by-Bug47842.sh (3.29 KB, application/x-shellscript)
2018-10-16 20:39 CEST, Arvid Requate
Description DADE 2018-09-20 13:40:08 CEST
After changing the primary group OLDGROUP of user USER to NEWGROUP the system diagnostic module on a UCS 4.3 Backup DC (acting also as a Samba4 AD DC) finds the following error via `samba-tool dbcheck` in the local AD database:

ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Not fixing string component mismatch
Please use --fix to fix these errors

Running `samba-tool dbcheck --fix --cross-ncs --yes` in UMC system diagnostic throws the error:

STDOUT: ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655') 
Checking 3551 objects 
ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to ;;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]

Running `samba-tool dbcheck --fix --cross-ncs --yes` in bash gives:

ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;<RMD_FLAGS=1>;<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<SID=S-1-5-21-145732749-1759460072-1850305963-1151>;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]
ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655')


I think this is the same bug as https://bugzilla.samba.org/show_bug.cgi?id=13418
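
The bash output above carries each affected link as an extended DN. As an added example (not part of the original report, the attached script or Samba itself), this Python parser reads such dbcheck lines and lists the group, the member, the link GUID and whether the link value is flagged deleted. The sample input is constructed, and treating bit 0 of RMD_FLAGS as the deleted marker is an assumption.

```python
import re

# Constructed sample in the shape of the dbcheck output above; GUIDs and DNs are made up.
SAMPLE = """\
Checking 3551 objects
ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=example,DC=test - <GUID=11111111-2222-3333-4444-555555555555>;<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;<RMD_FLAGS=1>;<RMD_INVOCID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee>;<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;cn=USER,cn=users,DC=example,DC=test
ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=example,DC=test - <GUID=66666666-7777-8888-9999-000000000000>;<RMD_FLAGS=0>;<RMD_VERSION=0>;cn=OTHER,cn=users,DC=example,DC=test
ERROR: incorrect DN string component for member in object CN=SECOND,CN=Groups,DC=example,DC=test - ;;;;;;;;cn=THIRD,cn=users,DC=example,DC=test
"""

ERROR_RE = re.compile(
    r"^ERROR: incorrect DN (?:SID|string) component for (?P<attr>\S+) "
    r"in object (?P<group>.+?) - (?P<ext_dn>.+)$")
COMPONENT_RE = re.compile(r"<([A-Za-z_]+)=([^>]*)>;")

def parse_extended_dn(ext_dn):
    """Split '<KEY=value>;...;dn' into (components dict, plain DN)."""
    components, pos = {}, 0
    while (m := COMPONENT_RE.match(ext_dn, pos)):
        components[m.group(1).upper()] = m.group(2)
        pos = m.end()
    # Some renderings on this page show the components as bare ';' separators.
    return components, ext_dn[pos:].lstrip(";")

def find_broken_links(dbcheck_output):
    """Return one record per link value that dbcheck reported."""
    findings = []
    for line in dbcheck_output.splitlines():
        m = ERROR_RE.match(line.strip())
        if not m:
            continue
        comps, dn = parse_extended_dn(m.group("ext_dn"))
        flags = comps.get("RMD_FLAGS")
        findings.append({
            "group": m.group("group"),
            "attribute": m.group("attr"),
            "member_dn": dn,
            "guid": comps.get("GUID"),
            "has_sid": "SID" in comps,
            # Assumption: bit 0 of RMD_FLAGS marks a deleted link value;
            # None means the flags were not present in the line.
            "deleted_link": None if flags is None else bool(int(flags) & 1),
        })
    return findings

if __name__ == "__main__":
    for f in find_broken_links(SAMPLE):
        print(f["group"], f["member_dn"], f["guid"], "deleted:", f["deleted_link"])
```

Records with `deleted_link` set to `True` correspond to the case where `--fix` fails with "Attribute member already deleted".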
Comment 1 Arvid Requate univentionstaff 2018-10-15 12:21:08 CEST
Ok, the upstream Bug now has an explanation for this, but no solution yet: "So this is a module ordering issue, as the request goes down the stack it never gains the extra SID etc because extended_dn_store is above samldb."
Comment 2 Arvid Requate univentionstaff 2018-10-16 20:39:35 CEST
Created attachment 9703
fix-DomainUsers-group-members-affected-by-Bug47842.sh

The attached script may be useful as a workaround to fix affected group members.
This current version of the script only operates on member attributes of the group "Domain Users". The shell variable target_primary_group_rid can be adjusted manually in the script to handle other cases. Please be aware that the script stops the S4-Connector temporarily and creates a dummy group, which it finally tries to remove again before starting the S4-Connector again. This will probably not work on UCS@school DC Slaves (when Bug #47942 is fixed it will also not work on any UCS@school Samba/AD DC). Please also note that during tests I once ran into https://bugzilla.samba.org/show_bug.cgi?id=11064 and could not delete the dummy group again.
Comment 3 Arvid Requate univentionstaff 2018-11-13 18:18:47 CET
Upstream Patch applied:

* 4.3-0-0-ucs/2:4.9.1-1-samba-4.9/90_bug48054-fix-incorrect-DN-SID-component.quilt
Comment 4 Felix Botner univentionstaff 2018-12-20 13:42:23 CET
OK - fixed upstream
OK - patch removed
Comment 5 Florian Best univentionstaff 2019-03-11 14:33:20 CET
There is no changelog entry in changelog-4.4-0.xml.
Comment 6 Florian Best univentionstaff 2019-03-12 13:41:01 CET
UCS 4.4 has been released:
 https://docs.software-univention.de/release-notes-4.4-0-en.html
 https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".