Bug 57219 - ERROR: incorrect DN string component for member in object CN=Print Operators,CN=Builtin,DC=domain,DC=tld
Status: NEEDMOREINFO
Product: UCS@school
Classification: Unclassified
Component: Samba 4
UCS@school 5.0
amd64 Linux
Importance: P5 normal
Assigned To: Samba maintainers
https://bugzilla.samba.org/show_bug.c...
Reported: 2024-04-09 11:02 CEST by Christina Scheinig
Modified: 2024-04-15 18:32 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.154
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024040521000042
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2024-04-09 11:02:27 CEST
ERROR: incorrect DN SID component for member in object CN=Print Operators,CN=Builtin,DC=domain,DC=tld -
<GUID=f5d34e3a-15a4-455f-8e6b-c0d5b92d9d17>;<RMD_ADDTIME=133558206010000000>;<RMD_CHANGETIME=133558206040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c38b2daf-3080-4e4f-a1fd-4f07625d6914>;<RMD_LOCAL_USN=6555>;<RMD_ORIGINATING_USN=6555>;<RMD_VERSION=2>;<SID=S-1-5-21-261973878-2428626473-3324609689-1000>;CN=SLAVE-EDU,OU=Domain Controllers,DC=domain,DC=tld
Change DN to <GUID=f5d34e3a-15a4-455f-8e6b-c0d5b92d9d17>;<SID=S-1-5-21-261973878-2428626473-3324609689-19204>;CN=SLAVE-EDU,OU=Domain Controllers,DC=domain,DC=tld? [y/N/all/none] y
Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID f5d34e3a-15a4-455f-8e6b-c0d5b92d9d17')
Checked 1501 objects (1 errors)

root@SLAVE-EDU:~#  ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC=DOMAIN,DC=TLD.ldb -b CN='Print Operators,CN=Builtin,DC=domain,DC=tld' | ldapsearch-wrapper
# record 1
dn: CN=Print Operators,CN=Builtin,DC=domain,DC=tld
objectClass: top
objectClass: group
cn: Print Operators
description: Members can administer domain printers
instanceType: 4
whenCreated: 20240325060810.0Z
uSNCreated: 3878
nTSecurityDescriptor: O:S-1-5-21-261973878-2428626473-3324609689-512G:S-1-5-21-261973878-2428626473-3324609689-512D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-261973878-2428626473-3324609689-512)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;AU)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-261973878-2428626473-3324609689-519)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)(OA;CIIOID;RP;4c164200-20c0-11d0-a7
68-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-261973878-2428626473-3324609689-519)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
name: Print Operators
objectGUID: c9043fbd-6f28-4720-a365-887599915361
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: <GUID=bf3a3d96-5e12-4b6d-b2c3-2d1536787318>;CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=tld
isCriticalSystemObject: TRUE
sAMAccountName: Printer-Admins
gidNumber: 5016
member: <GUID=f5d34e3a-15a4-455f-8e6b-c0d5b92d9d17>;<RMD_ADDTIME=133558206010000000>;<RMD_CHANGETIME=133558206040000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c38b2daf-3080-4e4f-a1fd-4f07625d6914>;<RMD_LOCAL_USN=6555>;<RMD_ORIGINATING_USN=6555>;<RMD_VERSION=2>;<SID=S-1-5-21-261973878-2428626473-3324609689-1000>;CN=SLAVE-EDU,OU=Domain Controllers,DC=domain,DC=tld
whenChanged: 20240325061023.0Z
uSNChanged: 8206
distinguishedName: CN=Print Operators,CN=Builtin,DC=domain,DC=tld

----------------
root@SLAVE-EDU:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b CN='Print Operators,CN=Builtin,DC=domain,DC=tld' --extended-dn | ldapsearch-wrapper
# record 1
dn: <GUID=c9043fbd-6f28-4720-a365-887599915361>;<SID=S-1-5-32-550>;CN=Print Operators,CN=Builtin,DC=domain,DC=tld
objectClass: top
objectClass: group
cn: Print Operators
description: Members can administer domain printers
instanceType: 4
whenCreated: 20240325060810.0Z
uSNCreated: 3878
name: Print Operators
objectGUID: c9043fbd-6f28-4720-a365-887599915361
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: <GUID=bf3a3d96-5e12-4b6d-b2c3-2d1536787318>;CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=tld
isCriticalSystemObject: TRUE
sAMAccountName: Printer-Admins
gidNumber: 5016
whenChanged: 20240325061023.0Z
uSNChanged: 8206
distinguishedName: <GUID=c9043fbd-6f28-4720-a365-887599915361>;<SID=S-1-5-32-550>;CN=Print Operators,CN=Builtin,DC=domain,DC=tld


So this is still happening with UCS 5.0-6 in school environments.
My thinking: Why could the member be deleted in the frontend, but not in the backend? To me this seems to be an edge case, that the SID change did not apply to the backend and also the membership deletion is not applied to the backend.
How can we prevent this? And what is the special situation? I saw this with Administrators and Print Operators, but no other groups. What are we doing that could cause this behaviour? This is quite tricky/fuzzy to fix, because the samba backend needs to be modified.




+++ This bug was initially created as a clone of Bug #47842 +++

After changing the primary group OLDGROUP of user USER to NEWGROUP the system diagnostic module on a UCS 4.3 Backup DC (acting also as a Samba4 AD DC) finds the following error via `samba-tool dbcheck` in the local AD database:

ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Not fixing string component mismatch
Please use --fix to fix these errors

Running `samba-tool dbcheck --fix --cross-ncs --yes` in UMC system diagnostic throws the error:

STDOUT: ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655') 
Checking 3551 objects 
ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to ;;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]

Running `samba-tool dbcheck --fix --cross-ncs --yes` in bash gives:

ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;<RMD_FLAGS=1>;<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<SID=S-1-5-21-145732749-1759460072-1850305963-1151>;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]
ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655')


I think this is the same bug as https://bugzilla.samba.org/show_bug.cgi?id=13418
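
As an added illustration (not part of the bug report and not Samba's code), the following sketch parses the extended-DN `member` values quoted in both dbcheck outputs above and shows that in each case the link dbcheck tries to rewrite is already flagged as deleted. The function names are hypothetical, and it is an assumption that bit 0 of `RMD_FLAGS` marks a deleted link and that the string component is compared exactly.

```python
import re

RMD_FLAG_DELETED = 1  # assumption: bit 0 of RMD_FLAGS marks a deleted link
_COMPONENT = re.compile(r"<([A-Z_]+)=([^>]*)>;")

# Values copied from the two dbcheck outputs quoted in this report.
GUID_A = "<GUID=f5d34e3a-15a4-455f-8e6b-c0d5b92d9d17>;"
SID_A = "<SID=S-1-5-21-261973878-2428626473-3324609689-"
DN_A = "CN=SLAVE-EDU,OU=Domain Controllers,DC=domain,DC=tld"
STORED_A = (GUID_A + "<RMD_ADDTIME=133558206010000000>;"
            "<RMD_CHANGETIME=133558206040000000>;<RMD_FLAGS=1>;"
            "<RMD_INVOCID=c38b2daf-3080-4e4f-a1fd-4f07625d6914>;"
            "<RMD_LOCAL_USN=6555>;<RMD_ORIGINATING_USN=6555>;<RMD_VERSION=2>;"
            + SID_A + "1000>;" + DN_A)
PROPOSED_A = GUID_A + SID_A + "19204>;" + DN_A
GUID_B = "<GUID=0119b12b-88dc-4629-8a50-348489c6a655>;"
STORED_B = (GUID_B + "<RMD_ADDTIME=131818394720000000>;"
            "<RMD_CHANGETIME=131818394720000000>;<RMD_FLAGS=1>;"
            "<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;"
            "<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;"
            "cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld")
PROPOSED_B = (GUID_B + "<SID=S-1-5-21-145732749-1759460072-1850305963-1151>;"
              "CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld")

def parse_extended_dn(value):
    """Split '<KEY=VAL>;<KEY=VAL>;dn' into (components dict, plain DN string)."""
    components, pos = {}, 0
    while (match := _COMPONENT.match(value, pos)) is not None:
        components[match.group(1)] = match.group(2)
        pos = match.end()
    return components, value[pos:]

def classify_link(stored, proposed):
    """Compare a stored link value with the DN dbcheck proposes for it."""
    have, have_dn = parse_extended_dn(stored)
    want, want_dn = parse_extended_dn(proposed)
    if have.get("GUID") != want.get("GUID"):
        raise ValueError("values refer to different link targets")
    return {
        # A deleted link is only kept as replication metadata.
        "deleted": bool(int(have.get("RMD_FLAGS", "0")) & RMD_FLAG_DELETED),
        "sid_mismatch": have.get("SID") != want.get("SID"),
        "string_mismatch": have_dn != want_dn,  # assumption: exact comparison
    }

if __name__ == "__main__":
    print("UCS 5.0-6:", classify_link(STORED_A, PROPOSED_A))
    print("Bug 47842:", classify_link(STORED_B, PROPOSED_B))
```

Both values report `deleted` as true together with a SID mismatch, which matches the `Attribute member already deleted for target GUID` failure when the fix is attempted.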