Univention Bugzilla – Full Text Bug Listing
Summary: | ERROR: incorrect DN SID component for member in object CN=Domain Users | ||
---|---|---|---|
Product: | UCS | Reporter: | Johannes Kenkel <kenkel> |
Component: | Samba4 | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | damrose, grandjean, requate, scheinig |
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.3-1-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://bugzilla.samba.org/show_bug.cgi?id=13418 | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=43126, https://forge.univention.org/bugzilla/show_bug.cgi?id=47842 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 1: Cosmetic issue or missing function but workaround exists |
Who will be affected by this bug?: | 4: Will affect most installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.046 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2018040621000285, 2018041821000388, 2018062021000389 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 48040, 48054 | ||
Attachments: | ucs430e22-incrorrect-DN-SID-component-for-member.tar.bz2, reproducer-for-incorrect-DN-SID-component-for-member.sh | ||
Description
Johannes Kenkel
2018-01-05 12:50:02 CET
It's reproducible. Maybe it's UCS@school specific due to the fact that UDM assigns SIDs in UCS@school and the S4-Connector writes them and we somehow make Samba skip the step where it stores the objectSID of a group member in the "extended-dn" part of the member attribute. More debugging required.

Also found in plain UCS: A freshly installed UCS 4.3 Samba/AD Master (selected during setup) without UCS-School also shows this "incorrect DN SID component for member" error message for the member attribute of "Domain Users" which refers to "Administrator".

```
root@master40:~# samba-tool dbcheck
Checking 225 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i1,DC=qa - <GUID=0e6d3251-d731-4672-b794-18ce529d4fd4>;<RMD_ADDTIME=131686047230000000>;<RMD_CHANGETIME=131686047230000000>;<RMD_FLAGS=0>;<RMD_INVOCID=9b5211cf-0503-4b4e-9504-19d4487f2cff>;<RMD_LOCAL_USN=3730>;<RMD_ORIGINATING_USN=3730>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i1,DC=qa
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 225 objects (1 errors)
```

In Ticket# 2018040621000285 I was able to reproduce something similar (UCS@school 4.3) by changing the RID for a group via UDM:

```shell
udm groups/group modify "$@" \
  --dn "cn=Enterprise Admins,cn=users,$ldap_base" \
  --set sambaRID="1234567"
```

After that, the extended-dn components of the "member" attributes of the group objects of which "Enterprise Admins" is a member are not updated and still show the original SID. In that case samba-tool dbcheck also complains.
So it complains if
a) the `<SID=...>` part is missing completely in the extended-dn components of a "member" attribute
b) the `<SID=...>` part is present but doesn't match

In the UCS@school case we use the provision control during the LDAP modify, and as Stefan suggested, that might bypass the updates. But Comment 2 indicates that this error may also occur in plain UCS, where the S4-Connector usually operates without using the provision control. More debugging required.

Created attachment 9515 [details]
ucs430e22-incrorrect-DN-SID-component-for-member.tar.bz2

The attached log files have been generated on a plain UCS 4.3 master:
1. No Samba/AD installed during setup
2. univention-install univention-samba4
3. samba-tool dbcheck -> No errors
4. ucr set connector/debug/level='4' samba/debug/level='10'
5. univention-install univention-s4-connector
6. samba-tool dbcheck

```
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa - <GUID=63f66a2e-9c2a-469a-bcc8-e328ee03c7d6>;<RMD_ADDTIME=131692292000000000>;<RMD_CHANGETIME=131692292000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=7015cbcb-5dd1-432a-85ff-834b45784386>;<RMD_LOCAL_USN=3736>;<RMD_ORIGINATING_USN=3736>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i2,DC=qa
```

I cannot find a "modlist" message in connector-s4.log where Administrator gets added to "Domain Users" (for example) but I can see a potential candidate in log.samba, where the primaryGroupID attribute of Administrator gets modified from "Domain Users" (RID 513) to "Domain Admins" (RID 512).
```
[2018/04/26 17:13:20.463156, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
ldb: ldb_trace_response: ENTRY
dn: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20180426150526.0Z
whenChanged: 20180426150526.0Z
uSNCreated: 3543
uSNChanged: 3543
name: Domain Users
objectGUID: 2b0b9b35-b579-4a81-b789-eda26fe9c864
objectSid: S-1-5-21-3772952499-2350442680-3477474934-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ar43i2,DC=qa
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=ar43i2,DC=qa
distinguishedName: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
[...]
[2018/04/26 17:13:20.572743, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
ldb: ldb_trace_response: ENTRY
dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
[...]
primaryGroupID: 513
objectSid: S-1-5-21-3772952499-2350442680-3477474934-500
memberOf: CN=Domain Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Schema Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Administrators,CN=Builtin,DC=ar43i2,DC=qa
[...]
whenChanged: 20180426151320.0Z
uSNChanged: 3734
[...]
[...]
[2018/04/26 17:13:20.581512, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
ldb: ldb_trace_request: MODIFY
dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
changetype: modify
replace: primaryGroupID
primaryGroupID: 512
-
control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
### ^^^ Note: That's DSDB_CONTROL_NO_GLOBAL_CATALOG
[...]
[2018/04/26 17:13:20.597316, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
ldb: ldb_trace_response: ENTRY
dn: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20180426150526.0Z
uSNCreated: 3543
name: Domain Users
objectGUID: 2b0b9b35-b579-4a81-b789-eda26fe9c864
objectSid: S-1-5-21-3772952499-2350442680-3477474934-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ar43i2,DC=qa
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=ar43i2,DC=qa
member: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
whenChanged: 20180426151320.0Z
uSNChanged: 3736
distinguishedName: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
[...]
[2018/04/26 17:13:20.625618, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
ldb: ldb_trace_response: ENTRY
dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
[...]
memberOf: CN=Schema Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Administrators,CN=Builtin,DC=ar43i2,DC=qa
memberOf: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
[...]
whenChanged: 20180426151320.0Z
primaryGroupID: 512
uSNChanged: 3737
[...]
```

And I can reproduce this without installing the S4-Connector. I reverted the VM and just did steps 1, 2 and 3 above:
1. No Samba/AD installed during setup
2. univention-install univention-samba4
3. samba-tool dbcheck -> No errors

```
root@master50:~# samba-tool dbcheck
Checking 208 objects
Checked 208 objects (0 errors)
root@master50:~# ldbmodify -H /var/lib/samba/private/sam.ldb <<%EOF
> dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
> changetype: modify
> replace: primaryGroupID
> primaryGroupID: 512
> %EOF
Modified 1 records successfully
root@master50:~# samba-tool dbcheck
Checking 208 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa - <GUID=0145e77d-e05d-4c50-9dba-cc3a7a5d9e1b>;<RMD_ADDTIME=131692288230000000>;<RMD_CHANGETIME=131692288230000000>;<RMD_FLAGS=0>;<RMD_INVOCID=e2f2e0c7-0afc-4e7a-9fd7-4c3ccdefc246>;<RMD_LOCAL_USN=3720>;<RMD_ORIGINATING_USN=3720>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i2,DC=qa
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 208 objects (1 errors)
```

Created attachment 9516 [details]
reproducer-for-incorrect-DN-SID-component-for-member.sh
Simple reproducer script, triggers the error in UCS 4.3, 4.2 and 4.1-5 (i.e. at least since Samba 4.5.1).
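The two inconsistency cases the report distinguishes (the `<SID=...>` component of a `member` value missing entirely, or present but no longer equal to the member's objectSid) can be checked offline over exported values. The following is an added example, not code from the bug report or from Samba's dbcheck; it parses the extended-DN form visible in the dbcheck output above and compares against a constructed DN-to-objectSid map, with all GUIDs, DNs and the Enterprise Admins RID being hypothetical sample values.

```python
import re

# Samba stores linked attributes such as "member" in extended-DN form, e.g.
# <GUID=...>;<RMD_FLAGS=0>;...;<SID=S-1-5-21-...>;CN=Administrator,CN=Users,DC=...
# Every <KEY=VALUE> component is terminated by ';'; what remains is the plain DN.
COMPONENT_RE = re.compile(r"<([A-Z_]+)=([^>]*)>;")

def parse_extended_dn(value):
    """Split an extended DN into ({KEY: VALUE}, plain_dn)."""
    components, rest = {}, value
    while (match := COMPONENT_RE.match(rest)) is not None:
        components[match.group(1)] = match.group(2)
        rest = rest[match.end():]
    return components, rest

def check_member_sids(member_values, object_sids):
    """Return (member_dn, reason) for every member value whose <SID=...> is
    absent or differs from the objectSid of the object its plain DN names.
    object_sids maps plain DN -> objectSid, as read from the target objects."""
    problems = []
    for value in member_values:
        components, member_dn = parse_extended_dn(value)
        expected = object_sids.get(member_dn)
        sid = components.get("SID")
        if expected is None:
            problems.append((member_dn, "member DN does not resolve to an object"))
        elif sid is None:
            problems.append((member_dn, "missing SID component"))
        elif sid != expected:
            problems.append((member_dn, "SID component %s != objectSid %s" % (sid, expected)))
    return problems

def demo():
    """Constructed sample data (not from a real directory): one member without a
    SID component (the primaryGroupID case from the report), one with a stale SID
    (the sambaRID-change case), and one that is consistent."""
    base = "S-1-5-21-3772952499-2350442680-3477474934"
    object_sids = {
        "CN=Administrator,CN=Users,DC=example,DC=qa": base + "-500",
        "CN=Enterprise Admins,CN=Users,DC=example,DC=qa": base + "-1234567",
        "CN=user1,CN=Users,DC=example,DC=qa": base + "-1105",
    }
    members = [
        "<GUID=0145e77d-e05d-4c50-9dba-cc3a7a5d9e1b>;<RMD_FLAGS=0>;CN=Administrator,CN=Users,DC=example,DC=qa",
        "<GUID=8d4f6f6e-1111-4222-8333-444455556666>;<SID=%s-519>;<RMD_FLAGS=0>;CN=Enterprise Admins,CN=Users,DC=example,DC=qa" % base,
        "<GUID=0a0a0a0a-2222-4333-8444-555566667777>;<SID=%s-1105>;CN=user1,CN=Users,DC=example,DC=qa" % base,
    ]
    return check_member_sids(members, object_sids)
```

`demo()` returns exactly the two findings dbcheck would raise for such values: a missing SID component for Administrator and a stale RID 519 for Enterprise Admins; the consistent user1 entry produces nothing.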
I could also reproduce an advanced variation of this which is unfixable for dbcheck, just by changing the primaryGroupID back to the original value. I've posted a corresponding reproducer script to the upstream bug.

My first attempt to avoid the missing SID component by slightly adjusting the source code of the "samldb_prim_group_change" function in the samldb.c module failed. The interaction of the ldb modules and controls looks a bit tricky.

Still reproducible with UCS 4.3-1e112.

I find it very irritating that the system state is inconsistent after installing the app on a just installed UCS.

SVN: patches/samba/4.3-0-0-ucs/2:4.7.5-1-errata4.3-1/90_bug45982-samba-tool-dbcheck-continue-if-modify-fails.quilt fea394038f
Advisory

OK - yaml (4.3-1-errata, 4.3-0-errata)
OK - reproducer
OK - dbcheck (continue even if a fix fails)