Bug 47842

Summary: ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=domain,DC=tld
Product: UCS
Reporter: DADE <software>
Component: Samba4
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P5
CC: best, requate, scheinig
Version: UCS 4.3
Target Milestone: UCS 4.4
Hardware: amd64
OS: Linux
URL: https://bugzilla.samba.org/show_bug.cgi?id=13418
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=45982
https://forge.univention.org/bugzilla/show_bug.cgi?id=48054
https://forge.univention.org/bugzilla/show_bug.cgi?id=50358
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.154
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018101221000314
Bug group (optional):
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 48084
Attachments: fix-DomainUsers-group-members-affected-by-Bug47842.sh

Description DADE 2018-09-20 13:40:08 CEST
After changing the primary group OLDGROUP of user USER to NEWGROUP the system diagnostic module on a UCS 4.3 Backup DC (acting also as a Samba4 AD DC) finds the following error via `samba-tool dbcheck` in the local AD database:

ERROR: incorrect DN string component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Not fixing string component mismatch
Please use --fix to fix these errors

Running `samba-tool dbcheck --fix --cross-ncs --yes` in UMC system diagnostic throws the error:

STDOUT: ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655') 
Checking 3551 objects 
ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - ;;;;;;;;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to ;;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]

Running `samba-tool dbcheck --fix --cross-ncs --yes` in bash gives:

ERROR: incorrect DN SID component for member in object CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;<RMD_FLAGS=1>;<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld
Change DN to <GUID=0119b12b-88dc-4629-8a50-348489c6a655>;<SID=S-1-5-21-145732749-1759460072-1850305963-1151>;CN=USER,CN=Users,DC=subdomain,DC=domain,DC=tld? [YES]
ERROR: Failed to fix incorrect DN SID on attribute member : (53, 'Attribute member already deleted for target GUID 0119b12b-88dc-4629-8a50-348489c6a655')


I think this is the same bug as https://bugzilla.samba.org/show_bug.cgi?id=13418
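
Added example, not part of the original report or of Samba's code: a small Python parser for the `dbcheck` error line quoted in the description. It splits the extended DN into its components and reports whether the `<SID=...>` component is missing and whether `RMD_FLAGS` marks the link as deleted. The function names are hypothetical, the sample line is copied from the description, and bit 0 of `RMD_FLAGS` is taken to be Samba's deleted-link flag.

```python
import re
from datetime import datetime, timedelta, timezone

# Copied from the bash run in the description above.
SAMPLE = (
    "ERROR: incorrect DN SID component for member in object "
    "CN=OLDGROUP,CN=Groups,DC=subdomain,DC=domain,DC=tld - "
    "<GUID=0119b12b-88dc-4629-8a50-348489c6a655>;"
    "<RMD_ADDTIME=131818394720000000>;<RMD_CHANGETIME=131818394720000000>;"
    "<RMD_FLAGS=1>;<RMD_INVOCID=69bfcc53-b877-4086-aa0e-38a36303aef1>;"
    "<RMD_LOCAL_USN=4223>;<RMD_ORIGINATING_USN=4223>;<RMD_VERSION=1>;"
    "cn=USER,cn=users,DC=subdomain,DC=domain,DC=tld"
)

LINE_RE = re.compile(
    r"^ERROR: incorrect DN (?P<kind>\w+) component for (?P<attr>\S+) "
    r"in object (?P<obj>.+?) - (?P<ext>.+)$"
)
COMP_RE = re.compile(r"<([A-Z_]+)=([^>]*)>;?")
RMD_FLAG_DELETED = 1  # bit 0 of RMD_FLAGS: the link value is a deleted link


def parse_extended_dn(ext):
    """Split '<K=V>;<K=V>;plain-dn' into ({K: V}, plain-dn)."""
    comps = dict(COMP_RE.findall(ext))
    # Also covers the ';;;;cn=...' form where the components are empty.
    return comps, COMP_RE.sub("", ext).lstrip(";")


def nt_time_to_utc(value):
    """RMD_*TIME values are 100 ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(value) // 10)


def triage(line):
    """Return a summary of one dbcheck 'incorrect DN' line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    comps, dn = parse_extended_dn(m["ext"])
    added = comps.get("RMD_ADDTIME")
    return {
        "object": m["obj"], "attribute": m["attr"], "target_dn": dn,
        "guid": comps.get("GUID"),
        "has_sid": "SID" in comps,
        "deleted_link": bool(int(comps.get("RMD_FLAGS", 0)) & RMD_FLAG_DELETED),
        "added_utc": nt_time_to_utc(added) if added else None,
    }
```

For the sample line, `triage(SAMPLE)` reports a deleted `member` link without a SID component, which is the combination the failed `--fix` run complains about.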
Comment 1 Arvid Requate univentionstaff 2018-10-15 12:21:08 CEST
Ok, the upstream Bug now has an explanation for this, but no solution yet: "So this is a module ordering issue, as the request goes down the stack it never gains the extra SID etc because extended_dn_store is above samldb."
Comment 2 Arvid Requate univentionstaff 2018-10-16 20:39:35 CEST
Created attachment 9703
fix-DomainUsers-group-members-affected-by-Bug47842.sh

The attached script may be useful as a workaround to fix affected group members.
This current version of the script only operates on member attributes of the group "Domain Users". The shell variable target_primary_group_rid can be adjusted manually in the script to handle other cases. Please be aware that the script stops the S4-Connector temporarily and creates a dummy group, which it finally tries to remove again before starting the S4-Connector again. This will probably not work on UCS@school DC Slaves (when Bug #47942 is fixed it will also not work on any UCS@school Samba/AD DC). Please also note that during tests I once ran into https://bugzilla.samba.org/show_bug.cgi?id=11064 and could not delete the dummy group again.
Comment 3 Arvid Requate univentionstaff 2018-11-13 18:18:47 CET
Upstream Patch applied:

* 4.3-0-0-ucs/2:4.9.1-1-samba-4.9/90_bug48054-fix-incorrect-DN-SID-component.quilt
Comment 4 Felix Botner univentionstaff 2018-12-20 13:42:23 CET
OK - fixed upstream
OK - patch removed
Comment 5 Florian Best univentionstaff 2019-03-11 14:33:20 CET
There is no changelog entry in changelog-4.4-0.xml.
Comment 6 Florian Best univentionstaff 2019-03-12 13:41:01 CET
UCS 4.4 has been released:
 https://docs.software-univention.de/release-notes-4.4-0-en.html
 https://docs.software-univention.de/release-notes-4.4-0-de.html

If this error occurs again, please use "Clone This Bug".