Univention Bugzilla – Bug 45982
ERROR: incorrect DN SID component for member in object CN=Domain Users
Last modified: 2018-10-25 12:56:47 CEST
root@ucs-4872:~# univention-app info
UCS: 4.2-3 errata256
App Center compatibility: 4
Installed: cups=1.7.5 samba4=4.6 squid=3.4 ucsschool=4.2 v6
Upgradable:

Scenario 1: UCS@school Single-Server Environment
Scenario 2: Installing Samba/AD on a UCS Master in an existing UCS@school Multi-School Environment

After installing UCS with UCS@school and Samba/AD, the system diagnostic module finds an error via "samba-tool dbcheck":

Checking 264 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=example,DC=org - <GUID=66f68445-1f5b-457b-b593-e5a7faf6c71f>;<RMD_ADDTIME=131595321180000000>;<RMD_CHANGETIME=131595321180000000>;<RMD_FLAGS=0>;<RMD_INVOCID=2c4e37db-9999-4254-aa0d-382103491c0f>;<RMD_LOCAL_USN=3733>;<RMD_ORIGINATING_USN=3733>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=example,DC=org
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 264 objects (1 errors)

Running "samba-tool dbcheck --fix --cross-ncs --yes" seems to fix the problem.
It's reproducible. Maybe it's UCS@school specific due to the fact that UDM assigns SIDs in UCS@school and the S4-Connector writes them and we somehow make Samba skip the step where it stores the objectSID of a group member in the "extended-dn" part of the member attribute. More debugging required.
Also found in plain UCS: A freshly installed UCS 4.3 Samba/AD Master (selected during setup) without UCS@school also shows this "incorrect DN SID component for member" error message for the member attribute of "Domain Users" which refers to "Administrator".

==========================================================================
root@master40:~# samba-tool dbcheck
Checking 225 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i1,DC=qa - <GUID=0e6d3251-d731-4672-b794-18ce529d4fd4>;<RMD_ADDTIME=131686047230000000>;<RMD_CHANGETIME=131686047230000000>;<RMD_FLAGS=0>;<RMD_INVOCID=9b5211cf-0503-4b4e-9504-19d4487f2cff>;<RMD_LOCAL_USN=3730>;<RMD_ORIGINATING_USN=3730>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i1,DC=qa
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 225 objects (1 errors)
==========================================================================
In Ticket# 2018040621000285 I was able to reproduce something similar (UCS@school 4.3) by changing the RID for a group via UDM:

============================================================
udm groups/group modify "$@" \
  --dn "cn=Enterprise Admins,cn=users,$ldap_base" \
  --set sambaRID="1234567"
============================================================

After that, the extended-dn components of the "member" attributes of the group objects of which "Enterprise Admins" is a member are not updated and still show the original SID. In that case samba-tool dbcheck also complains.

So it complains if
a) the <SID=...> part is missing completely in the extended-dn components of a "member" attribute
b) the <SID=...> part is present but doesn't match

In the UCS@school case we use the provision control during the LDAP modify, and as Stefan suggested, that might bypass the updates. But Comment 2 indicates that this error may also occur in plain UCS, where the S4-Connector usually operates without using the provision control. More debugging required.
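The two failing cases a) and b) above can be checked offline against the extended-DN strings that dbcheck prints. The following is an added example written for this page; it is not code from Samba, samba-tool or Univention, and the function names (parse_extended_dn, check_member_sid, with_rid, check_group_members) are my own. It parses the `<NAME=value>;...;DN` form of a linked-attribute value, compares the `<SID=...>` component with the target object's objectSid, and reports "missing", "mismatch" or "ok". The GUID/RMD_* prefix and the two objectSids come from the log output in this report; the member value that carries a matching SID and the RID change for "Enterprise Admins" (well-known RID 519, changed to 1234567 as in the UDM command above) are constructed to exercise the other outcomes.

```python
"""Classify the <SID=...> component of extended-DN "member" values.

Added example for this bug report; not code from Samba or Univention.
It re-implements, offline, the consistency rule behind the
"incorrect DN SID component for member" message: every linked-attribute
value carries the target's objectSid in its extended DN, and that SID
must equal the objectSid stored on the target object.
"""
import re
from typing import Dict, List, Tuple

# One extended-DN component: <NAME=value>.  The plain DN follows the
# last component, separated by ';'.
_COMPONENT_RE = re.compile(r"^<([A-Za-z_]+)=([^>]*)>$")


def parse_extended_dn(value: str) -> Tuple[Dict[str, str], str]:
    """Split an extended DN into its <NAME=value> components and the plain DN."""
    components: Dict[str, str] = {}
    parts = value.split(";")
    for index, part in enumerate(parts):
        match = _COMPONENT_RE.match(part)
        if match is None:
            # First part that is not <NAME=value> starts the plain DN.
            # A DN may only contain ';' escaped, so rejoining is safe.
            return components, ";".join(parts[index:])
        components[match.group(1).upper()] = match.group(2)
    raise ValueError("extended DN has no plain DN part: %r" % (value,))


def check_member_sid(extended_member: str, target_object_sid: str) -> str:
    """Return 'ok', 'missing' or 'mismatch' for one member value.

    'missing'  -> no <SID=...> component at all      (case a) in the report)
    'mismatch' -> <SID=...> present but != objectSid (case b) in the report)
    """
    components, _plain_dn = parse_extended_dn(extended_member)
    sid = components.get("SID")
    if sid is None:
        return "missing"
    return "ok" if sid.upper() == target_object_sid.upper() else "mismatch"


def with_rid(sid: str, rid: int) -> str:
    """Replace the RID (last sub-authority) of a SID, e.g. ...-519 -> ...-1234567."""
    domain_part = sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_part, rid)


def check_group_members(members: List[str], object_sids: Dict[str, str]) -> List[Tuple[str, str]]:
    """Check every member value of a group against a plain-DN -> objectSid map."""
    report = []
    for value in members:
        _components, plain_dn = parse_extended_dn(value)
        target_sid = object_sids.get(plain_dn)
        if target_sid is None:
            report.append((plain_dn, "unknown-target"))
        else:
            report.append((plain_dn, check_member_sid(value, target_sid)))
    return report


# --- sample data (GUID/RMD_* prefix and objectSids from the report;
# --- the matching-SID value and the RID change are constructed) --------
DOMAIN_SID = "S-1-5-21-3772952499-2350442680-3477474934"
ADMIN_DN = "CN=Administrator,CN=Users,DC=ar43i2,DC=qa"
ADMIN_SID = DOMAIN_SID + "-500"
RMD_PREFIX = ("<GUID=0145e77d-e05d-4c50-9dba-cc3a7a5d9e1b>;<RMD_ADDTIME=131692288230000000>;"
              "<RMD_CHANGETIME=131692288230000000>;<RMD_FLAGS=0>;"
              "<RMD_INVOCID=e2f2e0c7-0afc-4e7a-9fd7-4c3ccdefc246>;<RMD_LOCAL_USN=3720>;"
              "<RMD_ORIGINATING_USN=3720>;<RMD_VERSION=0>;")

# Case a): the value dbcheck complained about in the report - no <SID=...>.
MEMBER_NO_SID = RMD_PREFIX + ADMIN_DN
# Healthy value (constructed): <SID=...> equals Administrator's objectSid.
MEMBER_OK = RMD_PREFIX + "<SID=%s>;%s" % (ADMIN_SID, ADMIN_DN)
# Case b) (constructed): "Enterprise Admins" (RID 519) was given sambaRID
# 1234567 via UDM, but the member value still carries the old SID.
EA_DN = "CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa"
EA_OLD_SID = DOMAIN_SID + "-519"
EA_NEW_SID = with_rid(EA_OLD_SID, 1234567)
MEMBER_STALE_SID = "<GUID=11111111-2222-3333-4444-555555555555>;<SID=%s>;%s" % (EA_OLD_SID, EA_DN)


def demo() -> List[Tuple[str, str]]:
    """Run the three cases; returns [(plain DN, verdict), ...]."""
    return check_group_members(
        [MEMBER_NO_SID, MEMBER_OK, MEMBER_STALE_SID],
        {ADMIN_DN: ADMIN_SID, EA_DN: EA_NEW_SID},
    )


if __name__ == "__main__":
    for dn, verdict in demo():
        print("%-10s %s" % (verdict, dn))
```

The parser is order-agnostic, so it does not matter whether `<SID=...>` sorts before or after the `RMD_*` components in a given dump. Feeding it the `member` values of a group as printed by ldbsearch with the extended-DN control, together with the objectSid of each referenced object, reproduces the verdict dbcheck gives without touching the database.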
Created attachment 9515 [details]
ucs430e22-incrorrect-DN-SID-component-for-member.tar.bz2

The attached log files have been generated on a plain UCS 4.3 master:

1. No Samba/AD installed during setup
2. univention-install univention-samba4
3. samba-tool dbcheck -> No errors
4. ucr set connector/debug/level='4' samba/debug/level='10'
5. univention-install univention-s4-connector
6. samba-tool dbcheck

===============================================================================
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa - <GUID=63f66a2e-9c2a-469a-bcc8-e328ee03c7d6>;<RMD_ADDTIME=131692292000000000>;<RMD_CHANGETIME=131692292000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=7015cbcb-5dd1-432a-85ff-834b45784386>;<RMD_LOCAL_USN=3736>;<RMD_ORIGINATING_USN=3736>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i2,DC=qa
===============================================================================

I cannot find a "modlist" message in connector-s4.log where Administrator gets added to "Domain Users" (for example), but I can see a potential candidate in log.samba, where the primaryGroupID attribute of Administrator gets modified from "Domain Users" (RID 513) to "Domain Admins" (RID 512).
=======================================================================
[2018/04/26 17:13:20.463156, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
dn: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20180426150526.0Z
whenChanged: 20180426150526.0Z
uSNCreated: 3543
uSNChanged: 3543
name: Domain Users
objectGUID: 2b0b9b35-b579-4a81-b789-eda26fe9c864
objectSid: S-1-5-21-3772952499-2350442680-3477474934-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ar43i2,DC=qa
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=ar43i2,DC=qa
distinguishedName: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
[...]
[2018/04/26 17:13:20.572743, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
[...]
primaryGroupID: 513
objectSid: S-1-5-21-3772952499-2350442680-3477474934-500
memberOf: CN=Domain Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Schema Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Administrators,CN=Builtin,DC=ar43i2,DC=qa
[...]
whenChanged: 20180426151320.0Z
uSNChanged: 3734
[...]
[...]
[2018/04/26 17:13:20.581512, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_request: MODIFY
dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
changetype: modify
replace: primaryGroupID
primaryGroupID: 512
-
control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no
### ^^^ Note: That's DSDB_CONTROL_NO_GLOBAL_CATALOG
[...]
[2018/04/26 17:13:20.597316, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
dn: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20180426150526.0Z
uSNCreated: 3543
name: Domain Users
objectGUID: 2b0b9b35-b579-4a81-b789-eda26fe9c864
objectSid: S-1-5-21-3772952499-2350442680-3477474934-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ar43i2,DC=qa
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=ar43i2,DC=qa
member: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
whenChanged: 20180426151320.0Z
uSNChanged: 3736
distinguishedName: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
[...]
[2018/04/26 17:13:20.625618, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
[...]
memberOf: CN=Schema Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=ar43i2,DC=qa
memberOf: CN=Administrators,CN=Builtin,DC=ar43i2,DC=qa
memberOf: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
[...]
whenChanged: 20180426151320.0Z
primaryGroupID: 512
uSNChanged: 3737
[...]
=======================================================================

And I can reproduce this without installing the S4-Connector. I reverted the VM and just did steps 1, 2 and 3 above:

1. No Samba/AD installed during setup
2. univention-install univention-samba4
3. samba-tool dbcheck -> No errors

=======================================================================
root@master50:~# samba-tool dbcheck
Checking 208 objects
Checked 208 objects (0 errors)
root@master50:~# ldbmodify -H /var/lib/samba/private/sam.ldb <<%EOF
> dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
> changetype: modify
> replace: primaryGroupID
> primaryGroupID: 512
> %EOF
Modified 1 records successfully
root@master50:~# samba-tool dbcheck
Checking 208 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa - <GUID=0145e77d-e05d-4c50-9dba-cc3a7a5d9e1b>;<RMD_ADDTIME=131692288230000000>;<RMD_CHANGETIME=131692288230000000>;<RMD_FLAGS=0>;<RMD_INVOCID=e2f2e0c7-0afc-4e7a-9fd7-4c3ccdefc246>;<RMD_LOCAL_USN=3720>;<RMD_ORIGINATING_USN=3720>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i2,DC=qa
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 208 objects (1 errors)
=======================================================================
Created attachment 9516 [details]
reproducer-for-incorrect-DN-SID-component-for-member.sh

Simple reproducer script, triggers the error in UCS 4.3, 4.2 and 4.1-5 (i.e. at least since Samba 4.5.1).
I could also reproduce an advanced variation of this which is unfixable for dbcheck, just by changing the primaryGroupID back to the original value. I've posted a corresponding reproducer script to the upstream bug. My first attempt to avoid the missing SID component by slightly adjusting the source code of the "samldb_prim_group_change" function in the samldb.c module failed. The interaction of the ldb modules and controls looks a bit tricky.
Still reproducible with UCS 4.3-1e112. I find it very irritating that the system state is inconsistent after installing the app on a just installed UCS.
SVN: patches/samba/4.3-0-0-ucs/2:4.7.5-1-errata4.3-1/90_bug45982-samba-tool-dbcheck-continue-if-modify-fails.quilt fea394038f | Advisory
OK - yaml (4.3-1-errata, 4.3-0-errata)
OK - reproducer
OK - dbcheck (continue even if a fix fails)
<http://errata.software-univention.de/ucs/4.3/120.html>