Bug 45982 - ERROR: incorrect DN SID component for member in object CN=Domain Users
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://bugzilla.samba.org/show_bug.c...
Depends on:
Blocks: 48040 48054
Reported: 2018-01-05 12:50 CET by Johannes Kenkel
Modified: 2018-10-25 12:56 CEST
CC: 4 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018040621000285, 2018041821000388, 2018062021000389
Bug group (optional):
Max CVSS v3 score:


Attachments
ucs430e22-incrorrect-DN-SID-component-for-member.tar.bz2 (1.27 MB, application/x-bzip), 2018-04-26 18:17 CEST, Arvid Requate
reproducer-for-incorrect-DN-SID-component-for-member.sh (674 bytes, application/x-shellscript), 2018-04-26 18:58 CEST, Arvid Requate

Description Johannes Kenkel univentionstaff 2018-01-05 12:50:02 CET
root@ucs-4872:~# univention-app info
UCS: 4.2-3 errata256
App Center compatibility: 4
Installed: cups=1.7.5 samba4=4.6 squid=3.4 ucsschool=4.2 v6
Upgradable: 

Scenario 1: UCS@school Single-Server Environment
Scenario 2: Installing Samba/AD on an UCS Master in an existing UCS@school Multi-School Environment

After installing UCS with UCS@school and Samba/AD, the system diagnostic module finds an error via "samba-tool dbcheck":

Checking 264 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=example,DC=org - <GUID=66f68445-1f5b-457b-b593-e5a7faf6c71f>;<RMD_ADDTIME=131595321180000000>;<RMD_CHANGETIME=131595321180000000>;<RMD_FLAGS=0>;<RMD_INVOCID=2c4e37db-9999-4254-aa0d-382103491c0f>;<RMD_LOCAL_USN=3733>;<RMD_ORIGINATING_USN=3733>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=example,DC=org
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 264 objects (1 errors)

Running "samba-tool dbcheck --fix --cross-ncs --yes" seems to fix the problem.
Comment 1 Arvid Requate univentionstaff 2018-04-16 16:22:12 CEST
It's reproducible. Maybe it's UCS@school specific due to the fact that UDM assigns SIDs in UCS@school and the S4-Connector writes them and we somehow make Samba skip the step where it stores the objectSID of a group member in the "extended-dn" part of the member attribute. More debugging required.
Comment 2 Arvid Requate univentionstaff 2018-04-25 18:28:32 CEST
Also found in plain UCS:

A freshly installed UCS 4.3 Samba/AD Master (selected during setup) without UCS@school also shows this "incorrect DN SID component for member" error message for the member attribute of "Domain Users" which refers to "Administrator".

==========================================================================
root@master40:~# samba-tool dbcheck
Checking 225 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i1,DC=qa - <GUID=0e6d3251-d731-4672-b794-18ce529d4fd4>;<RMD_ADDTIME=131686047230000000>;<RMD_CHANGETIME=131686047230000000>;<RMD_FLAGS=0>;<RMD_INVOCID=9b5211cf-0503-4b4e-9504-19d4487f2cff>;<RMD_LOCAL_USN=3730>;<RMD_ORIGINATING_USN=3730>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i1,DC=qa
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 225 objects (1 errors)
==========================================================================
Comment 3 Arvid Requate univentionstaff 2018-04-25 18:36:58 CEST
In Ticket# 2018040621000285 I was able to reproduce something similar (UCS@school 4.3) by changing the RID for a group via UDM:

============================================================
udm groups/group modify "$@" \
        --dn "cn=Enterprise Admins,cn=users,$ldap_base" \
        --set sambaRID="1234567"
============================================================

After that, the extended-dn components of the "member" attributes of the group objects of which "Enterprise Admins" is a member are not updated and still show the original SID. In that case samba-tool dbcheck also complains. So it complains if

 a) the <SID=...> part is missing completely in the extended-dn components of a "member" attribute
 b) the <SID=...> part is present but doesn't match

In the UCS@school case we use the provision control during the LDAP modify, and as Stefan suggested, that might bypass the updates. But Comment 2 indicates that this error may also occur in plain UCS, where the S4-Connector usually operates without using the provision control. More debugging required.
Comment 4 Arvid Requate univentionstaff 2018-04-26 18:17:47 CEST
Created attachment 9515
ucs430e22-incrorrect-DN-SID-component-for-member.tar.bz2

The attached log files have been generated on a plain UCS 4.3 master:
1. No Samba/AD installed during setup
2. univention-install univention-samba4
3. samba-tool dbcheck -> No errors
4. ucr set connector/debug/level='4' samba/debug/level='10'
5. univention-install univention-s4-connector
6. samba-tool dbcheck
===============================================================================
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa - <GUID=63f66a2e-9c2a-469a-bcc8-e328ee03c7d6>;<RMD_ADDTIME=131692292000000000>;<RMD_CHANGETIME=131692292000000000>;<RMD_FLAGS=0>;<RMD_INVOCID=7015cbcb-5dd1-432a-85ff-834b45784386>;<RMD_LOCAL_USN=3736>;<RMD_ORIGINATING_USN=3736>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i2,DC=qa
===============================================================================


I cannot find a "modlist" message in connector-s4.log where Administrator gets added to "Domain Users" (for example), but I can see a potential candidate in log.samba, where the primaryGroupID attribute of Administrator gets modified from "Domain Users" (RID 513) to "Domain Admins" (RID 512).



=======================================================================
[2018/04/26 17:13:20.463156, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
  objectClass: top
  objectClass: group
  cn: Domain Users
  description: All domain users
  instanceType: 4
  whenCreated: 20180426150526.0Z
  whenChanged: 20180426150526.0Z
  uSNCreated: 3543
  uSNChanged: 3543
  name: Domain Users
  objectGUID: 2b0b9b35-b579-4a81-b789-eda26fe9c864
  objectSid: S-1-5-21-3772952499-2350442680-3477474934-513
  sAMAccountName: Domain Users
  sAMAccountType: 268435456
  groupType: -2147483646
  objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ar43i2,DC=qa
  isCriticalSystemObject: TRUE
  memberOf: CN=Users,CN=Builtin,DC=ar43i2,DC=qa
  distinguishedName: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa

[...]
[2018/04/26 17:13:20.572743, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
  [...]
  primaryGroupID: 513
  objectSid: S-1-5-21-3772952499-2350442680-3477474934-500
  memberOf: CN=Domain Admins,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Schema Admins,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Administrators,CN=Builtin,DC=ar43i2,DC=qa
  [...]
  whenChanged: 20180426151320.0Z
  uSNChanged: 3734
  [...]

[...]
[2018/04/26 17:13:20.581512, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_request: MODIFY
  dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
  changetype: modify
  replace: primaryGroupID
  primaryGroupID: 512
  -
  
  
   control: 1.3.6.1.4.1.7165.4.3.17  crit:0  data:no
   ###      ^^^ Note: That's DSDB_CONTROL_NO_GLOBAL_CATALOG

[...]
[2018/04/26 17:13:20.597316, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
  objectClass: top
  objectClass: group
  cn: Domain Users
  description: All domain users
  instanceType: 4
  whenCreated: 20180426150526.0Z
  uSNCreated: 3543
  name: Domain Users
  objectGUID: 2b0b9b35-b579-4a81-b789-eda26fe9c864
  objectSid: S-1-5-21-3772952499-2350442680-3477474934-513
  sAMAccountName: Domain Users
  sAMAccountType: 268435456
  groupType: -2147483646
  objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ar43i2,DC=qa
  isCriticalSystemObject: TRUE
  memberOf: CN=Users,CN=Builtin,DC=ar43i2,DC=qa
  member: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
  whenChanged: 20180426151320.0Z
  uSNChanged: 3736
  distinguishedName: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa

[...]
[2018/04/26 17:13:20.625618, 10, pid=23353, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:77(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
  [...]
  memberOf: CN=Schema Admins,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Enterprise Admins,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Group Policy Creator Owners,CN=Groups,DC=ar43i2,DC=qa
  memberOf: CN=Administrators,CN=Builtin,DC=ar43i2,DC=qa
  memberOf: CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa
  [...]
  whenChanged: 20180426151320.0Z
  primaryGroupID: 512
  uSNChanged: 3737
  [...]
=======================================================================


And I can reproduce this without installing the S4-Connector. I reverted the VM and just did steps 1, 2 and 3 above:

1. No Samba/AD installed during setup
2. univention-install univention-samba4
3. samba-tool dbcheck -> No errors
=======================================================================
root@master50:~# samba-tool dbcheck
Checking 208 objects
Checked 208 objects (0 errors)

root@master50:~# ldbmodify -H /var/lib/samba/private/sam.ldb <<%EOF
> dn: CN=Administrator,CN=Users,DC=ar43i2,DC=qa
> changetype: modify
> replace: primaryGroupID
> primaryGroupID: 512
> %EOF
Modified 1 records successfully

root@master50:~# samba-tool dbcheck
Checking 208 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Groups,DC=ar43i2,DC=qa - <GUID=0145e77d-e05d-4c50-9dba-cc3a7a5d9e1b>;<RMD_ADDTIME=131692288230000000>;<RMD_CHANGETIME=131692288230000000>;<RMD_FLAGS=0>;<RMD_INVOCID=e2f2e0c7-0afc-4e7a-9fd7-4c3ccdefc246>;<RMD_LOCAL_USN=3720>;<RMD_ORIGINATING_USN=3720>;<RMD_VERSION=0>;CN=Administrator,CN=Users,DC=ar43i2,DC=qa
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 208 objects (1 errors)
=======================================================================
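Added illustration, written for this page and not taken from Samba's dbcheck or from any UCS package: a small checker for the two defects Comment 3 lists (a: the <SID=...> component is missing from a "member" link, b: it is present but stale) over the state that the reproducer in Comment 4 leaves behind (Administrator's primaryGroupID changed from 513 to 512, so samldb writes a "member" link from "Domain Users" to Administrator). Everything in it is constructed: the in-memory dict stands in for sam.ldb, the domain SID, GUIDs and RMD_* values are placeholders, and the serialiser's component order (GUID, SID, then the RMD_* metadata in the order seen in the dbcheck output above) is an assumption. Real links would be read through the ldb Python bindings with the extended-DN control, which this example does not do.

```python
import re
from dataclasses import dataclass

# Matches one leading "<NAME=VALUE>;" component of an ldb extended DN.
COMPONENT_RE = re.compile(r"^<([A-Z_]+)=([^>]*)>;")

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
BASE = "DC=example,DC=org"


@dataclass
class ExtendedDN:
    components: dict  # e.g. {"GUID": "...", "SID": "S-1-5-21-...", "RMD_FLAGS": "0"}
    dn: str           # plain DN of the link target


def parse_extended_dn(value: str) -> ExtendedDN:
    """Split '<GUID=..>;<SID=..>;<RMD_..=..>;CN=..' into components and plain DN."""
    comps, rest = {}, value
    while (m := COMPONENT_RE.match(rest)):
        name, val = m.group(1), m.group(2)
        if name in comps:
            raise ValueError(f"duplicate extended-DN component {name}")
        comps[name] = val
        rest = rest[m.end():]
    if not rest:
        raise ValueError("extended DN has no plain DN part")
    return ExtendedDN(comps, rest)


def format_extended_dn(edn: ExtendedDN) -> str:
    """Serialise GUID and SID first, then the RMD_* metadata (assumed order), then the DN."""
    names = ["GUID", "SID"] + [k for k in edn.components if k not in ("GUID", "SID")]
    return "".join(f"<{k}={edn.components[k]}>;" for k in names if k in edn.components) + edn.dn


def check_member_links(group_dn: str, directory: dict) -> list:
    """Classify each member value of group_dn as ok, missing-sid, sid-mismatch or dangling."""
    findings = []
    for value in directory[group_dn].get("member", []):
        edn = parse_extended_dn(value)
        target = directory.get(edn.dn)
        if target is None:
            status = "dangling"        # not the case in this bug; listed for completeness
        elif "SID" not in edn.components:
            status = "missing-sid"     # case a) from Comment 3
        elif edn.components["SID"] != target["objectSid"]:
            status = "sid-mismatch"    # case b) from Comment 3
        else:
            status = "ok"
        findings.append((edn.dn, status))
    return findings


def fix_member_links(group_dn: str, directory: dict) -> int:
    """Rewrite <SID=...> from the target's objectSid (what --fix does for a/b); return count changed."""
    changed, fixed = 0, []
    for value in directory[group_dn].get("member", []):
        edn = parse_extended_dn(value)
        target = directory.get(edn.dn)
        if target is not None and edn.components.get("SID") != target["objectSid"]:
            edn.components["SID"] = target["objectSid"]
            changed += 1
        fixed.append(format_extended_dn(edn))
    directory[group_dn]["member"] = fixed
    return changed


def build_sample_directory() -> dict:
    """Constructed stand-in for sam.ldb after the Comment 4 reproducer (primaryGroupID 513 -> 512)
    and the Comment 3 RID change (Enterprise Admins re-numbered from 519 to 1234567)."""
    admin = f"CN=Administrator,CN=Users,{BASE}"
    dom_users = f"CN=Domain Users,CN=Groups,{BASE}"
    dom_admins = f"CN=Domain Admins,CN=Groups,{BASE}"
    ent_admins = f"CN=Enterprise Admins,CN=Groups,{BASE}"
    builtin_admins = f"CN=Administrators,CN=Builtin,{BASE}"
    rmd = ("<RMD_ADDTIME=0>;<RMD_CHANGETIME=0>;<RMD_FLAGS=0>;"
           "<RMD_INVOCID=00000000-0000-0000-0000-000000000000>;"
           "<RMD_LOCAL_USN=1>;<RMD_ORIGINATING_USN=1>;<RMD_VERSION=0>;")
    return {
        admin: {"objectSid": f"{DOMAIN_SID}-500", "primaryGroupID": "512"},
        dom_users: {
            "objectSid": f"{DOMAIN_SID}-513",
            # Link added when 513 stopped being the primary group: no <SID=...> at all.
            "member": [f"<GUID=aaaaaaaa-0000-0000-0000-000000000001>;{rmd}{admin}"],
        },
        dom_admins: {"objectSid": f"{DOMAIN_SID}-512"},  # membership now implicit via primaryGroupID
        ent_admins: {"objectSid": f"{DOMAIN_SID}-1234567"},
        builtin_admins: {
            "objectSid": "S-1-5-32-544",
            "member": [
                # Stale <SID=...> still carrying the old RID 519.
                f"<GUID=bbbbbbbb-0000-0000-0000-000000000002>;<SID={DOMAIN_SID}-519>;{rmd}{ent_admins}",
                # Consistent link.
                f"<GUID=cccccccc-0000-0000-0000-000000000003>;<SID={DOMAIN_SID}-512>;{rmd}{dom_admins}",
            ],
        },
    }
```

Running `check_member_links` on the "Domain Users" entry yields `missing-sid` for the Administrator link, and on "Administrators" it yields `sid-mismatch` for Enterprise Admins and `ok` for Domain Admins; `fix_member_links` then rewrites the SID from the target's objectSid, after which both groups check clean. The "unfixable" variation from Comment 6 (primaryGroupID changed back to its original value) is not modelled here.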
Comment 5 Arvid Requate univentionstaff 2018-04-26 18:58:31 CEST
Created attachment 9516
reproducer-for-incorrect-DN-SID-component-for-member.sh

Simple reproducer script, triggers the error in UCS 4.3, 4.2 and 4.1-5 (i.e. at least since Samba 4.5.1).
Comment 6 Arvid Requate univentionstaff 2018-05-03 22:44:53 CEST
I could also reproduce an advanced variation of this which is unfixable for dbcheck, just by changing the primaryGroupID back to the original value. I've posted a corresponding reproducer script to the upstream bug.

My first attempt to avoid the missing SID component by slightly adjusting the source code of the "samldb_prim_group_change" function in the samldb.c module failed. The interaction of the ldb modules and controls looks a bit tricky.
Comment 7 Erik Damrose univentionstaff 2018-06-11 12:14:54 CEST
Still reproducible with UCS 4.3-1e112. I find it very irritating that the system state is inconsistent after installing the app on a just installed UCS.
Comment 8 Arvid Requate univentionstaff 2018-06-20 15:44:16 CEST
SVN: patches/samba/4.3-0-0-ucs/2:4.7.5-1-errata4.3-1/90_bug45982-samba-tool-dbcheck-continue-if-modify-fails.quilt

fea394038f | Advisory
Comment 9 Felix Botner univentionstaff 2018-06-20 18:08:47 CEST
OK - yaml (4.3-1-errata, 4.3-0-errata)
OK - reproducer
OK - dbcheck (continue even if a fix fails)
Comment 10 Erik Damrose univentionstaff 2018-06-27 14:37:23 CEST
<http://errata.software-univention.de/ucs/4.3/120.html>