Bug 48054 - ERROR: incorrect DN SID component for member in object CN=Domain Users
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.3
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
URL: https://bugzilla.samba.org/show_bug.c...
Depends on: 45982
Blocks:
Reported: 2018-10-25 12:56 CEST by Arvid Requate
Modified: 2018-11-07 14:33 CET (History)
CC: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the documentation
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018040621000285, 2018041821000388, 2018062021000389, 2018101221000314
Bug group (optional):
Max CVSS v3 score:


Attachments
connector-s4.log for restore of uid=karsten.loho (632.17 KB, text/x-log)
2018-10-25 12:56 CEST, Arvid Requate
orig 4.8 upstream patch with changes for 4.7 repl_meta_data.c (74.18 KB, patch)
2018-11-06 14:16 CET, Felix Botner
qa.patch (428 bytes, patch)
2018-11-06 23:21 CET, Arvid Requate

Description Arvid Requate univentionstaff 2018-10-25 12:56:47 CEST
Created attachment 9711
connector-s4.log for restore of uid=karsten.loho

Christina was able to reproduce how customers run into the issue of Bug #45982:

1. Create a user with primary group != "Domain Users"
   (via UMC or UCS@school import)
2. Delete that user (via UMC)
3. Restore that user by following https://wiki.univention.de/index.php/Cool_Solution_-_Restore_LDAP_objects,_attributes_and_memberships 

The restore in OpenLDAP causes the S4-Connector to reanimate the "Deleted Object" in Samba/AD. Since Samba/AD strips all group memberships when marking an account as deleted, the restored object doesn't have any, and Samba/AD simply attaches "primaryGroupID: 513" to it as the default.

So far so good. Now the S4-Connector comes along and checks the group memberships, detects that the primary group needs to be changed (probably primary_group_sync_from_ucs), and then "something" goes haywire: something in the interaction of S4-Connector and Samba/AD causes an invalid new member attribute value to be added to "Domain Users"; either the S4-Connector adds it or the S4-Connector triggers an ldb module of Samba/AD to add it:

member: <GUID=ba437338-cf88-44a2-9641-e993074ef74f>;<RMD_ADDTIME=131825825110000000>;<RMD_CHANGETIME=131825825110000000>;<RMD_FLAGS=1>;<RMD_INVOCID=1a328642-8e0b-43e8-a60e-fa85868dc8a5>;<RMD_LOCAL_USN=4469>;<RMD_ORIGINATING_USN=4469>;<RMD_VERSION=1>;cn=karsten.loho,cn=schueler,cn=users,ou=licht,DC=schein,DC=me

It's unclear:

1. why this membership ends up there,
2. why it's marked with RMD_FLAGS=1 (IIRC this says that the member attribute is the "forward" part of a linked attribute), and
3. why samba-tool dbcheck cannot fix it.


Let's try to solve question 1 to avoid triggering this issue in S4-Connector.


+++ This bug was initially created as a clone of Bug #45982 +++
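To make the member value quoted above easier to read and to check, here is an added example (not code from this report, from Univention or from Samba) that parses a Samba/AD extended-DN linked-attribute value into its <KEY=VALUE> components and the plain DN, and then runs the kind of consistency checks a practitioner would want before trusting such a link: GUID and SID component versus the target object, and whether an active member link duplicates the target's primaryGroupID. Assumptions, labeled in the code: bit 0 of RMD_FLAGS is taken to be DSDB_RMD_FLAG_DELETED (a deactivated link) as in Samba's dsdb code, the group/user records are constructed dicts with invented SIDs, and the checks are a simplified stand-in for what samba-tool dbcheck does, not its actual logic.

```python
"""Parse and sanity-check Samba/AD linked-attribute ('member') values.

Added example for Bug 48054; not code from the report, Univention or Samba.
The value quoted in the description is an extended DN: <KEY=VALUE>
components (GUID, optionally SID, and the RMD_* replication metadata that
ldbsearch only shows when internals are revealed), then the target's DN.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption taken from Samba's dsdb code (not stated in the report): bit 0 of
# RMD_FLAGS is DSDB_RMD_FLAG_DELETED, i.e. the link is kept but deactivated.
RMD_FLAG_DELETED = 0x1

_COMPONENT_RE = re.compile(r"^<([A-Za-z_]+)=([^>]*)>$")

# Copied verbatim from the bug description (comment 0).
SAMPLE_MEMBER = (
    "<GUID=ba437338-cf88-44a2-9641-e993074ef74f>;"
    "<RMD_ADDTIME=131825825110000000>;<RMD_CHANGETIME=131825825110000000>;"
    "<RMD_FLAGS=1>;<RMD_INVOCID=1a328642-8e0b-43e8-a60e-fa85868dc8a5>;"
    "<RMD_LOCAL_USN=4469>;<RMD_ORIGINATING_USN=4469>;<RMD_VERSION=1>;"
    "cn=karsten.loho,cn=schueler,cn=users,ou=licht,DC=schein,DC=me"
)


@dataclass
class LinkedValue:
    dn: str
    components: Dict[str, str] = field(default_factory=dict)

    @property
    def guid(self) -> Optional[str]:
        g = self.components.get("GUID")
        return g.lower() if g else None

    @property
    def sid(self) -> Optional[str]:
        return self.components.get("SID")

    @property
    def flags(self) -> int:
        return int(self.components.get("RMD_FLAGS", "0"))

    @property
    def is_deleted(self) -> bool:
        return bool(self.flags & RMD_FLAG_DELETED)


def parse_linked_value(value: str) -> LinkedValue:
    """Split an extended DN into <KEY=VALUE> components and the plain DN.

    Components are consumed from the left until the first piece that is not
    a <...> component; everything from there on is the DN (rejoined with ';'
    in case the DN itself contains an escaped ';').
    """
    parts = value.split(";")
    components: Dict[str, str] = {}
    for idx, part in enumerate(parts):
        m = _COMPONENT_RE.match(part)
        if m is None:
            dn = ";".join(parts[idx:])
            if dn:
                return LinkedValue(dn=dn, components=components)
            break
        components[m.group(1)] = m.group(2)
    raise ValueError(f"no DN after extended-DN components: {value!r}")


def sid_rid(sid: str) -> int:
    """Relative identifier: the last sub-authority of an S-1-5-21-...-RID string."""
    return int(sid.rsplit("-", 1)[1])


def check_member_link(link: LinkedValue, group: dict, target: dict) -> List[str]:
    """Consistency findings for one 'member' link of `group` pointing at `target`.

    `group` and `target` are caller-constructed dicts holding the attributes a
    search would return as strings (objectGUID, objectSid, primaryGroupID).
    Simplified stand-in for dbcheck-style link checks, not dbcheck's code.
    An empty list means the link looks consistent.
    """
    findings: List[str] = []
    tguid = target.get("objectGUID", "").lower()
    tsid = target.get("objectSid")
    if link.guid is None:
        findings.append("link has no GUID component")
    elif tguid and link.guid != tguid:
        findings.append(f"GUID component {link.guid} does not match target objectGUID {tguid}")
    if tsid and link.sid is None:
        findings.append("target has an objectSid but the link carries no SID component")
    elif tsid and link.sid and link.sid.upper() != tsid.upper():
        findings.append(f"SID component {link.sid} does not match target objectSid {tsid}")
    # AD records primary-group membership only via primaryGroupID; an active
    # 'member' link to the same user in that group is a double membership.
    pgid = target.get("primaryGroupID")
    gsid = group.get("objectSid")
    if not link.is_deleted and pgid and gsid and int(pgid) == sid_rid(gsid):
        findings.append("active member link duplicates the target's primaryGroupID")
    return findings


if __name__ == "__main__":
    link = parse_linked_value(SAMPLE_MEMBER)
    # Constructed records for the demo; the SIDs are invented.
    domain_users = {"objectSid": "S-1-5-21-1111-2222-3333-513"}
    user = {"objectGUID": "ba437338-cf88-44a2-9641-e993074ef74f",
            "objectSid": "S-1-5-21-1111-2222-3333-1105",
            "primaryGroupID": "513"}
    print(f"target DN: {link.dn}")
    print(f"deleted link: {link.is_deleted}  RMD_FLAGS={link.flags}")
    for finding in check_member_link(link, domain_users, user):
        print(" -", finding)
```

Run against the quoted value this reports a deactivated link (RMD_FLAGS=1) that carries a GUID but no SID component; the double-membership finding only fires for an active link whose target's primaryGroupID equals the group's RID, which is the situation the connector's primary-group change would create.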
Comment 1 Christina Scheinig univentionstaff 2018-10-26 11:36:48 CEST
In the meantime it has occurred again that the customer removed and restored some students.
There is a workaround, but the script has to be executed manually after each remove-and-restore procedure.

So the customer needs this issue to be fixed. I will set the waiting support flag.
Comment 2 Christina Scheinig univentionstaff 2018-10-29 11:00:11 CET
In another school environment this issue occurs again. It is not comfortable to fix this manually, especially in the event of unexpected occurrences.

We edit the Samba backend here, and mistakes can have unforgivable consequences.
Comment 3 Christina Scheinig univentionstaff 2018-11-02 15:54:09 CET
FYI: This issue occurs in UCS@school environments, and the problem itself shows up with samba-tool dbcheck.
Comment 4 Felix Botner univentionstaff 2018-11-06 14:13:44 CET
Backported the upstream patch.

It fixed the problem for me.

I had to slightly modify the repl_meta_data.c patches (rewrite in 4.8).
Comment 5 Felix Botner univentionstaff 2018-11-06 14:16:47 CET
Created attachment 9725
orig 4.8 upstream patch with changes for 4.7 repl_meta_data.c
Comment 6 Arvid Requate univentionstaff 2018-11-06 23:21:05 CET
Created attachment 9727
qa.patch

I did a vimdiff of upstream vs. your attached patch and found one line where it looks like two function arguments have been swapped.
Comment 7 Felix Botner univentionstaff 2018-11-07 09:34:35 CET
uhh, yes

the original patch is

replmd_update_la_val(new_values, exact->v,
                           dns[i].dsdb_dn,
                           exact->dsdb_dn,
-                          invocation_id, seq_num,
-                          seq_num, now, false);
+                          &ac->our_invocation_id,
+                          ac->seq_num, ac->seq_num,
+                          now, false);
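Review bot: the replacement call in this hunk passes five arguments after `exact->dsdb_dn` (`&ac->our_invocation_id, ac->seq_num, ac->seq_num, now, false`), which only matches the 4.8 signature; against the 4.7 prototype quoted below, which still has `uint32_t version` between `NTTIME nttime` and `bool deleted`, a backport has to insert the version argument after `now`, giving `now, 0, false);` in the same order as the other calls on this page (`now, 0, true);`). Writing it as `0, now, false` swaps the NTTIME and the version; since both are integer types the compiler accepts it silently, so the argument order is worth a second look in every call this backport touches.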


but replmd_update_la_val in 4.7 still has the version parameter


  static int replmd_update_la_val(TALLOC_CTX *mem_ctx, struct ldb_val *v, 
          struct dsdb_dn *dsdb_dn,
          struct dsdb_dn *old_dsdb_dn, const struct GUID *invocation_id,
          uint64_t seq_num, uint64_t local_usn, NTTIME nttime,
          uint32_t version, bool deleted);

as the second-to-last parameter, so this "0, now, false);" is wrong (and all the other replmd_update_la_val calls correctly use "now, 0, true);").

fixed in 99_bug48054.quilt.
Comment 8 Arvid Requate univentionstaff 2018-11-07 13:35:02 CET
Verified:
* Patch fixed
* Package rebuilt
* UCS: functional tests after package update (DRS replication, dbcheck)
* UCS: fixing dbcheck errors reproduced before update with scripts from Bug 45982
* UCS@school: same
* Advisory: Ok, binary package version adjusted.
Comment 9 Arvid Requate univentionstaff 2018-11-07 14:33:47 CET
<http://errata.software-univention.de/ucs/4.3/301.html>