Prunk Dump
2014-Oct-08 15:45 UTC
[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)
Hi samba team !

I have found a very strange bug when changing my user's primaryGroupID with ldif files. The bug is very easy to reproduce :

1) Create a user, create a group, add the user to the group
-------------------------------
~# samba-tool user add stduser
User 'stduser' created successfully

~# samba-tool group add stdgroup
Added group stdgroup

~# samba-tool group addmembers stdgroup stduser
Added members to group stdgroup
-------------------------------

2) Get the group sid, and change the user's primaryGroupID with the dn prefixes in lower case :
-------------------------------
~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn primaryGroupID memberOf
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
cn: stduser
primaryGroupID: 513
memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com

~# wbinfo --name-to-sid=stdgroup
S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)

~# cat /tmp/chggrp.ldif
dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385

~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
Modified 1 records successfully
-------------------------------

3) Now it's impossible to remove the user from the "Domain Users" group ! And there are errors in the ldb base !
The group membership is one time written with lower case prefixes and one time with upper case prefixes :
-------------------------------
~# samba-tool group removemembers "Domain Users" stduser
Removed members from group Domain Users

~# samba-tool group listmembers "Domain Users" | grep stduser
stduser

~# samba-tool dbcheck | grep stduser
ERROR: incorrect DN string component for member in object CN=Domain Users,CN=Users,DC=my,DC=example,DC=com - <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
ERROR: orphaned backlink attribute 'memberOf' in CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
-------------------------------

!! If the dn prefixes are written in upper case like below, there are no problems !!
-------------------------------
~# cat /tmp/chggrp2.ldif
dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
changetype: modify
replace: primarygroupid
primarygroupid: 3385
-------------------------------

The problem occurs when the primaryGroupID is changed and when the "memberOf" attribute needs to be added. The case is not checked.

Thanks !
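The report's point is that AD DNs are compared case-insensitively (both the attribute types such as `cn`/`CN` and the values), so a link written as `cn=stduser,cn=Users,...` refers to the same object as `CN=stduser,CN=Users,...`, yet one code path stores it without normalising the case and a later comparison then fails to match it. The following Python is an added illustration, not code from the thread or from Samba: it normalises DNs the way AD compares them and runs a small dbcheck-style consistency pass over a constructed copy of the group's `member` forward link and the user's `memberOf` backlink. The sample objects, the function names (`normalize_dn`, `check_links`, `parse_link`) and the `case_sensitive` switch are assumptions for the example; the object GUID is the one quoted in the report. Running the same check with byte-exact comparison reproduces the two error classes dbcheck printed (a link that cannot be resolved, and a backlink that therefore looks orphaned), while the case-insensitive pass only flags the cosmetic mismatch between the stored string and the object's canonical DN.

```python
import re


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes
    (so an escaped comma inside a value does not start a new RDN)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def parse_link(value):
    """Split a linked-attribute value such as '<GUID=...>;cn=...' into
    (guid, dn_string). A plain DN is returned with guid=None."""
    m = re.match(r"^<GUID=([0-9a-fA-F-]+)>;(.*)$", value)
    if m:
        return m.group(1).lower(), m.group(2)
    return None, value


def normalize_dn(dn):
    """AD matches DNs case-insensitively: lower-case both the attribute
    type and the value of every RDN so 'cn=x,dc=y' and 'CN=x,DC=y' agree."""
    rdns = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_equal(a, b):
    """True when two DN strings name the same object under AD matching rules."""
    return normalize_dn(a) == normalize_dn(b)


def check_links(objects, case_sensitive=False):
    """dbcheck-style pass over {canonical DN: attributes}. With
    case_sensitive=False links are resolved with normalize_dn (the
    correct behaviour); with case_sensitive=True they are resolved by
    exact string match, which is the failure mode the report describes."""
    key = (lambda dn: dn) if case_sensitive else normalize_dn
    index = {key(dn): dn for dn in objects}
    errors, forward = [], set()
    # forward links: each 'member' value must resolve to an object, and the
    # stored DN string should equal that object's canonical DN byte for byte
    for dn, attrs in objects.items():
        for value in attrs.get("member", []):
            _guid, target = parse_link(value)
            canonical = index.get(key(target))
            if canonical is None:
                errors.append(f"dangling member link in {dn}: {target}")
                continue
            forward.add((key(dn), key(target)))
            if target != canonical:
                errors.append(
                    f"incorrect DN string component for member in object {dn} - {value}")
    # backlinks: every 'memberOf' must be matched by a resolved forward link
    for dn, attrs in objects.items():
        for group in attrs.get("memberOf", []):
            if (key(group), key(dn)) not in forward:
                errors.append(
                    f"orphaned backlink attribute 'memberOf' in {dn} for link member in {group}")
    return errors


# Constructed sample mirroring the state the report describes: the group's
# member link was stored with lower-case prefixes, the user's DN is canonical.
USER = "CN=stduser,CN=Users,DC=my,DC=example,DC=com"
GROUP = "CN=Domain Users,CN=Users,DC=my,DC=example,DC=com"
GUID = "a2af069a-8569-4019-9101-1872cccf4ae2"  # GUID quoted in the dbcheck output
SAMPLE = {
    USER: {"memberOf": [GROUP]},
    GROUP: {"member": [f"<GUID={GUID}>;cn=stduser,cn=Users,dc=my,dc=example,dc=com"]},
}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"case_sensitive={mode}:")
        for err in check_links(SAMPLE, case_sensitive=mode):
            print("  ERROR:", err)
```

The lenient pass still reports the "incorrect DN string component" line because the stored string differs from the object's canonical DN even though it resolves correctly; that is the cosmetic inconsistency a normalising writer would avoid by storing the target's canonical DN rather than the string the ldif supplied.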
Rowland Penny
2014-Oct-08 17:14 UTC
[Samba] BUG : ldif "dn" prefixes case sensitivity (and primaryGroupID module)
On 08/10/14 16:45, Prunk Dump wrote:
> Hi samba team !
>
> I have found a very strange bug when changing my user's primaryGroupID
> with ldif files. The bug is very easy to reproduce :
>
> 1) Create a user, create a group, add the user to the group
> -------------------------------
> ~# samba-tool user add stduser
> User 'stduser' created successfully
>
> ~# samba-tool group add stdgroup
> Added group stdgroup
>
> ~# samba-tool group addmembers stdgroup stduser
> Added members to group stdgroup
> -------------------------------
>
> 2) Get the group sid, and change the user's primaryGroupID with the dn
> prefixes in lower case :
> -------------------------------
> ~# ldbsearch -H /usr/local/samba/private/sam.ldb '(cn=stduser)' cn
> primaryGroupID memberOf
> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
> cn: stduser
> primaryGroupID: 513
> memberOf: CN=stdgroup,CN=Users,DC=my,DC=example,DC=com
>
> ~# wbinfo --name-to-sid=stdgroup
> S-1-5-21-1691533938-518786298-626738373-3385 SID_DOM_GROUP (2)
>
> ~# cat /tmp/chggrp.ldif
> dn: cn=stduser,cn=Users,dc=my,dc=example,dc=com
> changetype: modify
> replace: primarygroupid
> primarygroupid: 3385
>
> ~# ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/chggrp.ldif
> Modified 1 records successfully
> -------------------------------
>
> 3) Now it's impossible to remove the user from the "Domain Users"
> group ! And there are errors in the ldb base !
> The group membership is one time written with lower case prefixes and
> one time with upper case prefixes :
> -------------------------------
> ~# samba-tool group removemembers "Domain Users" stduser
> Removed members from group Domain Users
>
> ~# samba-tool group listmembers "Domain Users" | grep stduser
> stduser
>
> ~# samba-tool dbcheck | grep stduser
> ERROR: incorrect DN string component for member in object CN=Domain
> Users,CN=Users,DC=my,DC=example,DC=com -
> <GUID=a2af069a-8569-4019-9101-1872cccf4ae2>;cn=stduser,cn=Users,dc=my,dc=example,dc=com
> ERROR: orphaned backlink attribute 'memberOf' in
> CN=stduser,CN=Users,DC=my,DC=example,DC=com for link member in
> CN=Domain Users,CN=Users,DC=my,DC=example,DC=com
> -------------------------------
>
> !! If the dn prefixes are written in upper case like below, there are
> no problems !!
> -------------------------------
> ~# cat /tmp/chggrp2.ldif
> dn: CN=stduser,CN=Users,DC=my,DC=example,DC=com
> changetype: modify
> replace: primarygroupid
> primarygroupid: 3385
> -------------------------------
>
> The problem occurs when the primaryGroupID is changed and when the
> "memberOf" attribute needs to be added. The case is not checked.
>
> Thanks !

Hi, why are you trying to remove a user from Domain Users ? I take it that you don't want them to access the network etc.

If you examine **any** AD user, you will not find a 'memberOf' attribute pointing to 'Domain Users'; also, you do not add or remove the 'memberOf' attribute, AD does this for you when you add/remove a user to/from a group.

You can change a user's primarygroupid, but there is little point to this and it entails a lot of hassle. I would suggest doing what most people do: create a group, add the user to this group and then use ACLs to restrict access to members of this group on any shares etc.

Rowland