Björn Petersen
2003-Aug-26 10:27 UTC
[Samba] samba3.0.0rc1 - Problems managing groups with UsrMgr
Dear list,

I have two problems managing groups from a Win2kSP2 client using UserManager for domains. My Linux users and groups are stored in OpenLDAP using pam_ldap+nss_ldap from Padl. Because the groups use the ou=Group organizationalUnit, I have set "ldap group suffix = ou=Group" in smb.conf (using ldapsam as passdb backend). So the Linux group and the sambaGroupMapping use the same LDAP entry.

First problem:
--------------

If I try to delete a group using UsrMgr, I get the message "Access Denied". Nevertheless the group and the groupmapping are deleted, because I delete the whole LDAP entry (including the groupmapping) in the "delete group script". Therefore, I checked the source, and in rpc_server/srv_samr_nt.c I found the order in which Samba deletes groups:

1. check if the Linux group exists
2. call the "delete group script"
3. check if the Linux group is gone
4. delete the groupmapping

I think my problem is in step "4. delete the groupmapping". This, of course, failed, because in the "delete group script" I delete the whole LDAP entry (the groupmapping, too). I don't know if I misconfigured something in Samba or in LDAP, but if I change the order in rpc_server/srv_samr_nt.c (near line 3860) as follows:

1. check if the Linux group exists
2. delete the groupmapping
3. call the "delete group script"
4. check if the Linux group is gone

this works without any error messages. But I am not sure whether this is the right way!?!

Second problem:
---------------

If I try to modify a group using UsrMgr, I get the message "The groupname could not be found" (this is a translation from the German version). If I add and/or delete a user to/from a group, the scripts "delete user from group" and/or "add user to group" are successfully called. There is also no error message if I change the description of a group. Therefore, I checked the source and found this in passdb/pdb_ldap.c (near line 2007):

    if (mods == NULL) {
        DEBUG(4, ("........
        return NT_STATUS_UNSUCCESSFUL;

If I change the return value from NT_STATUS_UNSUCCESSFUL to NT_STATUS_OK, everything works fine without any error messages. But, same as above, I am not sure whether this is the right way!?!

Any comments, notes, help etc. are welcome. Thank you for your time!

Cheers,
Bjoern
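
Added example, not part of the original post and not Samba source: a small C model of the two deletion orders described under "First problem", for a directory where the Linux group and the group mapping share one LDAP entry. The struct, enum and function names are hypothetical; the model also covers a failing delete script, which the post does not discuss.

```c
/* Constructed model, not Samba code: one LDAP entry carries both the
 * posixGroup and the sambaGroupMapping, as in the setup in the post. */
#include <stdbool.h>
#include <stdio.h>

struct entry { bool exists, has_posix_group, has_mapping; };
enum result { OK, ERR_NO_GROUP, ERR_SCRIPT, ERR_MAPPING };

struct entry shared_entry(void) { struct entry e = { true, true, true }; return e; }

/* The post's "delete group script": removes the whole entry.
 * script_works == false models a script that fails and changes nothing. */
static void run_delete_script(struct entry *e, bool script_works) {
    if (script_works) e->exists = e->has_posix_group = e->has_mapping = false;
}
static bool group_exists(const struct entry *e) { return e->exists && e->has_posix_group; }

/* Removing the mapping fails when there is nothing left to remove. */
static bool delete_mapping(struct entry *e) {
    if (!e->exists || !e->has_mapping) return false;
    e->has_mapping = false;
    return true;
}

/* Order the post found in rpc_server/srv_samr_nt.c: script, then mapping. */
enum result delete_script_first(struct entry *e, bool script_works) {
    if (!group_exists(e)) return ERR_NO_GROUP;
    run_delete_script(e, script_works);
    if (group_exists(e)) return ERR_SCRIPT;
    return delete_mapping(e) ? OK : ERR_MAPPING;   /* step 4 fails here */
}

/* Order the post proposes: mapping, then script. */
enum result delete_mapping_first(struct entry *e, bool script_works) {
    if (!group_exists(e)) return ERR_NO_GROUP;
    if (!delete_mapping(e)) return ERR_MAPPING;
    run_delete_script(e, script_works);
    return group_exists(e) ? ERR_SCRIPT : OK;      /* mapping is already gone */
}

int main(void) {
    struct entry a = shared_entry(), b = shared_entry(), c = shared_entry();
    printf("script first:  %d\n", delete_script_first(&a, true));
    printf("mapping first: %d\n", delete_mapping_first(&b, true));
    enum result r = delete_mapping_first(&c, false);
    printf("mapping first, script fails: %d, mapping left: %d\n", r, c.has_mapping);
    return 0;
}
```

In this model the reordered sequence succeeds, but a delete script that fails leaves the Linux group in place with its mapping already removed.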