samba - Apr 2017 - Unable to add a particular member to group (Samba 4.6.3)

The user exists in AD:

- I can see the user using 'wbinfo', 'samba-tool user list'

- I can add the user to a group with 'Active Directory Users and 
Computers' in Windows 2008R2

- It's seems impossible to use 'samba-tool group addmembers foogroup 
foouser'

I looked at the user's attributes but can't find anything different from
any other user that works properly.

Any other ideas?


Le 2017-04-25 à 11:50, Rowland Penny via samba a écrit :
> On Tue, 25 Apr 2017 10:36:54 -0400
> Luc Lalonde via samba <samba at lists.samba.org> wrote:
>
>> Hello Folks,
>>
>> I'm getting this strange error when I try to add a particular
member
>> to a group:
>>
>> [root at roquefort admin]# /usr/local/samba/bin/samba-tool group
>> addmembers foogroup foouser
>> ERROR(exception): Failed to add members "foouser" to group
"foogroup"
>> - Unable to find "foouser". Operation cancelled.
>>     File
>>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/group.py",
>> line 239, in run
>>       add_members_operation=True)
>>     File
>>
"/usr/local/samba/lib64/python2.6/site-packages/samba/samdb.py", line
>> 274, in add_remove_group_members raise Exception('Unable to find
>> "%s". Operation cancelled.' % member)
>>
>> However, it seems to work for another account:
>>
>> [root at roquefort admin]# /usr/local/samba/bin/samba-tool group
>> addmembers foogroup foouser2
>> Added members to group foogroup
>> [root at roquefort admin]# /usr/local/samba/bin/samba-tool group
>> removemembers foogroup foouser2
>> Removed members from group foogroup
>>
>> Anyone have an idea what's causing this?   I even tried to
re-create
>> the 'foouser' account and I get the same error.
>>
> Does the user exist in AD ?
> If you run 'wbinfo -u | grep foouser' do you get any output ?
> Does 'samba-tool user list | grep foouser' show the user ?
>
> If the user does exist in AD, then I suggest you compare the
'foouser'
> object in AD with the object for 'foouser2'
>
> Rowland
>
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------

On Tue, 25 Apr 2017 14:31:51 -0400
Luc Lalonde <Luc.Lalonde at polymtl.ca> wrote:
> The user exists in AD:
> 
> - I can see the user using 'wbinfo', 'samba-tool user list'
> 
> - I can add the user to a group with 'Active Directory Users and 
> Computers' in Windows 2008R2
> 
> - It's seems impossible to use 'samba-tool group addmembers
foogroup
> foouser'
> 
> I looked at the user's attributes but can't find anything different
> from any other user that works properly.
> 
> Any other ideas?
The code that is failing (if it is the code) is this:

            for member in members:
                targetmember = self.search(base=self.domain_dn(),
scope=ldb.SCOPE_SUBTREE,
                                   
expression="(|(sAMAccountName=%s)(CN=%s))" % (
                    ldb.binary_encode(member), ldb.binary_encode(member)),
attrs=[])

                if len(targetmember) != 1:
                    raise Exception('Unable to find "%s".
Operation
                    cancelled.' % member)

I have a thought, but can you post the AD object of the failing user,
you can sanitize it if you like, but please keep context

You can send it to me off list, if you would rather not post it online.

Rowland

On Tue, Apr 25, 2017 at 3:31 PM, Luc Lalonde via samba <
samba at lists.samba.org> wrote:
> The user exists in AD:
>
> - I can see the user using 'wbinfo', 'samba-tool user list'
>
> - I can add the user to a group with 'Active Directory Users and
> Computers' in Windows 2008R2
>
> - It's seems impossible to use 'samba-tool group addmembers
foogroup
> foouser'
>
> I looked at the user's attributes but can't find anything different
from
> any other user that works properly.
>
> Any other ideas?
>
>
I have the exact same problem on 4.5.1.  The user I was having a problem
with was deleted and recreated I believe.

Dale

This is the case for this user too...   Could it be that Samba is trying 
to work with the old SID???


Le 2017-04-26 à 10:47, Dale Renton via samba a écrit :
> On Tue, Apr 25, 2017 at 3:31 PM, Luc Lalonde via samba <
> samba at lists.samba.org> wrote:
>
>> The user exists in AD:
>>
>> - I can see the user using 'wbinfo', 'samba-tool user
list'
>>
>> - I can add the user to a group with 'Active Directory Users and
>> Computers' in Windows 2008R2
>>
>> - It's seems impossible to use 'samba-tool group addmembers
foogroup
>> foouser'
>>
>> I looked at the user's attributes but can't find anything
different from
>> any other user that works properly.
>>
>> Any other ideas?
>>
>>
> I have the exact same problem on 4.5.1.  The user I was having a problem
> with was deleted and recreated I believe.
>
> Dale
-- 
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------