Samba AD - multiple objects issue #7286

@nrauso

Description

In a Samba AD database, multiple objects with the same CN (e.g., a user and a machine account) can coexist.
In such cases, the scripts that manage users and groups cannot distinguish between the object types, leading to errors when managing groups.

For example:

# samba-tool group addmembers mygroup myuser
ERROR: Failed to add members ['myuser'] to group "mygroup" - Found multiple results for "myuser":
CN=MYUSER,CN=Computers,DC=ad,DC=test,DC=it
CN=myuser,CN=Users,DC=ad,DC=test,DC=it

To prevent this issue, we can use the --object-types=user option when invoking the addmembers and removemembers commands.
This option filters the search to include only the specified object types:

--object-types=OBJECT_TYPES
                        Comma separated list of object types. The types are
                        used to filter the search for the specified members.
                        Valid values are: user, group, computer,
                        serviceaccount, contact and all. Default:
                        user,group,computer

Using this option ensures that only the necessary object type is considered, allowing the command to execute successfully:

# samba-tool group addmembers mygroup myuser --object-types=user
Added members to group mygroup

# samba-tool group removemembers mygroup myuser --object-types=user
Removed members from group mygroup

To resolve this behavior systematically, we should add the --object-types option to the alter-group scripts:

$ diff -u /home/samba1/.config/actions/alter-group/50alter_group{.ori,}
--- /home/samba1/.config/actions/alter-group/50alter_group.ori    2024-12-10 12:44:57.000000000 +0100
+++ /home/samba1/.config/actions/alter-group/50alter_group    2025-01-28 10:45:40.234154227 +0100
@@ -39,8 +39,8 @@
 
     add_members = new_members - old_members
     if add_members:
-        subprocess.run(sambatool_cmd + ['group', "addmembers", group, ','.join(add_members)], stdout=sys.stderr, check=True, text=True)
+        subprocess.run(sambatool_cmd + ['group', "addmembers", group, ','.join(add_members), '--object-types=user'], stdout=sys.stderr, check=True, text=True)
 
     rem_members = old_members - new_members
     if rem_members:
-        subprocess.run(sambatool_cmd + ['group', "removemembers", group, ','.join(rem_members)], stdout=sys.stderr, check=True, text=True)
+        subprocess.run(sambatool_cmd + ['group', "removemembers", group, ','.join(rem_members), '--object-types=user'], stdout=sys.stderr, check=True, text=True)
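Review bot: Hard-coding '--object-types=user' in both the addmembers and removemembers calls narrows the member lookup from the default user,group,computer (per the help text quoted above) to users only, so any name in add_members or rem_members that refers to a group or a computer account would no longer match the filtered search. If the alter-group action is only ever given user names, state that in a comment next to these calls; otherwise pass the object type in from the caller instead of fixing it here. The literal is also repeated in both calls; defining it once (for example as a module-level constant) and appending it in both places keeps the add and remove paths in sync.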

Labels: verified (All test cases were verified successfully)

Status: Done