From c9d8e96d2b1f12605585c0c2b3a037f9e45fe64c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bj=C3=B6rn=20Baumbach?=
Date: Tue, 26 Nov 2024 15:46:02 +0100
Subject: [PATCH] python/samdb: fix group member removal by SID
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Otherwise the removal of groupmembers by SID fails silently, because the DN does not match the the DN in group member list.
Pair-programmed-with: Stefan Metzmacher
Signed-off-by: Stefan Metzmacher
Signed-off-by: Björn Baumbach
Reviewed-by: Jule Anger
---
 python/samba/samdb.py | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 96dc9171fd0..596411be9e0 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -387,8 +387,11 @@ lockoutTime: 0
 self.transaction_start()
 try:
- targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
- expression=groupfilter, attrs=['member'])
+ targetgroup = self.search(base=self.domain_dn(),
+ scope=ldb.SCOPE_SUBTREE,
+ expression=groupfilter,
+ controls=["extended_dn:1:1"],
+ attrs=['member'])
 if len(targetgroup) == 0:
 raise Exception('Unable to find group "%s"' % groupname)
 assert(len(targetgroup) == 1)
@@ -405,6 +408,7 @@ changetype: modify
 if member_base_dn is None:
 member_base_dn = self.domain_dn()
+ membersid = None
 try:
 membersid = security.dom_sid(member)
 targetmember_dn = "" % str(membersid)
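Review bot: The new `controls=["extended_dn:1:1"]` argument deserves a comment, because it changes the shape of every `member` value the rest of this method compares against and nothing in the hunk says so; suggest `# extended DNs: each member value also carries its GUID/SID (where the object has one), so membership can be checked by SID` above the `self.search(` call. The enclosing method starts before the hunk.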
@@ -439,13 +443,33 @@ changetype: modify
 raise Exception('Unable to find "%s". Operation cancelled.' % member)
 targetmember_dn = targetmember[0].dn.extended_str(1)
- if add_members_operation is True and (targetgroup[0].get('member') is None or get_bytes(targetmember_dn) not in targetgroup[0]['member']):
+ def _is_member(samdb, group, member_dn, member_sid):
+ if group.get('member') is None:
+ return False
+
+ for m in group.get('member'):
+ m_ext_dn = ldb.Dn(samdb, str(m))
+ m_binary_sid = m_ext_dn.get_extended_component("SID")
+ if m_binary_sid:
+ m_sid = ndr_unpack(security.dom_sid, m_binary_sid)
+ if member_sid == m_sid:
+ return True
+ if member_dn == str(m_ext_dn):
+ return True
+
+ return False
+
+ is_member = _is_member(self,
+ targetgroup[0],
+ targetmember_dn,
+ membersid)
+ if add_members_operation is True and not is_member:
 modified = True
 addtargettogroup += """add: member
 member: %s
 """ % (str(targetmember_dn))
- elif add_members_operation is False and (targetgroup[0].get('member') is not None and get_bytes(targetmember_dn) in targetgroup[0]['member']):
+ elif add_members_operation is False and is_member:
 modified = True
 addtargettogroup += """delete: member
 member: %s
-- 
2.47.3
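Review bot: The DN fallback `if member_dn == str(m_ext_dn):` in `_is_member` compares `targetmember_dn`, produced by `extended_str(1)` in the context line above the removed `if`, against `str()` of a member value that the new `extended_dn:1:1` control now returns with `<GUID=…>;<SID=…>` prefixes; as far as I recall `str()` on an `ldb.Dn` is the linearized form without those prefixes, so this only matches while the member search outside this hunk returns plain DNs, and for a member resolved by name `membersid` is still the `None` hunk 2 introduces, making this string compare the only match path. Comparing DN objects, `if m_ext_dn == ldb.Dn(samdb, member_dn):`, ignores extended components on either side and removes that hidden dependency. `_is_member` is also defined inline, presumably once per member of the enclosing loop; a private module-level helper with a docstring stating that `member_sid` may be `None` would read better. Because a removal that matches nothing still leaves `modified` False, callers cannot tell "removed" from "was never a member", which is exactly the silent failure the commit describes; a log line or exception on that path (outside this hunk) would make the next regression visible. The enclosing method starts before the hunk and its last context line is cut off at the end of the page.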