Darshaka Pathirana
2024-Feb-06 11:39 UTC
[Samba] samba-tool ldapcmp: LDAP error 32 LDAP_NO_SUCH_OBJECT
Hi all,

can someone confirm if `samba-tool ldapcmp` causes problems with special characters like `?` or maybe Umlauts in the CN?

```
% samba-tool ldapcmp --use-kerberos=required ldap://dc01.ag.example.com ldap://dc02.ag.example.com

* Comparing [DOMAIN] context...

* Objects to be compared: 1533
LdbError for dn CN=M GR?SS,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
LdbError for dn CN=I F?SSL,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
LdbError for dn CN=T AUSSERHOFER,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')

* Result for [DOMAIN]: SUCCESS

[...]

% samba-tool -V
4.17.12-Debian

% lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
```

Running `ldbsearch` on dc01 and dc02 does not show anything suspicious. Called like this (JFTR):

```
% ldbsearch -H ldap://dc01.ag.example.com --use-kerberos required '(&(objectclass=person)(sAMAccountName=ifoessl))'
[...]

% ldbsearch -H ldap://dc02.ag.example.com --use-kerberos required '(&(objectclass=person)(sAMAccountName=ifoessl))'
[...]
```

Anything else I should/can investigate?

Thanks,
 - Darsha
Darshaka Pathirana
2024-Feb-06 15:29 UTC
[Samba] samba-tool ldapcmp: LDAP error 32 LDAP_NO_SUCH_OBJECT
Addendum:

> [...]
> ```
> % samba-tool ldapcmp --use-kerberos=required ldap://dc01.ag.example.com ldap://dc02.ag.example.com
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1533
> LdbError for dn CN=M GR?SS,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
> LdbError for dn CN=I F?SSL,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
> LdbError for dn CN=T AUSSERHOFER,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
> [...]
> ```
>
> [...]
>
> Running `ldbsearch` on dc01 and dc02 does not show anything suspicious. Called like this (JFTR):
>
> ```
> % ldbsearch -H ldap://dc01.ag.example.com --use-kerberos required '(&(objectclass=person)(sAMAccountName=ifoessl))'
> [...]
>
> % ldbsearch -H ldap://dc02.ag.example.com --use-kerberos required '(&(objectclass=person)(sAMAccountName=ifoessl))'
> [...]
> ```

I didn't notice this at first: not only are these the only objects with a "?" in the CN (so umlauts are not a problem), but ldapcmp shows double s (SS) in capital letters instead of a ?.

Could it be that making the strings uppercase (via ldapcmp) is causing the problem?

```
% ldbsearch -H ldap://dc01 --use-kerberos required '(&(objectclass=person))' | grep "?"
dn: CN=T Au?erhofer,CN=Users,DC=ag,DC=example,DC=com
dn: CN=M Gr??,CN=Users,DC=ag,DC=example,DC=com
dn: CN=I F??l,CN=Users,DC=ag,DC=example,DC=com
```

(Also note that I replaced the real domain with "example", but did not make it uppercase in the output above).

Regards,
 - Darsha
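The uppercasing question raised in the addendum can be checked offline. The following is an added example, not part of the original posts and not ldapcmp's own code: it flags DNs containing a character such as `ß`, whose uppercase form is the two letters `SS`, so the uppercased DN no longer matches the stored one under a per-character case-insensitive comparison. The sample DNs and the helper names (`expanding_chars`, `simple_match`, `audit`) are constructed assumptions.

```python
import unicodedata

# Constructed sample DNs (not taken from the thread's directory).
SAMPLE_DNS = [
    "CN=H Weiß,CN=Users,DC=ag,DC=example,DC=com",
    "CN=J Müller,CN=Users,DC=ag,DC=example,DC=com",
    "CN=A Smith,CN=Users,DC=ag,DC=example,DC=com",
    "CN=K Straße,CN=Users,DC=ag,DC=example,DC=com",
]


def expanding_chars(dn):
    """Return the characters whose uppercase form is not a single code point."""
    return sorted({ch for ch in dn if len(ch.upper()) != 1})


def simple_match(a, b):
    """Per-character case-insensitive equality.

    One code point is compared with one code point, so 'ß' never equals
    the two letters 'SS'. Assumption: this stands in for a directory-side
    comparison that does not apply full Unicode case folding.
    """
    a = unicodedata.normalize("NFC", a)
    b = unicodedata.normalize("NFC", b)
    return len(a) == len(b) and all(x.lower() == y.lower() for x, y in zip(a, b))


def audit(dns):
    """Map each DN that stops matching itself after str.upper() to the
    characters responsible."""
    report = {}
    for dn in dns:
        if not simple_match(dn, dn.upper()):
            report[dn] = expanding_chars(dn)
    return report


if __name__ == "__main__":
    for dn, chars in audit(SAMPLE_DNS).items():
        print(f"{dn!r}: upper() -> {dn.upper()!r} (expands: {chars})")
```

Umlauts survive the round trip because `ü` and `Ü` are one code point each; only DNs with expanding characters are reported.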