mathias dufresne
2016-May-26 15:35 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
2016-05-26 13:51 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Parentheses are not yet a good idea with Samba. A colleague created users
> with parentheses in CN field and we just can't use ldbsearch to look for
> them, as long as we set parentheses in LDAP filter. We must use wildcard to
> avoid the bug (bug because we can use escaped parentheses in filters with
> ldapsearch, I can be totally wrong but I do believe if ldapsearch permits
> parentheses the protocol permits it. I insist: no idea who's right between
> Samba and ldapsearch).
>

Stupid me!

https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx

So we can simply replace parentheses and other special characters with necessary codes. Some MS behaviour well reproduced, not a bug, mea culpa : )

>
> So I would try to remove parentheses from CN=Produktion A-Studio (alt?).
> In fact I would also remove "?" as it is used as wildcard in lot of stuffs
> and could easily be a source of issue(s).
>
> How to proceed as you can't delete it?
> First for convenience and if you like nano (nobody's perfect ;p ) you can
> "export EDITOR=/path/to/your/nano" to avoid "-e nano" on command line. Add
> that export to your .bashrc and other apps needing an editor would have a
> chance to use nano too.
>
> Back to ldbedit:
> ldbedit -H $sam 'CN=Guest,CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr'
> no matching records - cannot edit
>
> Damned! Why? ldbedit is not working with DN as do ldbdel but use searches
> as do most of tools. The right way to use is:
> ldbedit -H $sam 'CN=Guest' -b 'CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr'
> # 0 adds 0 modifies 0 deletes
>
> What's the difference?
> I've added "-b" switch to tell ldbedit where to start its search:
> 'CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr'
> And I specified some filter to retrieve a bunch of objects into the branch
> I specified:
> 'CN=Guest'
>
> Your command would be:
> ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb -b "CN=Users,DC=srg2,DC=local" "CN=Produktion A-Studio (alt?)"
>
> Hoping this could help you to get a solution,
>
> mathias
>
> 2016-05-26 11:44 GMT+02:00 Niels Dettenbach <nd at syndicat.com>:
>
>> Hi colleagues,
>>
>> it seems i've hit a bug in SAMBA as follows:
>>
>> The local windows network admin of our local radio station filled /
>> transferred some user account data into our new FreeNAS by the Win RSAT.
>> We are setting up SAMBA as a PDC incl. directory service and use the
>> current stable FreeNAS with its current SAMBA "4.3.6-GIT-UNKNOWN"
>>
>> One account name
>>
>> "produktion-a"
>>
>> resulted in some "weird" chars within the CN string:
>>
>> CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local
>>
>> which seems to make further problems - i.e. the records inaccessible by
>> samba-tool and ldbedit:
>>
>> ~# samba-tool dbcheck --fix
>> Checking 448 objects
>> ERROR: incorrect GUID component for member in object CN=redaktion,CN=Users,DC=srg2,DC=local - <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local
>> unable to find object for DN CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local)
>> Not removing dangling forward link
>> ERROR: incorrect GUID component for member in object CN=freie,CN=Users,DC=srg2,DC=local - <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local
>> unable to find object for DN CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local)
>> Not removing dangling forward link
>> ERROR: incorrect GUID component for member in object CN=radioclient,CN=Users,DC=srg2,DC=local - <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local
>> unable to find object for DN CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local)
>> Not removing dangling forward link
>> Checked 448 objects (3 errors)
>>
>> Automatic fixing seems not possible so far....
>>
>> I tried to recreate and delete the user "produktion-a" by samba-tool and
>> clean / get it work with ldbedit (incl. "--relax" option) - i.e.:
>>
>> - changing all occurrences of "Produktion A-Studio (alt?)" into
>>   "Produktion A-Studio alt"
>> - deleting all existing occurrences of this user (user record,
>>   membership records)
>>
>> and get errors like:
>>
>> ~#ldbedit --relax -e nano -H /var/db/system/samba4/private/sam.ldb
>> failed to delete CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local
>>
>> ~# ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb --cross-ncs "CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local"
>> no matching records - cannot edit
>>
>> For me it seems as the "?" or "()" in the identifier strings are breaking
>> some kind of policies (if so they did not had to be accepted) and/or make
>> it impossible to find / select the record and/or breaks references within
>> the DB.
>>
>> How can i reach that orphan records to get them out / cleaned?
>>
>> Many thanks for any help / hint.
>>
>> Niels.
>>
>> i.A.
>> StadtRadio Göttingen 107,1 MHz
>> http://www.stadtradio-goettingen.de
>>
>> --
>> ---
>> Niels Dettenbach
>> Syndicat IT & Internet
>> http://www.syndicat.com
>> PGP: https://syndicat.com/pub_key.asc
>> ---
Niels Dettenbach
2016-May-26 15:49 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
On Thursday, 26 May 2016, 17:35:15 you wrote:
> > So I would try to remove parentheses from CN=Produktion A-Studio (alt?).
> > In fact I would also remove "?" as it is used as wildcard in lot of stuffs
> > and could easily be a source of issue(s).

This was what i tried different ways - even fiddling with ldbedit over the full db dump. For me it seems the "" or ? was "confusing" the sam.ldb or ldbedit / db index / references ß)

> Your command would be:
> ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb -b "CN=Users,DC=srg2,DC=local" "CN=Produktion A-Studio (alt?)"

Many thanks, will give it a try tomorrow morning - would be nice if it eats that...

many thanks so far - will give some status if/when done.

Niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
Niels Dettenbach
2016-May-26 15:53 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
On Thursday, 26 May 2016, 17:35:15 you wrote:
> Stupid me!
>
> https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx
>
> So we can simply replace parentheses and other special characters with
> necessary codes. Some MS behaviour well reproduced, not a bug, mea culpa : )

chrrr - Ok,
does it mean i can try the substitute char codes instead too in my string -

like "\29 alt?\29"

or similar? Or is this conversion to do vice versa? Will definitely check that too. if plain "()" is not working...

Many thanks!

Niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
mathias dufresne
2016-May-26 15:57 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
I did a working search using the following:

ldbsearch -H $sam "cn=blablabla \28Join\29"

Of course $sam contains the path to the right sam.ldb but you already knew that ;)

2016-05-26 17:53 GMT+02:00 Niels Dettenbach <nd at syndicat.com>:

> On Thursday, 26 May 2016, 17:35:15 you wrote:
> > Stupid me!
> >
> > https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx
> >
> > So we can simply replace parentheses and other special characters with
> > necessary codes. Some MS behaviour well reproduced, not a bug, mea culpa
> > : )
>
> chrrr - Ok,
> does it mean i can try the substitute char codes instead too in my string -
>
> like "\29 alt?\29"
>
> or similar? Or is this conversion to do vice versa? Will definitely check
> that too. if plain "()" is not working...
>
> Many thanks!
>
> Niels.
> --
> ---
> Niels Dettenbach
> Syndicat IT & Internet
> http://www.syndicat.com
> PGP: https://syndicat.com/pub_key.asc
> ---
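
The filter escaping this thread arrives at, as an added example that is not part of any poster's message: it turns a literal CN into an LDAP search filter using the RFC 4515 escapes (`\5c`, `\2a`, `\28`, `\29`) and prints the resulting ldbsearch command instead of running it. The helper names `ldap_filter_escape`, `cn_filter` and `show_search` are hypothetical; the sam.ldb path and base DN are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, not part of Samba.

# Escape a literal value for use inside an LDAP search filter (RFC 4515).
# Backslash goes first so the escapes added afterwards are not re-escaped.
# '?' is not special in a filter and is left alone.
ldap_filter_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# Build an equality filter on cn from a literal common name.
cn_filter() {
    printf '(cn=%s)' "$(ldap_filter_escape "$1")"
}

# Print, rather than run, the search so the example works on a machine
# without a Samba database.
# $1 = sam.ldb path, $2 = search base, $3 = literal CN value
show_search() {
    printf "ldbsearch -H %s -b '%s' '%s' dn\n" "$1" "$2" "$(cn_filter "$3")"
}

# The object from the thread: only the filter is escaped, the base DN is not.
show_search /var/db/system/samba4/private/sam.ldb \
    'CN=Users,DC=srg2,DC=local' 'Produktion A-Studio (alt?)'
```

The same escaped filter can be passed to ldbedit with `-b`, as in the command suggested earlier in the thread.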