samba - Oct 2016 - Correcting "incorrect userParameters value on object...." ???

sernet-samba-4.2.14-23.el6.x86_64

Errors [on all DCs] related to incorrect userParameters values - on
user's that are working.  How does one go about rebuilding/correcting
this value?

[root at larkin28 ~]# samba-tool dbcheck --reset-well-known-acls --fix -
-yes
Checking 1743 objects
ERROR: incorrect userParameters value on object
CN=darrell,OU=Industries Users,DC=example,DC=com.  If you have another
working DC that does not give this warning, please run 'samba-tool drs
replicate --full-sync --local <destinationDC> <sourceDC>
DC=example,DC=com'
ERROR: incorrect userParameters value on object CN=dwoldt,OU=Industries
Users,DC=example,DC=com.  If you have another working DC that does not
give this warning, please run 'samba-tool drs replicate --full-sync -
-local <destinationDC> <sourceDC> DC=example,DC=com'
ERROR: incorrect userParameters value on object
CN=swalker,OU=Industries Users,DC=example,DC=com.  If you have another
working DC that does not give this warning, please run 'samba-tool drs
replicate --full-sync --local <destinationDC> <sourceDC>
DC=example,DC=com'
ERROR: incorrect userParameters value on object
CN=cskinner,OU=Industries Users,DC=example,DC=com.  If you have another
working DC that does not give this warning, please run 'samba-tool drs
replicate --full-sync --local <destinationDC> <sourceDC>
DC=example,DC=com'
ERROR: Not fixing ou='Windows 10 Laptop' on 'OU=Windows 10
laptop,DC=example,DC=com'
ERROR: incorrect userParameters value on object
CN=dcoulas,OU=Industries Users,DC=example,DC=com.  If you have another
working DC that does not give this warning, please run 'samba-tool drs
replicate --full-sync --local <destinationDC> <sourceDC>
DC=example,DC=com'
Checked 1743 objects (6 errors)


-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

On Thu, 2016-10-20 at 16:28 -0400, Adam Tauno Williams via samba
wrote:
> sernet-samba-4.2.14-23.el6.x86_64
> Errors [on all DCs] related to incorrect userParameters values - on
> user's that are working.  How does one go about rebuilding/correcting
> this value?
> [root at larkin28 ~]# samba-tool dbcheck --reset-well-known-acls --fix -
> -yes
> Checking 1743 objects
> ERROR: incorrect userParameters value on object
... it appears this attribute cannot be edited or deleted via LDAP
[ADSI Edit]. :(

On Thu, 2016-10-20 at 16:43 -0400, Adam Tauno Williams via samba
wrote:
> On Thu, 2016-10-20 at 16:28 -0400, Adam Tauno Williams via samba
> wrote:
> > 
> > sernet-samba-4.2.14-23.el6.x86_64
> > Errors [on all DCs] related to incorrect userParameters values - on
> > user's that are working.  How does one go about
> > rebuilding/correcting
> > this value?
> > [root at larkin28 ~]# samba-tool dbcheck --reset-well-known-acls --fix
> > -
> > -yes
> > Checking 1743 objects
> > ERROR: incorrect userParameters value on object
> 
> ... it appears this attribute cannot be edited or deleted via LDAP
> [ADSI Edit]. :(
Yes.  As operations over LDAP are meant to be with the 'utf8' version
of the attribute, we banned modification, as we felt that would only
corrupt the record further.

I realise this area is a bit of a debarcle.  The tested dbcheck fixes
seem to have done exactly the opposite of what was required, and only
comprehensive multi-protocol tests will untangle this mess.  I've
written before about what is required, as we have to get LDAP, SAMR,
NETLOGON and Kerberos (for the PAC) all handling this 'binary data
shoved in a string by a simple cast' data consistently.  LDAP is a
particular difficulty as it is traditionally utf8, but encoding binary
data as if it was utf16 to convert to utf8 is not safe or reversible in
general.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba