Andrew Bartlett
2016-Oct-21 10:25 UTC
[Samba] Correcting "incorrect userParameters value on object...." ???
On Thu, 2016-10-20 at 16:43 -0400, Adam Tauno Williams via samba wrote:
> On Thu, 2016-10-20 at 16:28 -0400, Adam Tauno Williams via samba wrote:
> >
> > sernet-samba-4.2.14-23.el6.x86_64
> > Errors [on all DCs] related to incorrect userParameters values - on
> > users that are working. How does one go about rebuilding/correcting
> > this value?
> > [root at larkin28 ~]# samba-tool dbcheck --reset-well-known-acls --fix --yes
> > Checking 1743 objects
> > ERROR: incorrect userParameters value on object
>
> ... it appears this attribute cannot be edited or deleted via LDAP
> [ADSI Edit]. :(

Yes. As operations over LDAP are meant to be with the 'utf8' version of the attribute, we banned modification, as we felt that would only corrupt the record further.

I realise this area is a bit of a debacle. The tested dbcheck fixes seem to have done exactly the opposite of what was required, and only comprehensive multi-protocol tests will untangle this mess. I've written before about what is required, as we have to get LDAP, SAMR, NETLOGON and Kerberos (for the PAC) all handling this 'binary data shoved in a string by a simple cast' data consistently. LDAP is a particular difficulty as it is traditionally utf8, but encoding binary data as if it was utf16 to convert to utf8 is not safe or reversible in general.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
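
The point in the reply above about treating binary data as UTF-16 and converting it to UTF-8, as an added Python sketch that is not part of the original thread and is not Samba code: it pushes constructed byte strings through that conversion and back and reports whether the bytes survive. The function name and the sample blobs are assumptions made for illustration.

```python
# Added illustration. The sample blobs are constructed, not real
# userParameters values from any directory.

def round_trip(blob: bytes, errors: str = "strict"):
    """Treat blob as UTF-16LE text, convert to UTF-8, then convert back.

    Returns (ok, result): ok is True only when the original bytes come
    back unchanged; result is the recovered bytes, or a reason string
    when the strict conversion refuses the input.
    """
    try:
        as_utf8 = blob.decode("utf-16-le", errors=errors).encode("utf-8")
    except UnicodeDecodeError as exc:
        return False, f"cannot convert: {exc.reason}"
    back = as_utf8.decode("utf-8").encode("utf-16-le")
    return back == blob, back

# Real text stored as UTF-16LE: survives.
TEXT_LIKE = "plain text".encode("utf-16-le")
# Binary that happens to form valid code units (U+0201, U+0403): survives.
LUCKY_BINARY = b"\x01\x02\x03\x04"
# Binary containing 0xD800 (a high surrogate) followed by 0x0041:
# not well-formed UTF-16, so it has no UTF-8 representation.
LONE_SURROGATE = b"\x00\xd8\x41\x00"
# Binary with an odd byte count: the last byte is not a full code unit.
ODD_LENGTH = b"\x01\x02\x03"

SAMPLES = {
    "text": TEXT_LIKE,
    "lucky binary": LUCKY_BINARY,
    "lone surrogate": LONE_SURROGATE,
    "odd length": ODD_LENGTH,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        # Strict mode rejects bad input outright; "replace" mode accepts
        # it but substitutes U+FFFD, silently changing the stored bytes.
        for mode in ("strict", "replace"):
            ok, result = round_trip(blob, errors=mode)
            print(f"{name:15} {mode:8} ok={ok} result={result!r}")
```

In strict mode the malformed blobs are rejected; in replace mode they are accepted but come back as different bytes, which is the corruption case for an attribute that really holds binary data.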
Adam Tauno Williams
2016-Oct-21 16:04 UTC
[Samba] Correcting "incorrect userParameters value on object...." ???
On Fri, 2016-10-21 at 23:25 +1300, Andrew Bartlett wrote:
> > > Checking 1743 objects
> > > ERROR: incorrect userParameters value on object
> > ... it appears this attribute cannot be edited or deleted via LDAP
> > [ADSI Edit]. :(
> comprehensive multi-protocol tests will untangle this mess. I've
> written before about what is required, as we have to get LDAP, SAMR,
> NETLOGON and Kerberos (for the PAC) all handling this 'binary data
> shoved in a string by a simple cast' data consistently. LDAP is a
> particular difficulty as it is traditionally utf8, but encoding
> binary data as if it was utf16 to convert to utf8 is not safe or
> reversible in general.

So there is no way to simply clear/reset this value? I need to delete and recreate these users? [which is doable, I think]
Adam Tauno Williams
2016-Oct-25 14:39 UTC
[Samba] Correcting "incorrect userParameters value on object...." ???
On Fri, 2016-10-21 at 12:04 -0400, Adam Tauno Williams via samba wrote:
> On Fri, 2016-10-21 at 23:25 +1300, Andrew Bartlett wrote:
> > > > Checking 1743 objects
> > > > ERROR: incorrect userParameters value on object
> > > ... it appears this attribute cannot be edited or deleted via LDAP
> > > [ADSI Edit]. :(
> > comprehensive multi-protocol tests will untangle this mess. I've
> > written before about what is required, as we have to get LDAP, SAMR,
> > NETLOGON and Kerberos (for the PAC) all handling this 'binary data
> > shoved in a string by a simple cast' data consistently. LDAP is a
> > particular difficulty as it is traditionally utf8, but encoding
> > binary data as if it was utf16 to convert to utf8 is not safe or
> > reversible in general.
> So there is no way to simply clear/reset this value?

It appears I have been able to move past this particular error by using ldapmodify to delete the userParameters attribute.

dn: CN=$USER,OU=Industries Users,DC=EXAMPLE,DC=COM
changetype: modify
delete: userParameters

-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA