Denis CARDON
2021-Nov-10 17:52 UTC
[Samba] issue when upgrading to latest security release 4.14.10 when having multiple consecutive space in DN
Hi everyone, we have had this issue a few time today with latest 4.14 when upgrading client installations, so I thought it might be of interest for some of you all (I didn't have time to check if it was latest 4.14.10 or if it happened in some earlier version). If you have DN strings with consecutive space characters (yeah, it shouldn't happen, but if one can do it, it will be done), then the upgrade will break a few things. In the replication you'll get this kind of error message : [2021/11/10 15:15:33.150632, 1] ../../source4/dsdb/repl/replicated_objects.c:904(dsdb_replicated_objects_commit) Failed to apply records: operational_search_post_process failed for attribute 'parentGUID' - No such Base DN: CN=USERNAME Romain,OU=Sync Azure,DC=mydomain,DC=lan: Operations error [2021/11/10 15:15:33.150754, 0] ../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger) If you try a samba-tool dbcheck --cross-ncs, you'll may get this kind of error : ERROR: Object CN=USERNAME Romain,OU=Sync Azure,DC=mydomain,DC=lan disappeared during check Another symptom is that the search with an attribute (like samba-tool user show dcardon) does work, but a ldbsearch with a DN like below (beware of the two spaces) does not work 'CN=denis cardon,OU=test,DC=test,DC=lan' If you have this case, a reindex should fix it (it need to be run on each DC) samba-tool dbcheck --reindex Another option is to fix this before upgrade, or if it is already upgraded, downgrade, fix and then upgrade. If you have the case where you have two quasi-identical entries, one with two space and one with only one (ie CN=denis cardon, and CN=denis cardon), then you have to delete one of them before re-indexing (yeah we have seen this one today also). There seems to be a discrepancy in the way multiple spaces are handled in the index and in the DN string itself. Note : if you recreate an entry with multiple consecutive spaces after upgrade it seems to work though... Happy upgrading, cheers to the Samba team for all the great work, and happy holiday for everyone here in France! Denis
Douglas Bagnall
2021-Nov-11 03:56 UTC
[Samba] issue when upgrading to latest security release 4.14.10 when having multiple consecutive space in DN
Hi Denis! On 11/11/21 6:52 am, Denis CARDON via samba wrote:> Hi everyone, > > we have had this issue a few time today with latest 4.14 when upgrading > client installations, so I thought it might be of interest for some of you > all (I didn't have time to check if it was latest 4.14.10 or if it > happened in some earlier version). > > If you have DN strings with consecutive space characters (yeah, it > shouldn't happen, but if one can do it, it will be done), then the upgrade > will break a few things.That might be related to the fixes for https://bugzilla.samba.org/show_bug.cgi?id=14656 and https://bugzilla.samba.org/show_bug.cgi?id=14044 which are in 4.15, but were not previously backported. The intention was always to collapse internal spaces, but being broken may in fact have been correct, or sometimes correct. cheers, Douglas> In the replication you'll get this kind of error message : > > [2021/11/10 15:15:33.150632,? 1] > ../../source4/dsdb/repl/replicated_objects.c:904(dsdb_replicated_objects_commit) > > ? Failed to apply records: operational_search_post_process failed for > attribute 'parentGUID' - No such Base DN: CN=USERNAME? Romain,OU=Sync > Azure,DC=mydomain,DC=lan: Operations error > [2021/11/10 15:15:33.150754,? 0] > ../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger) > > > If you try a samba-tool dbcheck --cross-ncs, you'll may get this kind of > error : > > ERROR: Object CN=USERNAME? Romain,OU=Sync Azure,DC=mydomain,DC=lan > disappeared during check > > Another symptom is that the search with an attribute (like samba-tool user > show dcardon) does work, but a ldbsearch with a DN like below (beware of > the two spaces) does not work > 'CN=denis? cardon,OU=test,DC=test,DC=lan' > > If you have this case, a reindex should fix it (it need to be run on each DC) > samba-tool dbcheck --reindex > > Another option is to fix this before upgrade, or if it is already > upgraded, downgrade, fix and then upgrade. > > If you have the case where you have two quasi-identical entries, one with > two space and one with only one (ie CN=denis cardon, and CN=denis cardon), > then you have to delete one of them before re-indexing (yeah we have seen > this one today also). > > There seems to be a discrepancy in the way multiple spaces are handled in > the index and in the DN string itself. > > Note : if you recreate an entry with multiple consecutive spaces after > upgrade it seems to work though... > > Happy upgrading, cheers to the Samba team for all the great work, and > happy holiday for everyone here in France! > > Denis > > > > > > >