Darshaka Pathirana
2024-Feb-06 11:39 UTC
[Samba] samba-tool ldapcmp: LDAP error 32 LDAP_NO_SUCH_OBJECT
Hi all,
can someone confirm if `samba-tool ldapcmp` causes problems with special
characters like `?` or maybe Umlauts in the CN?
```
% samba-tool ldapcmp --use-kerberos=required ldap://dc01.ag.example.com
ldap://dc02.ag.example.com
* Comparing [DOMAIN] context...
* Objects to be compared: 1533
LdbError for dn CN=M GR?SS,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP
error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for
base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
LdbError for dn CN=I F?SSL,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP
error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for
base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
LdbError for dn CN=T AUSSERHOFER,CN=USERS,DC=AG,DC=example,DC=COM: (32,
'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving
instanceType for base. at
../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
* Result for [DOMAIN]: SUCCESS
[...]
% samba-tool -V
4.17.12-Debian
% lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
```
Running `ldbsearch` on dc01 and dc02 does not show anything suspicious. Called
like this (JFTR):
```
% ldbsearch -H ldap://dc01.ag.example.com --use-kerberos required
'(&(objectclass=person)(sAMAccountName=ifoessl))'
[...]
% ldbsearch -H ldap://dc02.ag.example.com --use-kerberos required
'(&(objectclass=person)(sAMAccountName=ifoessl))'
[...]
```
Anything else I should/can investigate?
Thanks,
- Darsha
Darshaka Pathirana
2024-Feb-06 15:29 UTC
[Samba] samba-tool ldapcmp: LDAP error 32 LDAP_NO_SUCH_OBJECT
Addendum:

> [...]
> ```
> % samba-tool ldapcmp --use-kerberos=required ldap://dc01.ag.example.com ldap://dc02.ag.example.com
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 1533
> LdbError for dn CN=M GR?SS,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
> LdbError for dn CN=I F?SSL,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
> LdbError for dn CN=T AUSSERHOFER,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT - <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
> [...]
> ```
>
> [...]
>
> Running `ldbsearch` on dc01 and dc02 does not show anything suspicious. Called like this (JFTR):
>
> ```
> % ldbsearch -H ldap://dc01.ag.example.com --use-kerberos required '(&(objectclass=person)(sAMAccountName=ifoessl))'
> [...]
>
> % ldbsearch -H ldap://dc02.ag.example.com --use-kerberos required '(&(objectclass=person)(sAMAccountName=ifoessl))'
> [...]
> ```

I didn't notice this at first: not only are these the only objects with a "?" in the CN (so umlauts are not a problem), but ldapcmp shows double s (SS) in capital letters instead of a ?. Could it be that making the strings uppercase (via ldapcmp) is causing the problem?
```
% ldbsearch -H ldap://dc01 --use-kerberos required '(&(objectclass=person))' | grep "?"
dn: CN=T Au?erhofer,CN=Users,DC=ag,DC=example,DC=com
dn: CN=M Gr??,CN=Users,DC=ag,DC=example,DC=com
dn: CN=I F??l,CN=Users,DC=ag,DC=example,DC=com
```
(Also note that I replaced the real domain with "example", but did not make it uppercase in the output above).
Regards,
- Darsha
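The uppercasing hypothesis from the addendum, as an added Python example (not code from the post or from samba-tool): `str.upper()` maps U+00DF (sharp s) to `SS`, so an upper-cased DN can be a different string from the one stored, while umlauts survive the round trip. The sample DNs, `ToyDirectory` and its matching rule are constructed assumptions for illustration.

```python
# Added illustration; not samba-tool's implementation. Sample DNs are constructed.

SAMPLE_LDBSEARCH = """\
dn: CN=A Stra\u00dfe,CN=Users,DC=ag,DC=example,DC=com
dn: CN=B M\u00fcller,CN=Users,DC=ag,DC=example,DC=com
dn: CN=C Smith,CN=Users,DC=ag,DC=example,DC=com
"""


def parse_dns(ldif_text):
    """Collect the values of 'dn: ' lines from ldbsearch-style output."""
    return [line[4:].strip() for line in ldif_text.splitlines()
            if line.startswith("dn: ")]


def upper_is_lossy(dn):
    """True if str.upper() changes the DN beyond letter case.

    U+00DF (sharp s) upper-cases to 'SS', which lower-cases to 'ss', so the
    round trip no longer equals the original; U+00FC (u-umlaut) survives it.
    """
    return dn.upper().lower() != dn.lower()


class ToyDirectory:
    """Stand-in for a DC. Assumption: DNs match case-insensitively, but a
    sharp s is not treated as equal to 'ss'."""

    def __init__(self, dns):
        self._by_key = {dn.lower(): dn for dn in dns}

    def search_base(self, dn):
        if dn.lower() not in self._by_key:
            raise LookupError("LDAP_NO_SUCH_OBJECT: " + dn)
        return self._by_key[dn.lower()]


def failed_lookups(directory, dns, normalise):
    """Look up each DN after applying `normalise`; return the DNs that fail."""
    failed = []
    for dn in dns:
        try:
            directory.search_base(normalise(dn))
        except LookupError:
            failed.append(normalise(dn))
    return failed


if __name__ == "__main__":
    dns = parse_dns(SAMPLE_LDBSEARCH)
    directory = ToyDirectory(dns)
    print("lossy under upper():", [d for d in dns if upper_is_lossy(d)])
    print("fail when upper-cased:", failed_lookups(directory, dns, str.upper))
    print("fail when unchanged:", failed_lookups(directory, dns, lambda d: d))
```

Feeding real `ldbsearch` output to `parse_dns` and filtering with `upper_is_lossy` lists the DNs worth checking first.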