Managing DNs in libads only in utf8

simo idra at
Tue Feb 27 15:47:13 GMT 2007

On Tue, 2007-02-27 at 09:26 -0600, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Simo,
> >> * I don't want to use an elephant gun to swat a fly.
> >>   In other words, the amount of pain we suffer from
> >>   the bug allows for a certain amount of currency to
> >>   pay for the size of the change to fix it.
> > 
> > No elefant gun, I did the job of checking every single 
> > use of a DN coming out from libads in less then 6
> > hours while also changing the code. Changing the DN to
> > a struct will make checking for it much easier
> > as the compiler will help find out every single inconsistency 
> > that I may miss by just manually checking.
> I still need an example of how to reproduce the original
> bug before I can review this.

Easiest way:

Set unix charset = ASCII
Create an AD user with a non ASCII character in the DN (you can keep the
pre-Windows2000 name ASCII that doesn't matter).
Add that user to a group.

The user will not be reported as member of that group by nss_winbind
because the utf8->ASCII->utf8 conversion alters the DN.

Change the DN back to be ASCII and as soon as the winbindd cache expires
the user magically appears back as member of the group.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at

More information about the samba-technical mailing list