Review on crackname patch

Matthieu Patou mat at
Sun Jul 31 01:20:42 MDT 2011

On 31/07/2011 04:32, Andrew Bartlett wrote:
> On Sun, 2011-07-31 at 01:08 +0400, Matthieu Patou wrote:
>> Hello Metze&  Tridge,
>> Can one of you have a look on the first patch and check the resolution.
>> The problem is that Samba didn't manage without this patch to do a
>> crackname on name that are related to deleted objects.
>> I found this problem when debuging a replication problems on a server
>> with deleted objects.
>> This problem can quite easily be checked:
>> 1) locate the guid of the "Deleted objects container on a Windows DC
>> 2) Run:
>>    python source4/scripting/devel/crackname ip_server -U administrator
>> --name='{objectGUID}'
>> 3) See that Windows return something
>> 4) locate the guid of the "Deleted Objects" on a samba DC
>> 5) Run:
>>    python source4/scripting/devel/crackname ip_server_samba -U
>> administrator --name='{objectGUID2}'
>> 6) See that samba return None + status name not resolved
>> After applying my patch step 5 returns a correct DN.
>> Note: the crackname script is in the second patch.
> I'm quite uncomfortable with the idea of just adding 'show deleted'
> here.  Are we expected to show deleted user account too?
In certain case yes I guess look
python source4/scripting/devel/crackname -U 
administrator%totoTATA321 --name='{84a63b26-681f-421d-b180-6cfe4027e798}'
DRS Handle: 0, 06382937-bd30-4d20-be72-730eabbd7414

The target server here is Windows 2008R2.

I observed this behavior when a W2K3R2 server made a DsReplicaSync to a 
samba server, and it seems that in order to check that the replication 
was ok Windows do a crackname on a deleted object that has been deleted 
recently (that is to say it has a changed usn > highest usn in the 
repsto attribute).

The behavior that I observe is that for the moment windows refuse to 
sync other partition as if it was concidering that the replication of 
the base partition has not worked completely (as the crackname didn't 
work ...).

>    This call is
> at the core of our authentication stack, and only works well if the
> mapping is unique.  That a lookup (say as an NT4 name domain\user) for a
> deleted-and-readded user entry would map to multiple entries (and
> therefore return as not unique) worries me in particular.
Hum I must confess that I add a question of whether I should make it 
broad or restricted, I choose broad because it was late ;-), after more 
tests it seems that restricted to only the DS_UNIQUE_ID_NAME format 
should be good.

See the modified patch.

Matthieu Patou
Samba Team
Private repo;a=summary

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-drsuapi-crackname-search-also-for-deleted-objects.patch
Type: text/x-patch
Size: 1196 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list