non-ascii characters in legacyExchangeDN

Andrew Bartlett abartlet at samba.org
Mon Dec 17 14:13:58 MST 2012


On Mon, 2012-12-17 at 17:35 +0000, Bruno Pereira wrote:
> Hello,
> 
> I've a problem to join samba4 (final version) to windows server 2003 R1 
> . I get the following error message:
> ...
> ldb_handler_fold: unable to casefold string [/o=MAILSAMBA/ou=First
> Administrative Group/cn=Recipients/cn=Ext_Fátima_Goncalves]
> Failed to apply records: ../lib/ldb/ldb_tdb/ldb_index.c:1198: Failed to
> re-index legacyExchangeDN in
> CN=Ext_Fátima_Goncalves,OU=CENARIO-C,DC=cena-c,DC=pt- Failed to create
> index key for atribute 'legacyExchangeDN': Unknown error: Operations error
> Failed to commit objects:WERR_GENERAL_FAILURE
> join failed -cleaning up
> ...
> 
> In the samba RC5 happend the same error.
> Someone could help me?

This is very interesting.  What is happening is that we seem to be
unable to upper case the Ext_Fátima_Goncalves part of the DN.  It may be
that the string sent to us is not in fact UTF8 (perhaps it was created
in a national code page?), or something else prevents correct
transformation.

Unlike other strings in Active Directory, this is not handled as a
string by our replication code, so it is not translated between UTF8 and
UTF16 by DRSUAPI.  Also, these posts indicate that this record is meant
to be ASCII (or less) only, probably as a kludge to avoid the issues of
asserting which code page this actually is.

https://social.technet.microsoft.com/forums/en-US/exchangesvrsecuremessaginglegacy/thread/72e74deb-578b-4db4-8afb-0051848999a1
https://social.technet.microsoft.com/Forums/sk/exchange2010/thread/adbf0201-4697-4e17-b701-7c545150df19
https://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/fc373aca-3db2-4aee-a8d7-77e185f23c50/

The issue for us is that without knowing which character set this is in
(and it clearly not being UTF8), how can we obtain or what should be the
canonical form for index comparisons?  (We use upper case as the
canonical form). 

The result is probably much the same as what you see with Exchange
above, that these records don't actually work, just that we error out at
a different layer. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




More information about the samba-technical mailing list