Samba 4: character encoding issue (was: Samba-tool dbcheck shows "incorrect GUID" after update from alpha17 to beta8)

Sat Oct 6 05:39:19 MDT 2012

-------- Original-Nachricht --------
> Datum: Sat, 06 Oct 2012 19:27:10 +1000
> Von: Andrew Bartlett <abartlet at samba.org>
> An: Michael Wood <esiotrot at gmail.com>
> CC: X-Dimension at gmx.net, samba at lists.samba.org, samba-technical at lists.samba.org
> Betreff: Re: Samba 4: character encoding issue (was: Samba-tool dbcheck shows "incorrect GUID" after update from alpha17 to beta8)

> On Sat, 2012-10-06 at 11:20 +0200, Michael Wood wrote:
> > Hi
> > 
> > On 5 October 2012 21:25,  <X-Dimension at gmx.net> wrote:
> > >
> > > -------- Original-Nachricht --------
> > >> Datum: Thu, 4 Oct 2012 12:22:54 +0200
> > >> Von: Michael Wood <esiotrot at gmail.com>
> > >> An: Julian Timm <X-Dimension at gmx.net>
> > >> CC: samba at lists.samba.org
> > >> Betreff: Re: [Samba] Samba-tool dbcheck shows "incorrect GUID" after
> update from alpha17 to beta8
> > >
> > >> On 4 October 2012 09:46, Julian Timm <X-Dimension at gmx.net> wrote:
> > >> >
> > >> > -------- Original-Nachricht --------
> > >> >> Datum: Wed, 3 Oct 2012 16:56:42 +0200
> > >> >> Von: Michael Wood <esiotrot at gmail.com>
> > >> >> An: X-Dimension at gmx.net
> > >> >> CC: samba at lists.samba.org
> > >> >> Betreff: Re: [Samba] Samba-tool dbcheck shows "incorrect GUID"
> after
> > >> update from alpha17 to beta8
> > >> >
> > >> >> On 3 October 2012 16:26,  <X-Dimension at gmx.net> wrote:
> > >> >> > After updating our Samba4 server from alpha17 to beta8
> "samba-tool
> > >> >> dbcheck" shows 24 "incorrect GUID" errors.
> > >> >> > What does it mean and what should i do to fix this?
> > >> >>
> > >> >> Try samba-tool dbcheck --fix.
> > >> >>
> > >> >> Also, why did you not install rc2 instead of beta8?
> > >> >
> > >> > I don't want to compile every Samba version for myself, so i'm
> using
> > >> > the Zentyal 2.3 PPA. The latest Samba version here is beta8, but
> rc2
> > >> packages are in testing and should be available soon.
> > >> >
> > >> > After running samba-tool dbcheck --fix the errors still exists,
> when
> > >> running dbcheck again.
> > >>
> > >> Try posting the errors to the list and maybe someone will be able to
> > >> say what causes them.
> > >>
> > >> --
> > >> Michael Wood <esiotrot at gmail.com>
> > >
> > > Ok, here is an example:
> > >
> > > ERROR: incorrect GUID component for member in object
> CN=Mitarbeiter,OU=Benutzer,DC=test,DC=lan -
> <GUID=c385ad50-c728-41ba-8b94-22fa07b57b41>;<SID=S-1-5-21-2936403297-3018184044-1011683372-1153>;CN=Max
> MÃ¼ller,OU=Benutzer,DC=test,DC=lan
> > > unable to find object for DN CN=Max
> MÃ¼ller,OU=Benutzer,DC=test,DC=lan - (No such Base DN: CN=Max MÃ¼ller,OU=Benutzer,DC=test,DC=lan)
> > > Not removing dangling forward link
> > >
> > > All of these database errors affecting users who have german umlauts
> > > in their names like Ä,Ö,Ü.
> > > These users are also not shown within the Microsoft RSAT AD manager.
> > > When i add a new user now like "Horst Müller" with the management
> tool, i get the error that the user could not be verified and can't login, but
> RSAT still creates the user.
> > >
> > > Is there a simple way to correct this problem?
> > 
> > I've copied this to the samba-technical list, since the Samba 4 HOWTO
> > still says to report successes/failures there.
> > 
> > The problem does look suspiciously like a character encoding issue.
> 
> On my e-mail client, the german umlauts in the DN show up as other
> characters (1/4 for example).  If the original DN is not utf8, then this
> will fail.  (Because we will be unable to create the canonical form of
> the DN, it will fail to match). 
> 
> Julian, can you confirm if the CN attribute and DN was created using
> only valid UTF8?
> 
> What client or tool was used to create it?
> 
> Thanks,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 

Hi Andrew!
How can i test if it uses valid UTF8?

To reproduce the problem, maybe it helps to know the steps I've done so far...

1. Install Ubuntu Server 10.04 LTS

2. Adding Resara-Server PPA and installing Resara-Server (which includes Samba4)
I've started with Resara-Server 1.0 and updated it to the version 1.1.2 which we are using now.

3. Provisioning was done by the RDS-Console tool from Resara
I've used this tool to setup our domain, adding shares, users and DNS entries, but after running into problems when adding users with German umlauts, I've switched to Microsoft RSAT where it was working fine!
So, all users with umlauts was created with RSAT, the RDS-Console don't shows them, but they can login successfully from Windows XP and Windows 7, so i ignored the RDS-Console behavior and only uses RSAT for managing the Samba4 domain from now on.

4. Samba-tool dbcheck shows 0 errors at this point

5. Moving /usr/local/samba/ to /var/lib/samba because we want to use the Zentyal packages in the future, which are using /var/lib/samba instead of /usr/local/samba

6. Remove (apt-get purge) the Resara-Server packages rds, rdssamba4, rdsserver etc

7. Updating from Ubuntu 10.04 to 12.04 by using do-release-update tool

8. Adding Zentyal 2.3 PPA and install Samba 4.0.0 beta 8
(rc2 packages are in experimental stage and should be available soon.
https://launchpad.net/~kernevil/+archive/samba4-experimental)

9. Doing samba_upgradedns to get Bind_DLZ backend to work.

10. Configure Bind to use /var/lib/samba/private/named.conf

11. Samba-tool dbcheck shows 23 errors now, for all users with umlauts and RSAT shows the described error when adding a user with umlauts in his name now. 

Maybe it helps.