[Samba] Correcting "incorrect userParameters value on object...." ???
Andrew Bartlett
abartlet at samba.org
Fri Oct 21 10:25:04 UTC 2016
On Thu, 2016-10-20 at 16:43 -0400, Adam Tauno Williams via samba wrote:
> On Thu, 2016-10-20 at 16:28 -0400, Adam Tauno Williams via samba
> wrote:
> >
> > sernet-samba-4.2.14-23.el6.x86_64
> > Errors [on all DCs] related to incorrect userParameters values - on
> > user's that are working. How does one go about
> > rebuilding/correcting
> > this value?
> > [root at larkin28 ~]# samba-tool dbcheck --reset-well-known-acls --fix
> > -
> > -yes
> > Checking 1743 objects
> > ERROR: incorrect userParameters value on object
>
> ... it appears this attribute cannot be edited or deleted via LDAP
> [ADSI Edit]. :(
Yes. As operations over LDAP are meant to be with the 'utf8' version
of the attribute, we banned modification, as we felt that would only
corrupt the record further.
I realise this area is a bit of a debarcle. The tested dbcheck fixes
seem to have done exactly the opposite of what was required, and only
comprehensive multi-protocol tests will untangle this mess. I've
written before about what is required, as we have to get LDAP, SAMR,
NETLOGON and Kerberos (for the PAC) all handling this 'binary data
shoved in a string by a simple cast' data consistently. LDAP is a
particular difficulty as it is traditionally utf8, but encoding binary
data as if it was utf16 to convert to utf8 is not safe or reversible in
general.
Sorry,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list