[Samba] Correcting "incorrect userParameters value on object...." ???

Andrew Bartlett abartlet at samba.org
Fri Oct 21 10:25:04 UTC 2016

On Thu, 2016-10-20 at 16:43 -0400, Adam Tauno Williams via samba wrote:
> On Thu, 2016-10-20 at 16:28 -0400, Adam Tauno Williams via samba
> wrote:
> > 
> > sernet-samba-4.2.14-23.el6.x86_64
> > Errors [on all DCs] related to incorrect userParameters values - on
> > user's that are working.  How does one go about
> > rebuilding/correcting
> > this value?
> > [root at larkin28 ~]# samba-tool dbcheck --reset-well-known-acls --fix 
> > -
> > -yes
> > Checking 1743 objects
> > ERROR: incorrect userParameters value on object
> ... it appears this attribute cannot be edited or deleted via LDAP
> [ADSI Edit]. :(

Yes.  As operations over LDAP are meant to be with the 'utf8' version
of the attribute, we banned modification, as we felt that would only
corrupt the record further.

I realise this area is a bit of a debarcle.  The tested dbcheck fixes
seem to have done exactly the opposite of what was required, and only
comprehensive multi-protocol tests will untangle this mess.  I've
written before about what is required, as we have to get LDAP, SAMR,
NETLOGON and Kerberos (for the PAC) all handling this 'binary data
shoved in a string by a simple cast' data consistently.  LDAP is a
particular difficulty as it is traditionally utf8, but encoding binary
data as if it was utf16 to convert to utf8 is not safe or reversible in


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list