[Samba] issue when upgrading to latest security release 4.14.10 when having multiple consecutive space in DN

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Nov 11 03:56:03 UTC 2021

Hi Denis!

On 11/11/21 6:52 am, Denis CARDON via samba wrote:
> Hi everyone,
> we have had this issue a few time today with latest 4.14 when upgrading 
> client installations, so I thought it might be of interest for some of you 
> all (I didn't have time to check if it was latest 4.14.10 or if it 
> happened in some earlier version).
> If you have DN strings with consecutive space characters (yeah, it 
> shouldn't happen, but if one can do it, it will be done), then the upgrade 
> will break a few things.

That might be related to the fixes for
https://bugzilla.samba.org/show_bug.cgi?id=14656 and
https://bugzilla.samba.org/show_bug.cgi?id=14044 which are in 4.15, but 
were not previously backported.

The intention was always to collapse internal spaces, but being broken may 
in fact have been correct, or sometimes correct.


> In the replication you'll get this kind of error message :
> [2021/11/10 15:15:33.150632,  1] 
> ../../source4/dsdb/repl/replicated_objects.c:904(dsdb_replicated_objects_commit) 
>    Failed to apply records: operational_search_post_process failed for 
> attribute 'parentGUID' - No such Base DN: CN=USERNAME  Romain,OU=Sync 
> Azure,DC=mydomain,DC=lan: Operations error
> [2021/11/10 15:15:33.150754,  0] 
> ../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger) 
> If you try a samba-tool dbcheck --cross-ncs, you'll may get this kind of 
> error :
> ERROR: Object CN=USERNAME  Romain,OU=Sync Azure,DC=mydomain,DC=lan 
> disappeared during check
> Another symptom is that the search with an attribute (like samba-tool user 
> show dcardon) does work, but a ldbsearch with a DN like below (beware of 
> the two spaces) does not work
> 'CN=denis  cardon,OU=test,DC=test,DC=lan'
> If you have this case, a reindex should fix it (it need to be run on each DC)
> samba-tool dbcheck --reindex
> Another option is to fix this before upgrade, or if it is already 
> upgraded, downgrade, fix and then upgrade.
> If you have the case where you have two quasi-identical entries, one with 
> two space and one with only one (ie CN=denis cardon, and CN=denis cardon), 
> then you have to delete one of them before re-indexing (yeah we have seen 
> this one today also).
> There seems to be a discrepancy in the way multiple spaces are handled in 
> the index and in the DN string itself.
> Note : if you recreate an entry with multiple consecutive spaces after 
> upgrade it seems to work though...
> Happy upgrading, cheers to the Samba team for all the great work, and 
> happy holiday for everyone here in France!
> Denis

More information about the samba mailing list