[Samba] samba-tool ldapcmp: LDAP error 32 LDAP_NO_SUCH_OBJECT

Darshaka Pathirana dpat at syn-net.org
Tue Feb 6 15:29:52 UTC 2024 

Addendum:

> [...]
> ```
>   % samba-tool ldapcmp --use-kerberos=required ldap://dc01.ag.example.com ldap://dc02.ag.example.com
>
>     * Comparing [DOMAIN] context...
>
>     * Objects to be compared: 1533
>     LdbError for dn CN=M GRÖSS,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
>     LdbError for dn CN=I FÖSSL,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')
>     LdbError for dn CN=T AUSSERHOFER,CN=USERS,DC=AG,DC=example,DC=COM: (32, 'LDAP error 32 LDAP_NO_SUCH_OBJECT -  <acl_read: Error retrieving instanceType for base. at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:967> <>')> [...]> ```
>
> [...]
>
> Running `ldbsearch` on dc01 and dc02 does not show anything suspicious. Called like this (JFTR):
>
> ``
>   % ldbsearch -H ldap://dc01.ag.example.com --use-kerberos required  '(&(objectclass=person)(sAMAccountName=ifoessl))'
>   [...]
>
>   % ldbsearch -H ldap://dc02.ag.example.com --use-kerberos required  '(&(objectclass=person)(sAMAccountName=ifoessl))'
>   [...]
> ```

I didn't notice this at first: not only are these the only objects
with a "ß" in the CN (so umlauts are not a problem), but ldapcmp shows
double s (SS) in capital letters instead of a ß.

Could it be that making the strings uppercase (via ldapcmp) is causing the problem?

```
  % ldbsearch -H ldap://dc01 --use-kerberos required  '(&(objectclass=person))' | grep "ß"
  dn: CN=T Außerhofer,CN=Users,DC=ag,DC=example,DC=com
  dn: CN=M Größ,CN=Users,DC=ag,DC=example,DC=com
  dn: CN=I Fößl,CN=Users,DC=ag,DC=example,DC=com
```

(Also note that I replaced the real domain with "example", but did not
make it uppercase in the output above).

Regards,
 - Darsha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20240206/f0d1c267/OpenPGP_signature.sig>

More information about the samba mailing list