Sometimes I see a big long blob of text regarding "DsCrackNames: Unsupported operation requested" in the logs. I've included a snippet of the lines before and 1 line after. It seems to be triggered by authentication, but only in some cases. [2018/09/04 09:28:58.206900, 3] ../auth/auth_log.c:220(log_json) JSON Authentication: {"timestamp": "2018-09-04T09:28:58.206849+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54024", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}} [2018/09/04 09:29:00.764880, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bram@xxxx.NET] at [Tue, 04 Sep 2018 09:29:00.764854 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.xxx:54049] became [xxxx]\[bram] [S-1-5-21-1031326947-955407334-2620008635-1164]. local host [NULL] [2018/09/04 09:29:00.765112, 3] ../auth/auth_log.c:220(log_json) JSON Authentication: {"timestamp": "2018-09-04T09:29:00.765022+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54049", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx.NET", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}} ted: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8../librpc/rpc/dcerpc_util.c:264: ERROR: pad length mismatch. Calculated 44 got 0 [2018/09/04 09:29:19.198001, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [LDAP,simple bind] user [(null)]\[zzzzzzzzzz@xxxx.NET] at [Tue, 04 Sep 2018 09:29:19.197959 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.10:43036] became [xxxx]\[zzzzzzzzzz] [S-1-5-21-1031326947-955407334-2620008635-4615]. local host [ipv4:xxx.xxx.x.2:389] .. Note: the line really starts with " ted:" (so space space...), this is not a copy-paste error. Hmmm, is this perhaps a problem in the JSON authentication logging (which I have enabled) where someone forgot to nul terminate a string? Just guessing due to the double space prefix. Have not looked at the code.
Is this still happening?
(In reply to Douglas Bagnall from comment #1) what it means is smething is trying to look up an ldap display name in the schema using DsCrackNames, and we don't support that. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/b47debc0-59ee-40e4-ad0f-4bc9f96043b2 Also, yes, we left out a "\n" in the message. And I'm not convinced it needs to be at debug level 0. I don't see how it is related to authentication, but maybe the client likes to do these things together. Other people have had similar messages: https://lists.samba.org/archive/samba/2015-May/191875.html https://lists.samba.org/archive/samba/2018-July/216975.html
I just checked the logs, this last happened on Nov 30, 2022. Right before the message (or part of the message?) and after is a login through radius. Apparently it only happens sporadically or it might have disappeared during upgrades altogether. Not sure.