Bug 13603 - DsCrackNames: Unsupported operation requested
Summary: DsCrackNames: Unsupported operation requested
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.8.4
Hardware: All All
: P5 minor (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-04 08:13 UTC by Bram Matthys
Modified: 2023-01-09 13:31 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bram Matthys 2018-09-04 08:13:18 UTC
Sometimes I see a big long blob of text regarding "DsCrackNames: Unsupported operation requested" in the logs.
I've included a snippet of the lines before and 1 line after. It seems to be triggered by authentication, but only in some cases.

[2018/09/04 09:28:58.206900,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-04T09:28:58.206849+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54024", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}}
[2018/09/04 09:29:00.764880,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bram@xxxx.NET] at [Tue, 04 Sep 2018 09:29:00.764854 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.xxx:54049] became [xxxx]\[bram] [S-1-5-21-1031326947-955407334-2620008635-1164]. local host [NULL]
[2018/09/04 09:29:00.765112,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-04T09:29:00.765022+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54049", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx.NET", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}}
  ted: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8../librpc/rpc/dcerpc_util.c:264: ERROR: pad length mismatch. Calculated 44  got 0
[2018/09/04 09:29:19.198001,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [LDAP,simple bind] user [(null)]\[zzzzzzzzzz@xxxx.NET] at [Tue, 04 Sep 2018 09:29:19.197959 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.10:43036] became [xxxx]\[zzzzzzzzzz] [S-1-5-21-1031326947-955407334-2620008635-4615]. local host [ipv4:xxx.xxx.x.2:389]
..

Note: the line really starts with "  ted:" (so space space...), this is not a copy-paste error.

Hmmm, is this perhaps a problem in the JSON authentication logging (which I have enabled) where someone forgot to nul terminate a string? Just guessing due to the double space prefix. Have not looked at the code.
Comment 1 Douglas Bagnall 2023-01-05 23:28:27 UTC
Is this still happening?
Comment 2 Douglas Bagnall 2023-01-06 05:07:03 UTC
(In reply to Douglas Bagnall from comment #1)
what it means is smething is trying to look up an ldap display name in the schema using DsCrackNames, and we don't support that. 

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/b47debc0-59ee-40e4-ad0f-4bc9f96043b2


Also, yes, we left out a "\n" in the message. And I'm not convinced it needs to be at debug level 0.

I don't see how it is related to authentication, but maybe the client likes to do these things together.

Other people have had similar messages:
https://lists.samba.org/archive/samba/2015-May/191875.html
https://lists.samba.org/archive/samba/2018-July/216975.html
Comment 3 Bram Matthys 2023-01-09 13:31:58 UTC
I just checked the logs, this last happened on Nov 30, 2022. Right before the message (or part of the message?) and after is a login through radius.

Apparently it only happens sporadically or it might have disappeared during upgrades altogether. Not sure.