Bug 13603 - DsCrackNames: Unsupported operation requested
Summary: DsCrackNames: Unsupported operation requested
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.8.4
Hardware: All All
: P5 minor (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-04 08:13 UTC by Bram Matthys
Modified: 2018-09-04 08:13 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bram Matthys 2018-09-04 08:13:18 UTC
Sometimes I see a big long blob of text regarding "DsCrackNames: Unsupported operation requested" in the logs.
I've included a snippet of the lines before and 1 line after. It seems to be triggered by authentication, but only in some cases.

[2018/09/04 09:28:58.206900,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-04T09:28:58.206849+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54024", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}}
[2018/09/04 09:29:00.764880,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[bram@xxxx.NET] at [Tue, 04 Sep 2018 09:29:00.764854 CEST] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.xxx:54049] became [xxxx]\[bram] [S-1-5-21-1031326947-955407334-2620008635-1164]. local host [NULL]
[2018/09/04 09:29:00.765112,  3] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-04T09:29:00.765022+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "NULL", "remoteAddress": "ipv4:xxx.xxx.x.xxx:54049", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "bram@xxxx.NET", "workstation": null, "becameAccount": "bram", "becameDomain": "xxxx", "becameSid": "S-1-5-21-1031326947-955407334-2620008635-1164", "mappedAccount": "bram", "mappedDomain": "xxxx", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "arcfour-hmac-md5"}}
  ted: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8DsCrackNames: Unsupported operation requested: FFFFFFF8../librpc/rpc/dcerpc_util.c:264: ERROR: pad length mismatch. Calculated 44  got 0
[2018/09/04 09:29:19.198001,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [LDAP,simple bind] user [(null)]\[zzzzzzzzzz@xxxx.NET] at [Tue, 04 Sep 2018 09:29:19.197959 CEST] with [Plaintext] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:xxx.xxx.x.10:43036] became [xxxx]\[zzzzzzzzzz] [S-1-5-21-1031326947-955407334-2620008635-4615]. local host [ipv4:xxx.xxx.x.2:389]
..

Note: the line really starts with "  ted:" (so space space...), this is not a copy-paste error.

Hmmm, is this perhaps a problem in the JSON authentication logging (which I have enabled) where someone forgot to nul terminate a string? Just guessing due to the double space prefix. Have not looked at the code.