A limitation in the cookie size supported by the dirsync control causes samba-tool user syncpasswords to fail if the domain has previously or does currently host a large number of DCs.
Note that every time a DC is rejoined (using 'samba-tool domain join') it will add an extra entry to the cookie.
Created attachment 14695 [details] Backport of fix for v4.9 Attached backport for 4.9. Confirmed it applies to both v4-9-test and samba-4.9.3. CI pass: https://gitlab.com/samba-team/devel/samba/pipelines/37859979
G'Day Karolin, Please merge for 4.9.next. Thanks!
(In reply to Andrew Bartlett from comment #3) Pushed to autobuild-v4-9-test.
Pushed to v4-9-test. Closing out bug report. Thanks!