A limitation in the cookie size supported by the dirsync control causes samba-tool user syncpasswords to fail if the domain has previously or does currently host a large number of DCs.
Note that every time a DC is rejoined (using 'samba-tool domain join') it will add an extra entry to the cookie.
Created attachment 14695 [details]
Backport of fix for v4.9
Attached backport for 4.9. Confirmed it applies to both v4-9-test and samba-4.9.3.
CI pass: https://gitlab.com/samba-team/devel/samba/pipelines/37859979
Please merge for 4.9.next.
(In reply to Andrew Bartlett from comment #3)
Pushed to autobuild-v4-9-test.
Pushed to v4-9-test.
Closing out bug report.