As reported by Denis Cardon on the Samba mailing list (https://lists.samba.org/archive/samba/2021-November/238452.html), slightly edited here: We have had this issue a few time today with latest 4.14 when upgrading client installations (I didn't have time to check if it was latest 4.14.10 or if it happened in some earlier version). If you have DN strings with consecutive space characters (yeah, it shouldn't happen, but if one can do it, it will be done), then the upgrade will break a few things. In the replication you'll get this kind of error message : [2021/11/10 15:15:33.150632, 1] ../../source4/dsdb/repl/replicated_objects.c:904(dsdb_replicated_objects_commit) Failed to apply records: operational_search_post_process failed for attribute 'parentGUID' - No such Base DN: CN=USERNAME Romain,OU=Sync Azure,DC=mydomain,DC=lan: Operations error [2021/11/10 15:15:33.150754, 0] ../../source4/dsdb/repl/drepl_out_helpers.c:1184(dreplsrv_op_pull_source_apply_changes_trigger) If you try a samba-tool dbcheck --cross-ncs, you'll may get this kind of error : ERROR: Object CN=USERNAME Romain,OU=Sync Azure,DC=mydomain,DC=lan disappeared during check Another symptom is that the search with an attribute (like samba-tool user show dcardon) does work, but a ldbsearch with a DN like below (beware of the two spaces) does not work 'CN=denis cardon,OU=test,DC=test,DC=lan' If you have this case, a reindex should fix it (it need to be run on each DC) samba-tool dbcheck --reindex Another option is to fix this before upgrade, or if it is already upgraded, downgrade, fix and then upgrade. If you have the case where you have two quasi-identical entries, one with two space and one with only one (ie CN=denis cardon, and CN=denis cardon), then you have to delete one of them before re-indexing (yeah we have seen this one today also). There seems to be a discrepancy in the way multiple spaces are handled in the index and in the DN string itself. Note : if you recreate an entry with multiple consecutive spaces after upgrade it seems to work though...
I suspect this is due to fixes for bug 14656 which were backported in the November 2021 security release to 4.14.10 (and 4.13). Those patches changed the way spaces are handled in searches and maybe indexes. I think they are probably correct, at least insofar as they do what the old code was trying to do. However, for the indexes, it might be that the old index has treated values with the incorrect space collapsing, which would I think have mapped 'CN=denis cardon' to 'CN=denis ccardon', while the new code uses one space 'CN=denis cardon'. So the index doesn't match. The real bug is this hypothesis is that the values are not being escaped first ('CN=denis\ \ cardon') for the indexing. Before 'CN=denis cardon' and 'CN=denis ccardon' were quasi-identical pair, and we never/rarely saw it because no-one is called ccardon.
The workaround for now is to run: samba-tool dbcheck --reindex We should perhaps force a re-index in a future version upgrade (by bumping SAMDB_INDEXING_VERSION to ensure this is done) /* change this when we change something in our schema code that * requires a re-index of the database */ #define SAMDB_INDEXING_VERSION "3" However this will force a reindex regardless which is CPU intensive.
Given that users use 'samba-tool dbcheck' to assure themselves that the DB is not at fault, a future task could be to upgrade dbcheck to search for each object by string DN, as that would detect this in the future. Sadly dbcheck is not comprehensive, essentially being a set of fixes for things we know have gone wrong in the past.
This bug was referenced in samba master: f621317e3b25a8925ab6e448068264488a0a47c7
Created attachment 17048 [details] Patch for v4-15-test
Created attachment 17049 [details] Patch for v4-14-test
Created attachment 17050 [details] Patch for v4-13-test
Reassigning to Jule for inclusion in 4.13, 4.14 and 4.15.
(In reply to Ralph Böhme from comment #8) Pushed to autobuild-v4-{15,14,13}-test
This bug was referenced in samba v4-15-test: cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e
This bug was referenced in samba v4-14-test: ce1186e06ed2581a29af794eb66405a4efe26b71
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e
This bug was referenced in samba v4-13-test: dd679ce7f4450765274b085bbee97d1fa8e0f2a0
Closing out bug report. Thanks!
Reopening to consider a further fix per comment #2
This bug was referenced in samba v4-13-stable (Release samba-4.13.15): dd679ce7f4450765274b085bbee97d1fa8e0f2a0
This bug was referenced in samba v4-14-stable (Release samba-4.14.11): ce1186e06ed2581a29af794eb66405a4efe26b71
*** Bug 15029 has been marked as a duplicate of this bug. ***