Bug 15111 - LDAP reply error when using GPMC console with a GPLink count of 100
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.16.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-07-01 12:56 UTC by Denis Cardon
Modified: 2022-08-12 13:09 UTC

screenshot of the error in GPMC (71.58 KB, image/png)
2022-07-01 12:59 UTC, Denis Cardon
gpo_ko_100_gplinks (73.53 KB, application/vnd.tcpdump.pcap)
2022-08-12 13:08 UTC, Kevin Guerineau
gpo_ok_101_gplinks (82.29 KB, application/vnd.tcpdump.pcap)
2022-08-12 13:09 UTC, Kevin Guerineau

Description Denis Cardon 2022-07-01 12:56:15 UTC
When using GPMC console, if you have exactly 100 gPLink attributes, when displaying the "Settings" tab of any GPO, let's say "Default Domain Policy", then you get the message:
"An error occurred while generating report : More data is available" 

(of course there is no more data available, it would have been too easy to debug otherwise...)

GPOs are properly working on the client workstation, the bug can only be seen in the GPMC console.

If you add one more gPLink attribute (so the count is 101), then it works again.

You get the same error at 200 gPLink attributes, 300 gPLink attributes, etc. (each one hundred).

I have not looked at the code or the network trace, but it looks like there is some paging issue here...

The bug is kind of strange from the GPMC point of view, because unlinking a GPO does not remove the gPLink attribute, it just makes it blank, so deleting a GPO does not change the number of gPLink and if you had 100 gPLink to begin with, you still have 100 gPLink (with one empty) and it is still bugging.
Comment 1 Denis Cardon 2022-07-01 12:58:13 UTC
On a fresh new domain, you can use this script to create the 100 gPLink limit (counting the two default policies). After creating the 100 gPLink, open the GPMC, go to "Default Domain Policy", then to the "Settings" tab, and see the error.


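# ADMIN_PASSWORD and NC are not defined in this script and must be set first;
# NC is presumably the domain naming context (for example DC=example,DC=com).
samba-tool ou create ou=test_gpo

for i in $(seq 1 98); do samba-tool ou create ou=test_$i,ou=test_gpo; done

for i in $(seq 1 98); do echo "${ADMIN_PASSWORD}" | samba-tool gpo setlink ou=test_$i,ou=test_gpo,${NC} "{31B2F340-016D-11D2-945F-00C04FB984F9}" -U administrator; done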
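
A quick way to check whether a domain sits on the count described in this report, added here as an example that is not part of the original comment or of Samba: it counts the records in an LDIF export that carry a gPLink attribute, blank values included, and flags a non-zero multiple of 100. The example.com DNs, the function names and the base64 single-space form of a blank gPLink are assumptions, and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Samba.

# Read LDIF on stdin and print how many records carry a gPLink attribute.
# A blank value still counts: the report says unlinking leaves the attribute.
count_gplink_objects() {
    awk 'BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one record per block
         {
             for (i = 1; i <= NF; i++)
                 if (tolower($i) ~ /^gplink:/) { n++; break }
         }
         END { print n + 0 }'
}

# Succeed when the count is a non-zero multiple of 100 (100, 200, 300, ...).
hits_reported_boundary() {
    [ "$1" -gt 0 ] && [ $(( $1 % 100 )) -eq 0 ]
}

# Constructed sample LDIF mirroring the reproduction script: two default links
# (domain root, Domain Controllers) plus $1 test OUs ($1 >= 1). OU test_1 has
# a blank gPLink, written as a base64 single space (assumption), and the
# parent OU test_gpo has no gPLink at all.
make_sample_ldif() {
    count=$1
    link='[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com;0]'
    printf 'dn: DC=example,DC=com\ngPLink: %s\n\n' "$link"
    printf 'dn: OU=Domain Controllers,DC=example,DC=com\ngPLink: %s\n\n' "$link"
    printf 'dn: OU=test_gpo,DC=example,DC=com\nou: test_gpo\n\n'
    printf 'dn: OU=test_1,OU=test_gpo,DC=example,DC=com\ngPLink:: IA==\n\n'
    i=2
    while [ "$i" -le "$count" ]; do
        printf 'dn: OU=test_%s,OU=test_gpo,DC=example,DC=com\ngPLink: %s\n\n' "$i" "$link"
        i=$((i + 1))
    done
}

# On a DC the LDIF would come from a search such as (path is a placeholder):
#   ldbsearch -H <path-to>/sam.ldb '(gPLink=*)' gPLink | count_gplink_objects
for ous in 98 99; do
    n=$(make_sample_ldif "$ous" | count_gplink_objects)
    if hits_reported_boundary "$n"; then
        echo "$n objects with gPLink: multiple of 100, the count reported to fail"
    else
        echo "$n objects with gPLink: not a multiple of 100"
    fi
done
```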
Comment 2 Denis Cardon 2022-07-01 12:59:32 UTC
Created attachment 17404
screenshot of the error in GPMC
Comment 3 Denis Cardon 2022-07-01 13:04:30 UTC
This bug is Samba-AD only (not reproducible on a MS-AD).
Comment 4 Douglas Bagnall 2022-08-04 03:54:30 UTC
Hi Denis,

Are you able to get a network trace?
Comment 5 Kevin Guerineau 2022-08-12 13:08:51 UTC
Created attachment 17471
Comment 6 Kevin Guerineau 2022-08-12 13:09:06 UTC
Created attachment 17472
Comment 7 Kevin Guerineau 2022-08-12 13:09:28 UTC
Hi Douglas,

You will find two .pcap files:

gpo_ko_100_gplinks.pcap: Error when updating GPO settings via RSAT

gpo_ok_101_gplinks.pcap: No error when updating GPO settings via RSAT

Have a good day.