Hi,

in contrast to an AD DC a Samba DC currently allows creating computer objects with names (sAMAccountName) longer than 15 or 20 characters. E.g.

    samba-tool computer add 'THISNAMEISTOOLONG123THISNAMEISTOOLONG123THISNAMEISTOOLONG123$'

creates a computer object with

    sAMAccountName: THISNAMEISTOOLONG123THISNAMEISTOOLONG123THISNAMEISTOOLONG123$

The same works with e.g. adcli

    adcli join -v --domain=samba.test --computer-name='THISNAMEISTOOLONG123THISNAMEISTOOLONG123THISNAMEISTOOLONG123'

When running the same adcli command against an AD DC the request is rejected with

    00000523: SysErr: DSID-031A1262, problem 22 (Invalid argument), data 0

if the given computer name is 20 characters or longer, which is in agreement with e.g. https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccountname which says "must be 20 characters or fewer".

Btw, `net ads join` complains if the name is too long as well.

Is it expected that a Samba DC accepts computer objects where the sAMAccountName is longer than 15 or 20 characters? If yes, then maybe `net ads join` should accept them as well? If not, I think it would be good if the Samba DC would reject requests with longer names like an AD DC does.

bye,
Sumit
Did you try this?:

    samba-tool computer add -H ldap://the-windows-dc

I guess if adcli is using ldap it will be the same.

It seems MS-ADA3 has been saying "less than 20 characters to support older clients" for as long as MS-ADA3 has existed, while the schema has always had a maximum length of 256.
(In reply to Douglas Bagnall from comment #1)

Hi,

yes, it shows the same error:

    # samba-tool computer add --use-kerberos=required -H ldap://dc.ad.test 'THISNAMEISTOOLONG123THISNAMEISTOOLONG123THISNAMEISTOOLONG123$'
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'ncalrpc_as_system' registered
    GENSEC backend 'sasl-EXTERNAL' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'ntlmssp_resume_ccache' registered
    GENSEC backend 'http_basic' registered
    GENSEC backend 'http_ntlm' registered
    GENSEC backend 'http_negotiate' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    Starting GENSEC mechanism spnego
    Starting GENSEC submechanism gssapi_krb5
    ERROR(ldb): Failed to add computer 'THISNAMEISTOOLONG123THISNAMEISTOOLONG123THISNAMEISTOOLONG123$': - LDAP error 80 LDAP_OTHER - <00000523: SysErr: DSID-031A1262, problem 22 (Invalid argument), data 0 > <>

Test was run with Windows 2022.

bye,
Sumit
(In reply to Sumit Bose from comment #2)

The fix is trivial, add something like these lines to computer.py (at line 257):

    # check length of computername
    if len(computername) > 20:
        raise CommandError('Computername "%s" is too long' % computername)
Hi,

this would fix the tool, but wouldn't it be better to reject long names on the server side like AD does?

bye,
Sumit
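An added example, not part of the thread and not Samba code: because a Samba DC accepts these names, a directory may already contain them, so this sketch audits an LDIF export for computer objects whose sAMAccountName exceeds the limit. The 20-character limit is taken from the Microsoft page quoted in the first comment; the function names and the sample LDIF are constructed for illustration.

```python
import base64

SAM_MAX = 20  # assumption: the limit quoted in the thread from the Microsoft schema page
SAMPLE_LDIF = """\
# constructed sample, not real directory data; the second DN is folded
dn: CN=WS01,CN=Computers,DC=samba,DC=test
objectClass: computer
sAMAccountName: WS01$

dn: CN=THISNAMEISTOOLONG123THISNAMEISTOOLONG123,CN=Computers,
 DC=samba,DC=test
objectClass: computer
sAMAccountName: THISNAMEISTOOLONG123THISNAMEISTOOLONG123$
"""


def parse_ldif(text):  # yields one dict per entry: lower-cased attribute -> values
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # continuation of a folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())


def overlong_computer_accounts(ldif_text, limit=SAM_MAX):
    # returns (dn, sAMAccountName, length) for computer objects over the limit
    hits = []
    for e in parse_ldif(ldif_text):
        if "computer" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        for sam in e.get("samaccountname", []):
            if len(sam) > limit:  # length counts the trailing '$'
                hits.append((e.get("dn", ["?"])[0], sam, len(sam)))
    return hits


if __name__ == "__main__":
    print(*overlong_computer_accounts(SAMPLE_LDIF), sep="\n")
```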