From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Wed, 30 Jul 2025 02:28:22 +0000 (+1200)
Subject: samba_kcc: log when msDS-HasInstantiatedNCs is not BinaryDn
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b6395781a022ae7c3a802480bc1d32109c45cb9;p=thirdparty%2Fsamba.git

samba_kcc: log when msDS-HasInstantiatedNCs is not BinaryDn

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
---

diff --git a/python/samba/kcc/kcc_utils.py b/python/samba/kcc/kcc_utils.py
index f0165344c5a..1cb4bb15e88 100644
--- a/python/samba/kcc/kcc_utils.py
+++ b/python/samba/kcc/kcc_utils.py
@@ -29,7 +29,7 @@ from samba.dcerpc import (
     drsuapi,
     misc,
 )
-from samba.samdb import dsdb_dn_guess
+from samba.samdb import dsdb_dn_guess, BinaryDn
 from samba.ndr import ndr_unpack, ndr_pack
 from collections import Counter
 
@@ -746,7 +746,6 @@ class DirectoryServiceAgent(object):
                     # msDS-HasInstantiatedNCs is a BinaryDN, but the
                     # others are plain DNs.
                     dsdn = dsdb_dn_guess(samdb, value)
-                    flags = dsdn.get_binary_integer()
                     dnstr = str(dsdn.dn)
 
                     if dnstr not in tmp_table:
@@ -756,7 +755,15 @@ class DirectoryServiceAgent(object):
                         rep = tmp_table[dnstr]
 
                     if k == "msDS-HasInstantiatedNCs":
-                        rep.set_instantiated_flags(flags)
+                        # msDS-HasInstantiatedNCs should only be DN+Binary
+                        # (MS-ADTS 6.1.1.2.2.1.2.1.1 and 6.1.2.3.1)
+                        # but sometimes we see it as a plain DN.
+                        if isinstance(dsdn, BinaryDn):
+                            flags = dsdn.get_binary_integer()
+                            rep.set_instantiated_flags(flags)
+                        else:
+                            print("msDS-HasInstantiatedNCsis not a BinaryDn '{dsdn}'",
+                                  file=sys.stderr)
                         continue
 
                     rep.identify_by_dsa_attr(samdb, k)