Kerberos is adding control (hidden) characters and a CNF (objectGUID) to the CN

Trying to delete old Principals throws the following ERROR:

2015-09-29 09:55:41,330 - Failed to remove identity for HTTP/somenode.mycompany.com@MYCOMPANY.COM from the KDC - Can not remove principal HTTP/somenode.mycompany.com@MYCOMPANY.COM: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 
] 
..(bunch of these) 
Status: 
2015-09-29 09:55:40,851 - Processing identities... 
2015-09-29 09:55:41,268 - Destroying identity, HTTP/somenode.mycompany.com@MYCOMPANY.COM 

Checking the AD, the principals that I tried to delete were still there, so they obviously failed to be removed. However, in AD, it looks like for the bad principals, there is an additional CNF field and a hidden control character:

distinguishedName  DN  1  CN=nm/somenode.mycompany.com\0ACNF:0158d56b-6e58-48f8-adf3-3429f820e6c5,OU=Hadoop,OU=DataCenter,OU=ServersV2,DC=mycompany,DC=com

This CNF field is the objectGUID. Is it normal to have an embedded CNF field (with a hidden character) in the CN? Thank you,

1 ACCEPTED SOLUTION

2 REPLIES


It seems like the issue is what is described in "When a Duplicate RDN in an OU or Container is Detected".


Good find. Thanks
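
An added example, not part of the original thread and not Ambari code: a Python helper that scans distinguished names for the `\0ACNF:<objectGUID>` suffix shown in the question and recovers the original name and the GUID, so conflict-renamed principals can be listed before a cleanup. The function names are hypothetical, and every sample DN except the one quoted in the question is constructed.

```python
import re

# Suffix seen in the question: an escaped line feed ("\0A" in a DN string, or a
# raw "\n" in a decoded attribute value), then "CNF:" and the objectGUID.
CNF_SUFFIX = re.compile(
    r"(?:\\0[aA]|\n)CNF:(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$"
)

def split_rdns(dn):
    """Split a DN string on unescaped commas, leaving escape sequences intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the backslash with the char it escapes
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts

def conflict_info(dn):
    """Return details of the first conflict-renamed RDN in dn, or None."""
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        m = CNF_SUFFIX.search(value)
        if m:
            return {"attribute": attr.strip(),
                    "original_name": value[:m.start()],
                    "object_guid": m.group("guid").lower()}
    return None

SAMPLE_DNS = [
    # DN quoted in the question
    r"CN=nm/somenode.mycompany.com\0ACNF:0158d56b-6e58-48f8-adf3-3429f820e6c5,"
    r"OU=Hadoop,OU=DataCenter,OU=ServersV2,DC=mycompany,DC=com",
    # constructed: ordinary principal, no conflict suffix
    r"CN=HTTP/othernode.mycompany.com,OU=Hadoop,DC=mycompany,DC=com",
    # constructed: escaped comma in the name plus a conflict suffix
    r"CN=Smith\, Jo\0ACNF:11111111-2222-3333-4444-555555555555,OU=Hadoop,DC=mycompany,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(conflict_info(dn))
```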