attributeSchema object without attributeID cause crash when processing NTDS

[william-billaud]

When loading schema index :

dissect.database/dissect/database/ese/ntds/schema.py

Line 173 in 64ae6d8

self._add_attribute(

, we may have to deal with attributeSchema object without attributeID. I'm not sure if the missing attributeID is caused by a data corruption, or is a Windows weirdness.

if I add the following two line just before the self._add_attribute

            if obj.get("attributeID", raw=True) is None:
                print(f"Weird attributes : {obj.get('lDAPDisplayName')}")
                print(obj.as_dict())

I got the following error

Weird attributes : msExchHttpDeliveryConnector
{'DNT': 83280, 'Pdnt': 2014, 'Obj': True, 'RdnType': 'cn', 'CNT': 2, 'AB_cnt': 0, 'Time': None, 'Ncdnt': 2014, 'IsVisibleInAB': None, 'RecycleTime': None, 'Ancestors': [2, 2006, 2007, 2008, 2014, 83280], 'lDAPDisplayName': 'msExchHttpDeliveryConnector', 'objectClass': ['classSchema', 'top'], 'governsID': 752256038, 'name': 'ms-Exch-Http-Delivery-Connector', 'cn': 'ms-Exch-Http-Delivery-Connector', 'instanceType': <InstanceType.Writable: 4>}
Traceback (most recent call last):
  File "/home/USERNAME/Documents/tools/github/dissect.database/dissect/database/ese/tools/ntds.py", line 28, in <module>
    main()
  File "/home/USERNAME/Documents/tools/github/dissect.database/dissect/database/ese/tools/ntds.py", line 18, in main
    ntds = NTDS(fh)
           ^^^^^^^^
  File "/home/USERNAME/Documents/tools/github/dissect.database/dissect/database/ese/ntds/ntds.py", line 31, in __init__
    self.db = Database(fh)
              ^^^^^^^^^^^^
  File "/home/USERNAME/Documents/tools/github/dissect.database/dissect/database/ese/ntds/database.py", line 37, in __init__
    self.data.schema.load(self)
  File "/home/USERNAME/Documents/tools/github/dissect.database/dissect/database/ese/ntds/schema.py", line 177, in load
    self._add_attribute(
  File "/home/USERNAME/Documents/tools/github/dissect.database/dissect/database/ese/ntds/schema.py", line 224, in _add_attribute
    column=f"ATT{OID_TO_TYPE[type_oid]}{id}",
                 ~~~~~~~~~~~^^^^^^^^^^
KeyError: 'NONE'

A quick win would be to juste ignore this kind of entry, but I'm still trying to identify the impact.

NTDS is from a 2012 R2 server (not shareable) .

[Schamper]

The JSON dump shows its actually a classSchema object. Maybe something funky still in our index iteration code.

[william-billaud]

You're right, I hadn't noticed that, will take a closer when time permit.

[Schamper]

I did change some logic in the binary search algorithm, so you may have to go that deep with debugging. If you have any idea on how to get reproducible data, that would be nice.