
[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid


This is a Samba AD domain upgraded from Samba 3.x with classicupgrade.

Debian 9.4
Samba: 4.7.6 (packages from tranquil.it)

# cat /etc/samba/smb.conf
[global]
        netbios name = DC1
        realm = IWW.LAN
        server role = active directory domain controller
        workgroup = IWW
        idmap_ldb:use rfc2307 = yes
        dns forwarder =
        dsdb:schema update allowed=true

[netlogon]
        path = /var/lib/samba/sysvol/iww.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not
    match expected value %s from GPO object' %
    (acl_type(direct_db_access), path, fsacl_sddl, acl))

running "samba-tool ntacl sysvolcheck" doesn't fix this. 

In my investigation for this I tried to use the script from

This led to another error:

root@dc1:~# wbinfo -S S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

However, other SIDs do work:

root@dc1:~# wbinfo -S S-1-5-32-543
root@dc1:~# wbinfo -S S-1-5-32-545

S-1-5-32-544 is the Administrator group, which is a builtin group. I
noticed that this group already existed in the Samba 3 OpenLDAP DIT
with gidNumber 514.

There are other builtin groups which pre-existed in OpenLDAP. All these
pre-existing groups have POSIX attributes (gidNumber, objectClass posixGroup)
set and raise the same error. Other well-known SIDs which did not
pre-exist can be converted to UIDs.

So my first idea was to remove those POSIX attributes from the
problematic groups (I tried it on Backup Operators, S-1-5-32-551), but to no avail.

Is it possible that the sysvolcheck error is related to this?

Any suggestions on how to proceed?

Kind Regards,

