i was not able to find anything about my issue in the bug-tracker,
the mailinglist or the release notes. We see the following issue
using samba-tool dsacl:

samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'

  new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:
  Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)
  ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 174, in run
      self.add_ace(samdb, objectdn, new_ace)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 129, in add_ace
      desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))

There seems to be no relation between the sddl itself and the error. We
tried numerous variants as the sddl-value.

If i manually remove "S:AI" via LDB and then re-run the dsacl set, it
works. It actually does re-add the "S:AI" on the correct position and
all following dsacl sets via samba-tool does work too. If i delete
the added ACEs manually via LDB again, it breaks again.

Additionally, the problem occurs on all nodes from
down to

It does not occur on
and below.

Does anyone have an idea what could be the reason for this behaviour?

I'm perfectly fine with providing more information. Just let me know.

Thanks in advance!
