New acl module and workstation trying to upgrade some information

[Matthieu Patou]

Hello nadya,

As we discussed this a few months ago workstation and server (ie. 
windows 2008) is trying to update some attributes through LDAP when it 
starts.

After upgrading I'm still having messages like
Failed to modify SPNs on CN=w2k8,CN=Computers,DC=smb4,DC=tst: error in 
module acl: insufficient access rights (50)

Here is the SD of this server:

O:DOMSID-512G:DOMSID-513D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DOMSID-512)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
(A;;RPCRLCLORCSDDT;;;DOMSID-512)
(A;IO;RPCRLCLORCSDDT;;;CO)
(OA;;WP;4c164200-20c0-11d0-a768-00aa006e0529;;DOMSID-512)
(OA;IO;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)
(A;;RPLCLORC;;;AU)
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)
(A;;CCDC;;;PS)
(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)
(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;DOMSID-517)
(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)
(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)
(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)
(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;DOMSID-512)
(OA;IO;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;CO)
(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;DOMSID-512)
(OA;IO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)
(OA;;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
(OA;IO;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
(OA;;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
(OA;IO;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
(OA;IO;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;DOMSID-512)
(OA;IO;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)
(OA;CIIOID;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)
(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIIOID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)
(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DOMSID-519)
(A;CIID;LC;;;RU)
(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

The attribute is msDS-SupportedEncryptionTypes which is not in the SD above.

Is there something wrong ? The SD is generated for a 2003 level maybe 
the right is added when we have a 2008 level ?

Let me know.

Matthieu.