samba-tool 4.0.24 badly formatted sddl sid code

Mark Walker mark.walker at mobilefun.co.uk
Mon Feb 9 11:11:11 MST 2015 

Hey guys,

Seem to be having some problems cleaning up my servers ACLs with samba-tool
on my Ubuntu x64 machine running Sernet Samba 4.0.24.

Running the usual db check and fix seems to work just fine but adding in
the reset known acls line seems to cause problems for samba tool after
fixing a couple of ACLs it throws an exception.

This is the command I am running:
samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix

The result:
Checking 4947 objects
Unknown sddl sid code 'Dn'
Badly formatted SDDL
'AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;DnsAdmins)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)'
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse
SDDL
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/dbcheck.py", line
136, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python2.6/dist-packages/samba/dbchecker.py", line 109, in
check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python2.6/dist-packages/samba/dbchecker.py", line 922, in
check_object
    well_known_sd = self.get_wellknown_sd(dn)
  File "/usr/lib/python2.6/dist-packages/samba/dbchecker.py", line 857, in
get_wellknown_sd
    name_map=self.name_map))
  File "/usr/lib/python2.6/dist-packages/samba/descriptor.py", line 362, in
get_dns_domain_microsoft_dns_descriptor
    return sddl2binary(sddl, domain_sid, name_map)
  File "/usr/lib/python2.6/dist-packages/samba/descriptor.py", line 43, in
sddl2binary
    sec = security.descriptor.from_sddl(sddl, domain_sid)

There didnt seem to be any major issues when testing samba without this
command but I would like to start my long awaited upgrade from a good point.

I will backup the samba data dirs and try again with 4.1 to see if this is
a regression within the maintenance branch.

Thanks again and great work guys and gals!
Mark

More information about the samba-technical mailing list