[Samba] Error with "samba-tool ntacl get --as-sddl"

Miguel Medalha medalist at sapo.pt
Wed May 18 18:59:10 UTC 2016

> Hi, this is because when you use '--as-sddl', the python code does this:
>         if as_sddl:
>             try:
>                 domain_sid = security.dom_sid(samdb.domain_sid)
>             except:
>                 raise CommandError("Unable to read domain SID from 
> configuration files")
>             self.outf.write(acl.as_sddl(domain_sid)+"\n")
> Or to put it in English, it tries to get the Domain SID from sam.ldb 
> and this doesn't exist on a member server.

And yet the member server "knows" what the Domain SID is (as shown by 
"net getdomainsid"). Isn't a file server exactly the place where setting 
ACEs using the sddl format would be the most useful? Can this limitation 
be removed or was it "by design"?

It seems to me that with acl_xattr offering complete Windows ACLs the 
situation is now mature enough and demands a proper tool for setting 
Windows ACLs from a *nix command line. This would greatly facilitate the 
life of those who maintain remote servers through ssh. A tool similar to 
icacls or SetACL in the Windows world.

More information about the samba mailing list