[Samba] Error with "samba-tool ntacl get --as-sddl"

Rowland penny rpenny at samba.org
Wed May 18 19:28:09 UTC 2016

On 18/05/16 19:59, Miguel Medalha wrote:
>> Hi, this is because when you use '--as-sddl', the python code does this:
>>         if as_sddl:
>>             try:
>>                 domain_sid = security.dom_sid(samdb.domain_sid)
>>             except:
>>                 raise CommandError("Unable to read domain SID from 
>> configuration files")
>>             self.outf.write(acl.as_sddl(domain_sid)+"\n")
>> Or to put it in English, it tries to get the Domain SID from sam.ldb 
>> and this doesn't exist on a member server.
> And yet the member server "knows" what the Domain SID is (as shown by 
> "net getdomainsid"). Isn't a file server exactly the place where 
> setting ACEs using the sddl format would be the most useful? Can this 
> limitation be removed or was it "by design"?

I think that when the command was written, it was expected to be only 
run on a DC; don't forget 3.6 was still being produced then.

Can it be made to work on a domain member? Probably yes: the command 
just needs to be able to connect to a DC to get the domain SID, or 
another way found to get the SID. If you understand python, you could 
always provide a patch yourself.


> It seems to me that with acl_xattr offering complete Windows ACLs the 
> situation is now mature enough and demands a proper tool for setting 
> Windows ACLs from a *nix command line. This would greatly facilitate 
> the life of those who maintain remote servers through ssh. A tool 
> similar to icacls or SetACL in the Windows world.

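As an added illustration (not code from this thread or from samba-tool) of why as_sddl needs the domain SID: SDDL abbreviates domain-relative SIDs such as Domain Admins (RID 512) to two-letter aliases like "DA", which cannot be resolved without knowing the domain prefix, whereas fixed well-known SIDs can. The sample `net getdomainsid` output and the ACL below are constructed, and the SDDL rendering is a simplified one, not Samba's own formatter.

```python
import re

# SDDL aliases for well-known SIDs that do not depend on the domain.
FIXED_ALIASES = {
    "S-1-1-0": "WD",       # Everyone
    "S-1-5-11": "AU",      # Authenticated Users
    "S-1-5-18": "SY",      # Local System
    "S-1-5-32-544": "BA",  # Builtin Administrators
    "S-1-5-32-545": "BU",  # Builtin Users
}

# Domain-relative RIDs: their alias is only known once the domain SID is known.
DOMAIN_RID_ALIASES = {512: "DA", 513: "DU", 515: "DC"}

# Matches the "SID for domain <NAME> is: <SID>" line printed by `net getdomainsid`.
DOMAIN_SID_RE = re.compile(r"^SID for domain \S+ is: (S-1-5-21-\d+-\d+-\d+)$", re.M)

# Constructed sample of `net getdomainsid` output on a member server (not real values).
SAMPLE_NET_OUTPUT = (
    "SID for local machine FILESRV is: S-1-5-21-1111111111-2222222222-3333333333\n"
    "SID for domain EXAMPLE is: S-1-5-21-4444444444-5555555555-6666666666\n"
)


def domain_sid_from_net_output(text):
    # One way a member server could learn the domain SID without sam.ldb.
    m = DOMAIN_SID_RE.search(text)
    return m.group(1) if m else None


def sid_to_sddl(sid, domain_sid=None):
    # Alias if known; without a domain SID, domain RIDs fall back to the raw SID.
    if sid in FIXED_ALIASES:
        return FIXED_ALIASES[sid]
    if domain_sid and sid.startswith(domain_sid + "-"):
        rid = int(sid[len(domain_sid) + 1:])
        if rid in DOMAIN_RID_ALIASES:
            return DOMAIN_RID_ALIASES[rid]
    return sid


def acl_to_sddl(owner, group, aces, domain_sid=None):
    # aces: list of (ace_type, flags, access_mask, sid), e.g. ("A", "OICI", 0x1f01ff, sid).
    parts = ["O:" + sid_to_sddl(owner, domain_sid),
             "G:" + sid_to_sddl(group, domain_sid), "D:"]
    for ace_type, flags, mask, sid in aces:
        parts.append("(%s;%s;0x%x;;;%s)" % (ace_type, flags, mask,
                                            sid_to_sddl(sid, domain_sid)))
    return "".join(parts)
```

Rendering the same ACL with and without the parsed domain SID shows the difference: the aliases "DA" and "DU" appear only when the domain prefix is supplied; otherwise the raw S-1-5-21-... strings are emitted.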