[Samba] "This security ID may not be assigned as the owner of this object" when trying to create a GPO

Sebastian Arcus s.arcus at open-t.co.uk
Tue Apr 25 19:18:24 UTC 2017


I upgraded Samba from an NT PDC to an AD DC about a week ago. 
Everything went pretty well until today. I've already configured about 
25 GPOs (through RSAT on a Windows 10 machine) - but when I came to add 
more GPOs - it wouldn't let me, giving the above error message. My specs are:

Samba 4.5.0
Slackware -current 64bit
Kernel 4.4.20

The client machine is a Windows 10 Pro.

On the server I tried "samba-tool ntacl sysvolreset", which completes, 
but sysvolcheck has always given errors from the beginning of the 
upgrade (and keeps on doing so):

#samba-tool ntacl sysvolcheck

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/hebi.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 
270, in run
     lp)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1723, in checksysvolacl
     direct_db_access)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1674, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1621, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))

I also get a not very helpful error from samba-tool gpo aclcheck:

#samba-tool gpo aclcheck

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 
1150, in run
     ds_sd_ndr = m['nTSecurityDescriptor'][0]

Could anyone provide some hints as to where I should be looking next? 
What bugs me is that everything was working fine until today - and it 
stopped working seemingly out of the blue. I was mainly adding GPOs and 
not touching the main config - so I can't work out what could have gone wrong.

Many thanks for any hints.
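
The two SDDL strings in the sysvolcheck error above are long enough that the mismatch is hard to spot by eye. The following is an added example, not part of the original post and not Samba's own code: it splits both strings into owner, group and ACL components and reports which ones differ. The function names are hypothetical, and the parser assumes plain ACEs without conditional expressions.

```python
import re

# SDDL aliases that occur in the sysvolcheck output quoted in the post.
SID_ALIASES = {
    "LA": "Administrator account (RID 500)", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}

_SID = r"(S-1-[\d-]+|[A-Z]{2})"          # full SID or two-letter alias
_ACL = r"([A-Z]*)((?:\([^()]*\))*)"      # ACL flags, then (ace)(ace)...
_SDDL = re.compile(rf"^(?:O:{_SID})?(?:G:{_SID})?(?:D:{_ACL})?(?:S:{_ACL})?$")

# Both strings are copied from the error message in the post.
_ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
         "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
         "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
         "(A;OICI;0x001200a9;;;ED)")
ON_DISK = "O:LAG:DAD:P" + _ACES    # ACL found on the GPO directory
FROM_GPO = "O:DAG:DAD:P" + _ACES   # value expected from the GPO object


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, ACL flags and ordered ACE lists."""
    m = _SDDL.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported or malformed SDDL: %r" % sddl)
    owner, group, dflags, daces, sflags, saces = m.groups()
    aces = lambda s: re.findall(r"\(([^()]*)\)", s or "")
    return {"owner": owner, "group": group,
            "dacl_flags": dflags or "", "dacl": aces(daces),
            "sacl_flags": sflags or "", "sacl": aces(saces)}


def diff_sddl(actual, expected):
    """Return {component: (actual, expected)} for each component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


def describe(value):
    """Append the well-known name to a SID alias; other values pass through."""
    name = SID_ALIASES.get(value) if isinstance(value, str) else None
    return "%s (%s)" % (value, name) if name else str(value)


if __name__ == "__main__":
    for part, (got, want) in diff_sddl(ON_DISK, FROM_GPO).items():
        print("%s: on disk %s, expected %s" % (part, describe(got), describe(want)))
```

On the strings from the post it reports a single difference, the owner field (LA on disk, DA expected); the group, DACL flags and all seven ACEs are identical.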


