[Samba] samba-tool dsacl set fails with "Unknown flag"

Fabian Melters fmelters at linux-ag.com
Wed Aug 22 15:43:36 UTC 2018

I was not able to find anything about my issue in the bug tracker,
the mailing list or the release notes. We see the following issue
using samba-tool dsacl:
samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'                                                                                                      
  new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:                                                                                                                                          
  Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)                                                                                                                                                                            
  ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL                                                                                                                                                      
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run                                                                                                                                                
      return self.run(*args, **kwargs)                                                                                                                                                                                                 
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 174, in run                                                                                                                                                    
      self.add_ace(samdb, objectdn, new_ace)                                                                                                                                                                                           
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 129, in add_ace                                                                                                                                                
      desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))                                                                                                                                                      
There seems to be no relation between the sddl itself and the error. We
tried numerous variants as the sddl-value.
If I manually remove "S:AI" via LDB and then re-run the dsacl set, it
works. It actually does re-add the "S:AI" in the correct position and
all following dsacl sets via samba-tool do work too. If I delete
the added ACEs manually via LDB again, it breaks again.
Additionally, the problem occurs on all nodes from                                                                                                                                                                                     
down to                                                                                                                                                                                                                                
It does not occur on                                                                                                                                                                                                                   
and below.                                                                                                                                                                                                                             
Does anyone have an idea what could be the reason for this behaviour?                                                                                                                                                                  
I'm perfectly fine with providing more information. Just let me know.                                                                                                                                                                  

Thanks in advance
Fabian Melters
Senior Consultant / Head of Consulting

Linux Information Systems AG
Thomas-Dehler-Str. 9, 81737 München

+49 89 99341 217
fmelters at linux-ag.com (0x58178B4B), http://www.linux-ag.com
Registered office: Putzbrunner Str. 71, 81739 München
Munich District Court: HRB 128 019
Executive Board: Rudolf Strobl
Supervisory Board: Michael Tarabochia (Chairman)

*** The better IT for medium-sized businesses ***
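
Added example, not part of the original post and not Samba's code: the string quoted in the error, AIS:AI(A;CI;GA;;;DD), reads as DACL flags AI with no ACEs, then S:AI, then the new ACE. The sketch below splits an SDDL string into its O:/G:/D:/S: sections and inserts an ACE inside the D: section; the descriptor O:DAG:DAD:AIS:AI is constructed and the function names are hypothetical.

```python
import re

SECTIONS = "OGDS"  # owner, group, DACL, SACL: the order SDDL writes them in

def split_sddl(sddl):
    """Split an SDDL string into {'O': ..., 'G': ..., 'D': ..., 'S': ...}.

    Assumption: no quoted strings containing parentheses or colons
    (conditional / resource-attribute ACEs are not handled).
    """
    sections, current, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        # A section marker is one of O/G/D/S followed by ':' outside any ACE.
        if depth == 0 and ch in SECTIONS and sddl[i + 1:i + 2] == ":":
            if ch in sections:
                raise ValueError("duplicate section %s:" % ch)
            current, sections[ch] = ch, ""
            i += 2
            continue
        if current is None:
            raise ValueError("text before first section marker")
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses")
        sections[current] += ch
        i += 1
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return sections

def join_sddl(sections):
    return "".join(k + ":" + sections[k] for k in SECTIONS if k in sections)

def aces(section):
    """Return the ACE strings of one D: or S: section body."""
    return re.findall(r"\([^()]*\)", section)

def add_dacl_ace(sddl, ace):
    """Insert ace into the D: section, after its flags, ahead of other ACEs."""
    sections = split_sddl(sddl)
    flags, paren, rest = sections.get("D", "").partition("(")
    if ace not in aces(paren + rest):
        sections["D"] = flags + ace + paren + rest
    return join_sddl(sections)

if __name__ == "__main__":
    before = "O:DAG:DAD:AIS:AI"   # constructed: no ACEs in D: or S:
    ace = "(A;CI;GA;;;DD)"        # the ACE from the post
    print(split_sddl(before + ace))    # ACE appended at the end lands in S:
    print(add_dacl_ace(before, ace))   # ACE placed inside D:, before S:
```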