[Samba] samba-tool dsacl set fails with "Unknown flag"

Fabian Melters fmelters at linux-ag.com
Wed Aug 22 15:43:36 UTC 2018 

Hi,                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                       
i was not able to find anything about my issue in the bug-tracker,                                                                                                                                                                     
the mailinglist or the release notes. We see the following issue                                                                                                                                                                       
using samba-tool dsacl:                                                                                                                                                                                                                
                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                       
samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'                                                                                                      
                                                                                                                                                                                                                                       
  new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:                                                                                                                                          
  O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)                                                                                    
  Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)                                                                                                                                                                            
  ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL                                                                                                                                                      
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run                                                                                                                                                
      return self.run(*args, **kwargs)                                                                                                                                                                                                 
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 174, in run                                                                                                                                                    
      self.add_ace(samdb, objectdn, new_ace)                                                                                                                                                                                           
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 129, in add_ace                                                                                                                                                
      desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))                                                                                                                                                      
                                                                                                                                                                                                                                       
There seems to be no relation between the sddl itself and the error. We                                                                                                                                                                
tried numerous variants as the sddl-value.                                                                                                                                                                                             
                                                                                                                                                                                                                                       
If i manually remove "S:AI" via LDB and then re-run the dsacl set, it                                                                                                                                                                  
works. It actually does re-add the "S:AI" on the correct position and                                                                                                                                                                  
all following dsacl sets via samba-tool does work too. If i delete                                                                                                                                                                     
the added ACEs manually via LDB again, it breaks again.                                                                                                                                                                                
                                                                                                                                                                                                                                       
Additionally, the problem occurs on all nodes from                                                                                                                                                                                     
  cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de                                                                                                                                                              
down to                                                                                                                                                                                                                                
  cn=Netzwerk,ou=muc,DC=coreboso,DC=de                                                                                                                                                                                                 
                                                                                                                                                                                                                                       
It does not occur on                                                                                                                                                                                                                   
  ou=muc,DC=coreboso,DC=de                                                                                                                                                                                                             
and below.                                                                                                                                                                                                                             
                                                                                                                                                                                                                                       
Does anyone have an idea what could be the reason for this behaviour?                                                                                                                                                                  
                                                                                                                                                                                                                                       
I'm perfectly fine with providing more information. Just let me know.                                                                                                                                                                  

Thanks in advance
--
Fabian Melters
Senior Consultant / Leiter Consulting

Linux Information Systems AG
Thomas-Dehler-Str. 9, 81737 München

+49 89 99341 217
fmelters at linux-ag.com (0x58178B4B), http://www.linux-ag.com
----------------------------------------------------------
Sitz der Gesellschaft: Putzbrunner Str. 71, 81739 München
Amtsgericht München: HRB 128 019
Vorstand: Rudolf Strobl
Aufsichtsrat: Michael Tarabochia (Vorsitzender)

*** Die bestere IT für den Mittelstand ***
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180822/54f7a9dd/signature.sig>

More information about the samba mailing list