[Samba] samba-tool dsacl set fails with "Unknown flag"

Fabian Melters fmelters at linux-ag.com
Wed Aug 22 15:27:37 UTC 2018


Hi,

I was not able to find anything about my issue in the bug-tracker,
the mailing list or the release notes. We see the following issue
using samba-tool dsacl:


samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'

  new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:
  O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
  Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)
  ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 174, in run
      self.add_ace(samdb, objectdn, new_ace)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 129, in add_ace
      desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))

There seems to be no relation between the sddl itself and the error. We
tried numerous variants as the sddl-value.

If I manually remove "S:AI" via LDB and then re-run the dsacl set, it
works. It actually does re-add the "S:AI" in the correct position and
all following dsacl sets via samba-tool do work too. If I delete
the added ACEs manually via LDB again, it breaks again.

Additionally, the problem occurs on all nodes from
  cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de
down to
  cn=Netzwerk,ou=muc,DC=coreboso,DC=de

It does not occur on
  ou=muc,DC=coreboso,DC=de
and below.

Does anyone have an idea what could be the reason for this behaviour?

I'm perfectly fine with providing more information. Just let me know.

Thanks in advance!
--
Fabian Melters
Senior Consultant / Head of Consulting

Linux Information Systems AG
Thomas-Dehler-Str. 9, 81737 München

+49 89 99341 217
fmelters at linux-ag.com (0x58178B4B), http://www.linux-ag.com
----------------------------------------------------------
Registered office: Putzbrunner Str. 71, 81739 München
District court München: HRB 128 019
Executive board: Rudolf Strobl
Supervisory board: Michael Tarabochia (Chairman)

*** The better IT for medium-sized businesses ***
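
Added example, not part of the original post and not Samba's own code: a section-aware SDDL splitter run on the descriptor printed above and on the flag string quoted in the "Unknown flag" line. It shows that in the quoted string the new ACE sits behind "S:AI", and how an insert that respects section boundaries places an explicit ACE in the DACL ahead of inherited (ID) ACEs. The regex grammar and function names are assumptions and cover only simple ACEs (no conditional ACEs, no deny-before-allow ordering).

```python
import re

# Descriptor printed by samba-tool in the post above.
PAGE_SDDL = ("O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)"
             "S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
             "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
# Constructed: "D:" plus the flag string quoted in the "Unknown flag" line.
ERROR_TAIL = "D:" + "AIS:AI(A;CI;GA;;;DD)"

# Sections come in the order O:, G:, D:, S:; each ACL is flags, then (ACE)s.
_SDDL = re.compile(
    r"^(?:O:(?P<O>[^:()]+?))?(?:G:(?P<G>[^:()]+?))?"
    r"(?:D:(?P<Df>[A-Z]*)(?P<Da>(?:\([^()]*\))*))?"
    r"(?:S:(?P<Sf>[A-Z]*)(?P<Sa>(?:\([^()]*\))*))?$")

def parse_sddl(sddl):
    """Split SDDL into owner, group and per-ACL flags and ACE lists."""
    m = _SDDL.match(sddl)
    if m is None:
        raise ValueError("not a well-formed SDDL string: %r" % sddl)
    def acl(flags, aces):
        if flags is None:          # section not present at all
            return None
        return {"flags": flags, "aces": re.findall(r"\([^()]*\)", aces)}
    return {"O": m["O"], "G": m["G"],
            "D": acl(m["Df"], m["Da"]), "S": acl(m["Sf"], m["Sa"])}

def is_inherited(ace):
    """True if the ACE flags field (2-letter tokens) contains ID."""
    flags = ace.split(";")[1]
    return "ID" in [flags[i:i + 2] for i in range(0, len(flags), 2)]

def add_dacl_ace(sddl, new_ace):
    """Insert an explicit ACE into the DACL, ahead of inherited ACEs."""
    p = parse_sddl(sddl)
    dacl = p["D"] or {"flags": "", "aces": []}
    if new_ace in dacl["aces"]:
        return sddl                # already present, nothing to do
    explicit = [a for a in dacl["aces"] if not is_inherited(a)]
    inherited = [a for a in dacl["aces"] if is_inherited(a)]
    out = "".join("%s:%s" % (k, p[k]) for k in "OG" if p[k])
    out += "D:" + dacl["flags"] + "".join(explicit + [new_ace] + inherited)
    if p["S"] is not None:         # SACL is carried over untouched
        out += "S:" + p["S"]["flags"] + "".join(p["S"]["aces"])
    return out
```

Read with section boundaries, ERROR_TAIL has an empty DACL with the AI flag and the "(A;CI;GA;;;DD)" ACE in the SACL part, whereas add_dacl_ace(PAGE_SDDL, "(A;CI;GA;;;DD)") keeps "S:AI(OU;...)" unchanged and puts the ACE directly after "D:AI".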