[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid

Henry Jensen hjensen at mailbox.org
Fri May 25 13:37:10 UTC 2018


Hello,

this is a Samba AD Domain upgraded from Samba 3.x with classicupgrade. 

Debian 9.4
Samba: 4.7.6 (packages from tranquil.it)

# cat /etc/samba/smb.conf

[global]
        netbios name = DC1
        realm = IWW.LAN
        server role = active directory domain controller
        workgroup = IWW
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 172.16.1.12
        dsdb:schema update allowed=true

[netlogon]
        path = /var/lib/samba/sysvol/iww.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not
    match expected value %s from GPO object' %
    (acl_type(direct_db_access), path, fsacl_sddl, acl))


running "samba-tool ntacl sysvolcheck" doesn't fix this. 

In my investigation for this I tried to use the script from
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh. 

This lead to another error:

root at dc1:~# wbinfo -S S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid

However, other SID's do work:

root at dc1:~# wbinfo -S S-1-5-32-543
3000023
root at dc1:~# wbinfo -S S-1-5-32-545
3000007


S-1-5-32-544 is the Administrator group, which is a builtin group. I
noticed, that this group already existed in the Samba 3 OpenLDAP DIT
with gidNumber 514. 

There are other builtin groups which pre-existed in OpenLDAP. All this pre-existing
groups have Posix attributes (gidNumber, objectClass posixGroup) set
and raises the same error. Other well-known SIDs which have not
pre-existed can be converted to UIDs

So my first idea was to remove those Posix attributes from the
problematic groups (I tried it on Backup Operators S-1-5-32-551), but to no avail.

Is it possible, that sysvolcheck error is related to this?

Any suggestions on how to proceed?

Kind Regards,

Henry





More information about the samba mailing list