[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
Henry Jensen
hjensen at mailbox.org
Fri May 25 13:37:10 UTC 2018
Hello,
this is a Samba AD Domain upgraded from Samba 3.x with classicupgrade.
Debian 9.4
Samba: 4.7.6 (packages from tranquil.it)
# cat /etc/samba/smb.conf
[global]
netbios name = DC1
realm = IWW.LAN
server role = active directory domain controller
workgroup = IWW
idmap_ldb:use rfc2307 = yes
dns forwarder = 172.16.1.12
dsdb:schema update allowed=true
[netlogon]
path = /var/lib/samba/sysvol/iww.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' %
(acl_type(direct_db_access), path, fsacl_sddl, acl))
Running "samba-tool ntacl sysvolcheck" doesn't fix this.
In my investigation for this I tried to use the script from
https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh.
This led to another error:
root at dc1:~# wbinfo -S S-1-5-32-544
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
However, other SIDs do work:
root at dc1:~# wbinfo -S S-1-5-32-543
3000023
root at dc1:~# wbinfo -S S-1-5-32-545
3000007
S-1-5-32-544 is the Administrator group, which is a builtin group. I
noticed that this group already existed in the Samba 3 OpenLDAP DIT
with gidNumber 514.
There are other builtin groups which pre-existed in OpenLDAP. All these pre-existing
groups have Posix attributes (gidNumber, objectClass posixGroup) set
and raise the same error. Other well-known SIDs which have not
pre-existed can be converted to UIDs.
So my first idea was to remove those Posix attributes from the
problematic groups (I tried it on Backup Operators S-1-5-32-551), but to no avail.
Is it possible that the sysvolcheck error is related to this?
Any suggestions on how to proceed?
Kind Regards,
Henry
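Added example, not part of Henry's mail and not Samba's own code: a small SDDL parser that splits the two security descriptors quoted in the sysvolcheck traceback into owner, group, DACL flags and ACEs, then reports only the fields that differ. The trustee abbreviations (LA, DA, EA, CO, SY, AU, ED) and the two access masks are the standard SDDL values; the sample strings are copied from the error message above. Run on those strings it shows that the ACE lists are identical and only the owner differs: the directory on disk is owned by LA (the domain Administrator account) where the GPO object expects DA (Domain Admins), which is a useful thing to know before reaching for samba-tool ntacl sysvolreset.

```python
"""Compare the on-disk and expected SDDL from a samba-tool ntacl sysvolcheck
error and report the fields that differ (illustrative, not Samba code)."""
import re
from typing import Dict, List, Optional, Tuple

# Standard SDDL trustee abbreviations that occur in the sysvol ACLs.
TRUSTEE_NAMES = {
    "LA": "Domain Administrator account (RID 500)",
    "DA": "Domain Admins (RID 512)",
    "EA": "Enterprise Admins (RID 519)",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Access masks used in these ACLs.
MASK_NAMES = {0x001F01FF: "full control", 0x001200A9: "read & execute"}

_SECTION = re.compile(r"(O|G|D|S):")   # owner, group, DACL, SACL markers
_ACE = re.compile(r"\(([^)]*)\)")      # one parenthesised ACE


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Split an SDDL string into owner, group, DACL flags and ACE tuples."""
    marks = list(_SECTION.finditer(sddl))
    if not marks:
        raise ValueError("not an SDDL string: %r" % sddl)
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    dacl = sections.get("D", "")
    first = dacl.find("(")
    flags = dacl if first < 0 else dacl[:first]  # e.g. "P" = protected
    aces = []
    for body in _ACE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, obj_guid, inh_guid, trustee = fields
        # Rights are hex in these strings; keep letter codes (FA, GA...) as-is.
        mask = int(rights, 16) if rights.lower().startswith("0x") else rights
        aces.append((ace_type, ace_flags, mask, obj_guid, inh_guid, trustee))
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": flags, "aces": aces}


def diff_acl(actual: str, expected: str) -> List[Tuple[str, object, object]]:
    """Return (field, actual, expected) for every field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for key in ("owner", "group", "dacl_flags"):
        if a[key] != e[key]:
            diffs.append((key, a[key], e[key]))
    # ACEs are compared positionally, so a reordered ACE also shows up.
    for i in range(max(len(a["aces"]), len(e["aces"]))):
        left: Optional[tuple] = a["aces"][i] if i < len(a["aces"]) else None
        right: Optional[tuple] = e["aces"][i] if i < len(e["aces"]) else None
        if left != right:
            diffs.append(("ace[%d]" % i, left, right))
    return diffs


def explain(diffs: List[Tuple[str, object, object]]) -> List[str]:
    """Render each difference with the well-known trustee names filled in."""
    out = []
    for field, left, right in diffs:
        if field in ("owner", "group"):
            out.append("%s is %s (%s) but should be %s (%s)" % (
                field, left, TRUSTEE_NAMES.get(left, left),
                right, TRUSTEE_NAMES.get(right, right)))
        else:
            out.append("%s: %r vs %r" % (field, left, right))
    return out


# The two descriptors quoted in the sysvolcheck error (copied from the mail).
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001200a9;;;ED)")
EXPECTED = "O:DA" + ACTUAL[4:]   # identical except for the owner field

if __name__ == "__main__":
    for line in explain(diff_acl(ACTUAL, EXPECTED)):
        print(line)
```

The parser deliberately does not try to decode the full SDDL grammar (object GUIDs, conditional ACEs); it covers the subset Samba writes for sysvol, which is enough to turn a 400-character "does not match" message into a one-line answer.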