[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid
Rowland Penny
rpenny at samba.org
Fri May 25 14:07:57 UTC 2018
On Fri, 25 May 2018 15:37:10 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:
> Hello,
>
> this is a Samba AD Domain upgraded from Samba 3.x with
> classicupgrade.
>
> Debian 9.4
> Samba: 4.7.6 (packages from tranquil.it)
>
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO
> directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object File
If you look closely (very closely), you will see that only one letter is
different, and it is at the very start:
O:LAG:DAD:P(
O:DAG:DAD:P(
LA = Local Administrator
DA = Domain Admins
>
> running "samba-tool ntacl sysvolcheck" doesn't fix this.
Well, it wouldn't; they are both borked.
Just do administration from Windows.
>
> S-1-5-32-544 is the Administrator group, which is a builtin group. I
No, it is the 'Administrators' group
> noticed that this group already existed in the Samba 3 OpenLDAP DIT
> with gidNumber 514.
If we take it that '514' is actually a windows RID, then the group
should be Domain Guests.
>
> There are other builtin groups which pre-existed in OpenLDAP. All
> these pre-existing groups have Posix attributes (gidNumber,
> objectClass posixGroup) set and raise the same error. Other
> well-known SIDs which have not pre-existed can be converted to UIDs
>
From my experience, the only AD user/group in AD with a RID less than
1000 that should have a uidNumber or gidNumber is Domain Users.
> So my first idea was to remove those Posix attributes from the
> problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> to no avail.
Ah, you probably missed the magic incantation 'net cache flush' ;-)
>
> Is it possible, that sysvolcheck error is related to this?
No.
Rowland
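As an added example (not code from the thread or from Samba), a small Python helper that parses the two SDDL strings sysvolcheck printed above and reports where they differ, so the single-letter owner mismatch Rowland points at is made explicit; the alias names for EA, CO, SY, AU and ED are the standard Microsoft SDDL abbreviations, not taken from the page.

```python
import re

# Well-known SDDL SID abbreviations; LA/DA are named as in Rowland's reply,
# the rest are the standard Microsoft SDDL aliases.
SID_ALIASES = {
    "LA": "Local Administrator",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# A section starts with O:, G:, D: or S: and runs up to the next such marker.
SECTION_RE = re.compile(r"(O|G|D|S):((?:(?!(?:O|G|D|S):).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")

# The two descriptors quoted from the sysvolcheck output in the thread.
ACTUAL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = "O:DA" + ACTUAL[4:]  # identical except for the owner alias

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE field tuples."""
    parts = {m.group(1): m.group(2) for m in SECTION_RE.finditer(sddl)}
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]  # e.g. "P" = protected DACL (no inheritance)
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": flags, "aces": aces}

def describe(sid):
    return SID_ALIASES.get(sid, sid)

def sddl_diff(actual, expected):
    """Return human-readable differences between two descriptors, ACE order ignored."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [f"{f}: {describe(a[f])} != {describe(e[f])}"
             for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    for ace in sorted(set(a["aces"]) ^ set(e["aces"])):
        side = "extra" if ace in a["aces"] else "missing"
        diffs.append(f"{side} ACE for {describe(ace[-1])}: ({';'.join(ace)})")
    return diffs
```

Calling `sddl_diff(ACTUAL, EXPECTED)` returns a single line reporting the owner mismatch (Local Administrator versus Domain Admins) and no ACE differences.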