[Samba] syscolcheck error / Could not convert sid S-1-5-32-544 to uid

Rowland Penny rpenny at samba.org
Fri May 25 14:07:57 UTC 2018 

On Fri, 25 May 2018 15:37:10 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> this is a Samba AD Domain upgraded from Samba 3.x with
> classicupgrade. 
> 
> Debian 9.4
> Samba: 4.7.6 (packages from tranquil.it)
> 
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: DB ACL on GPO
> directory /var/lib/samba/sysvol/iww.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object File

If you look closely (very closely), you will see that there is only one
letter different, it is at the very start:

O:LAG:DAD:P(

O:DAG:DAD:P(

LA = Local Administrator
DA = Domain Admins

> 
> running "samba-tool ntacl sysvolcheck" doesn't fix this.

Well it wouldn't, they are both borked.

Just do administration from Windows 
 
> 
> S-1-5-32-544 is the Administrator group, which is a builtin group. I

No, it is the 'Administrators' group

> noticed, that this group already existed in the Samba 3 OpenLDAP DIT
> with gidNumber 514. 

If we take it that '514' is actually a windows RID, then the group
should be Domain Guests.

> 
> There are other builtin groups which pre-existed in OpenLDAP. All
> this pre-existing groups have Posix attributes (gidNumber,
> objectClass posixGroup) set and raises the same error. Other
> well-known SIDs which have not pre-existed can be converted to UIDs
> 

From my experience, the only AD user/group in AD with a RID less than
1000 that should have a uidNumber or gidNumber is Domain Users.

> So my first idea was to remove those Posix attributes from the
> problematic groups (I tried it on Backup Operators S-1-5-32-551), but
> to no avail.

Ah, you probably missed the magic incantation 'net cache flush' ;-)

> 
> Is it possible, that sysvolcheck error is related to this?

No.

Rowland

More information about the samba mailing list