[Samba] Sysvol GPO ACLs problem

Rowland Penny rpenny at samba.org
Mon May 11 08:32:06 UTC 2020

On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> Hi,
> We are having problems with the sysvol AD shared folder in a Samba 4.9.13 AD.
> It has been running smoothly until recently, and we don't know how to fix it. We detected the problem while trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, it's not a literal translation): "this security identifier cannot be assigned as object owner".
> If we execute a sysvol check on the Linux DC (samba-tool ntacl sysvolcheck), we get this error:
> [root@mercurio2 ~]# samba-tool ntacl sysvolcheck
> O:LAG:DAD:P does not match expected value O:DAG:DAD:P
I have stripped that down to the difference. Have you given the Domain
Admins group a gidNumber attribute?
> And, if we execute a sysvol acl reset, we get this:
> [root@mercurio2 ~]# samba-tool ntacl sysvolreset
> WARNING: The "server schannel" option is deprecated
> WARNING: The "server schannel" option is deprecated
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ===============================================================
> PANIC (pid 22555): internal error
It shouldn't panic.
> We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
> [root@mercurio2 ~]# /usr/oper/samba-check-set-sysvol.sh
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-549 to uid
Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber?
> Please, do you know how to fix this, or at least where to begin?

What OS is this?

4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba?
Your problem may already have been fixed.
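
Added example, not part of the original message and not Samba's own code: a small Python helper that splits the two SDDL strings reported by `samba-tool ntacl sysvolcheck` into owner, group, DACL flags and ACEs and reports which component differs. The function names and the alias table (a subset of the standard SDDL SID aliases) are assumptions made for illustration.

```python
import re

# Subset of the standard SDDL SID aliases; extend as needed.
SID_ALIASES = {
    "LA": "Administrator account (RID 500)",
    "DA": "Domain Admins",
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "SY": "Local System",
}

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and DACL ACEs."""
    parts = {}
    # Each component starts with a one-letter tag and a colon (O:, G:, D:, S:).
    for chunk in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if chunk:
            parts[chunk[0]] = chunk[2:]
    dacl = parts.get("D", "")
    return {
        "owner": parts.get("O"),
        "group": parts.get("G"),
        "dacl_flags": dacl.split("(", 1)[0],
        "aces": re.findall(r"\(([^)]*)\)", dacl),
    }

def diff_sddl(actual, expected):
    """Return (component, actual, expected) for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    for ace in sorted(set(a["aces"]) - set(e["aces"])):
        diffs.append(("ace", ace, None))      # present on disk, not expected
    for ace in sorted(set(e["aces"]) - set(a["aces"])):
        diffs.append(("ace", None, ace))      # expected, missing on disk
    return diffs

def name(sid):
    """Expand a known alias; raw SIDs and unknown aliases pass through."""
    return SID_ALIASES.get(sid, sid)

if __name__ == "__main__":
    # The two shortened strings quoted in the thread.
    for comp, got, want in diff_sddl("O:LAG:DAD:P", "O:DAG:DAD:P"):
        print(f"{comp}: found {name(got)}, expected {name(want)}")
```

Run against the strings quoted above, it reports only the owner: the Administrator account where Domain Admins is expected.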