[Samba] Sysvol GPO ACLs problem

Pablo Sanz Fernández psanz at empre.es
Mon May 11 10:09:04 UTC 2020

Hi Rowland.

It's CentOS 6.10 with Python 2.6.6.

I guess then we must update to CentOS 8 and use Python 3?

We are worried about the compatibility of the latest versions of Samba with our Dell EMC Unity storage. We had to set the smb.conf option "server schannel" to keep it working with the Samba AD. Is this smb.conf option still valid, despite the deprecation warning, in the latest Samba versions?


Pablo Sanz Fernández

On 11/05/2020 08:31, Pablo Sanz Fernández via samba wrote:
> Hi,
> We are having problems with sysvol AD shared folder in a Samba 4.9.13 AD.
> It has been running smoothly until recently, and we don't know how to fix it. We detected the problem when trying to create a new AD GPO; it fails with the message (sorry, we have Windows in Spanish, so it's not a literal translation): "this security identifier cannot be assigned as object owner".
> If we execute in the linux DC a sysvol check (samba-tool ntacl sysvolcheck), we get this error:
> # samba-tool ntacl sysvolcheck
> O:LAG:DAD:P does not match expected value O:DAG:DAD:P
I have stripped that down to the difference, have you given the Domain Admins group a gidNumber attribute?
> And, if we execute a sysvol acl reset, we get this:
> # samba-tool ntacl sysvolreset
> WARNING: The "server schannel" option is deprecated
> WARNING: The "server schannel" option is deprecated
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 22555 (4.9.13)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ===============================================================
> PANIC (pid 22555): internal error
It shouldn't panic
> We also tried to use the sysvol repair permissions script (https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh):
> # /usr/oper/samba-check-set-sysvol.sh
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-32-549 to uid
Hmm, have you also given 'BUILTIN\Server Operators' a gidNumber ?
> Please, do you know how to fix this, or at least where to begin?

What OS is this?

4.9.x is EOL as far as Samba is concerned, so can you upgrade Samba? Your problem may already have been fixed.
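The two hints in this thread (the sysvol owner shows up as LA instead of DA, and S-1-5-32-549 cannot be mapped to a Unix id) can be checked before touching anything with sysvolreset, which is the command that panicked. The script below is an added example and is not code from the thread or from the Samba project: the SDDL parsing is plain sed so it can be exercised offline, and the live part only runs with the --live argument on a DC. It assumes sysvol lives under /var/lib/samba/sysvol and sam.ldb under /var/lib/samba/private (both overridable through the SYSVOL and SAMDB environment variables), that samba-tool, wbinfo and ldbsearch are on PATH, and that the live part is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: pull the owner/group out of the SDDL
# string sysvolcheck complains about, name the well-known aliases, and on a
# live DC ask Rowland's two questions: do Domain Admins and BUILTIN\Server
# Operators map to Unix gids? Assumed paths: /var/lib/samba/sysvol and
# /var/lib/samba/private/sam.ldb (override with SYSVOL and SAMDB).

# sddl_owner SDDL: print the owner token, i.e. what sits between "O:" and "G:".
sddl_owner() {
    printf '%s\n' "$1" | sed -n 's/^O:\([^:]*\)G:.*/\1/p'
}

# sddl_group SDDL: print the primary group token, between "G:" and "D:".
sddl_group() {
    printf '%s\n' "$1" | sed -n 's/^O:[^:]*G:\([^:]*\)D:.*/\1/p'
}

# alias_name TOKEN: expand the two-letter SDDL aliases seen in sysvol ACLs.
alias_name() {
    case "$1" in
        LA) printf '%s\n' 'local Administrator account (RID 500)' ;;
        DA) printf '%s\n' 'Domain Admins (RID 512)' ;;
        BA) printf '%s\n' 'BUILTIN\Administrators (S-1-5-32-544)' ;;
        SO) printf '%s\n' 'BUILTIN\Server Operators (S-1-5-32-549)' ;;
        SY) printf '%s\n' 'Local System (S-1-5-18)' ;;
        AU) printf '%s\n' 'Authenticated Users (S-1-5-11)' ;;
        CO) printf '%s\n' 'Creator Owner (S-1-3-0)' ;;
        *)  printf '%s\n' "$1" ;;    # a literal SID, or an alias we do not map
    esac
}

# diagnose_owner ACTUAL_SDDL EXPECTED_SDDL: returns 0 if the owners agree,
# 1 otherwise, and prints what the two tokens mean.
diagnose_owner() {
    actual_owner=$(sddl_owner "$1")
    expected_owner=$(sddl_owner "$2")
    if [ "$actual_owner" = "$expected_owner" ]; then
        printf 'owner OK: %s\n' "$(alias_name "$actual_owner")"
        return 0
    fi
    printf 'owner mismatch: is %s, expected %s\n' \
        "$(alias_name "$actual_owner")" "$(alias_name "$expected_owner")"
    if [ "$expected_owner" = DA ]; then
        # Rowland's first question in the thread
        printf 'hint: does the Domain Admins group have a gidNumber attribute?\n'
    fi
    return 1
}

# live_check: run the real commands on a DC. Deliberately never calls
# sysvolreset, which is the command that crashed in the thread.
live_check() {
    sysvol=${SYSVOL:-/var/lib/samba/sysvol}
    samdb=${SAMDB:-/var/lib/samba/private/sam.ldb}
    actual=$(samba-tool ntacl get "$sysvol" --as-sddl)
    diagnose_owner "$actual" 'O:DAG:DAD:P' || true   # expected value from the thread
    da_sid=$(wbinfo -n 'Domain Admins' | cut -d' ' -f1)
    for sid in "$da_sid" S-1-5-32-549; do
        if gid=$(wbinfo --sid-to-gid "$sid" 2>/dev/null); then
            printf '%s -> gid %s\n' "$sid" "$gid"
        else
            printf '%s has no gid mapping (cf. the wbcSidToUid error in the thread)\n' "$sid"
        fi
    done
    # The attribute itself, straight out of the directory
    ldbsearch -H "$samdb" '(|(cn=Domain Admins)(cn=Server Operators))' cn gidNumber
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check-sysvol-owner.sh --live` on the DC; without the argument it only defines the functions, so the parsing can be tried by hand, e.g. `diagnose_owner 'O:LAG:DAD:P' 'O:DAG:DAD:P'`. Note that sysvolcheck compares the full descriptor, while this script looks only at the owner and group fields that Rowland stripped the output down to.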

