[Samba] Broken dsacl on Default Domain Policy

Kees van Vloten keesvanvloten at gmail.com
Thu Feb 10 08:40:02 UTC 2022


Hi Team,


I am trying to get filtering by group on GPOs (with code on Linux, i.e. 
samba-tool etc.).
While experimenting something went wrong and I ended up with broken dsacls.

samba-tool gpo aclcheck
ERROR: Invalid GPO ACL 
O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG) 
on path (example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}), 
should be 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

Since my GPOs are created by code, the simple solution for broken stuff 
is to remove it (samba-tool gpo del), fix the code and rerun.

However at some point (don't know how it happened) I broke the dsacl of 
the "Default Domain Policy". On delete it complains: "ERROR(ldb): 
uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM"

ldbsearch shows "isCriticalSystemObject: TRUE", which is probably the 
cause of the above error.

The "Default Domain Policy" on the filesystem is empty.

My setup is Samba 4.15.5 (from Louis) on Bullseye.


Is there a way to fix / overwrite dsacls with a correct value, so that I 
do not need the delete/create operation?

If not: what would be the way to fix the "Default Domain Policy"?


- Kees
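As an added example (not part of Kees's post or of Samba's own code), the following Python script parses the two SDDL strings that `samba-tool gpo aclcheck` printed above and lists exactly what differs: the missing `P` (protected DACL) flag, the ACEs that grant no rights at all, and the duplicated or extra entries. It assumes the owner/group/DACL form shown in the post (no SACL part, no conditional ACEs) and does not check ACE ordering.

```python
import re
from collections import Counter

# Constructed sample: the two SDDL strings quoted by samba-tool gpo aclcheck
# in the post above (the ACL found on disk, and the one samba-tool expected).
ACTUAL = ("O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
          "(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;;;;WD)"
          "(A;;0x001f01ff;;;DA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Owner, group, DACL control flags, then the run of parenthesised ACEs.
_SDDL = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples.
    Each ACE is (type, flags, mask, object_guid, inherit_guid, trustee)."""
    m = _SDDL.match(sddl.strip())
    if not m:
        raise ValueError("not an owner/group/DACL descriptor: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE in %r" % sddl)
    return {"owner": m.group("owner"), "group": m.group("group"),
            "flags": set(re.findall(r"P|AI|AR", m.group("flags"))), "aces": aces}

def diff_gpo_acl(actual, expected):
    """Explain why the actual DACL differs from the expected one."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    return {
        "missing_flags": sorted(e["flags"] - a["flags"]),  # P = protected DACL
        "empty_mask": [x for x in ca if x[2] == ""],       # ACE granting nothing
        "surplus": {x: ca[x] - ce[x] for x in ca if ca[x] > ce[x]},  # dups/extras
        "missing": {x: ce[x] - ca[x] for x in ce if ce[x] > ca[x]},
    }

if __name__ == "__main__":
    for key, value in diff_gpo_acl(ACTUAL, EXPECTED).items():
        print(key, value)
```

Running it against the strings from the post reports the absent `P` flag, the empty-mask ACEs for WD and CG, and seven surplus entries (one extra copy each of the ED, EA, AU and SY ACEs plus the WD, CG and non-inheriting DA ones), with nothing missing.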