[Samba] Broken dsacl on Default Domain Policy

Kees van Vloten keesvanvloten at gmail.com
Thu Feb 10 08:40:02 UTC 2022

Hi Team,

I am trying to get filtering by group on GPOs (with code on Linux, i.e. 
samba-tool etc.).
While experimenting something went wrong and I ended up with broken dsacls.

samba-tool gpo aclcheck
on path (example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}), 
should be 

Since my GPOs are created by code, the simple solution for broken stuff 
is to remove it (samba-tool gpo del), fix the code and rerun.

However at some point (don't know how it happened) I broke the dsacl of 
the "Default Domain Policy". On delete it complains: "ERROR(ldb): 
uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM"

Ldbsearch shows "isCriticalSystemObject: TRUE", which is probably the 
cause of above error.

The "Default Domain Policy" on the filesystem is empty.

My setup is Samba 4.15.5 (from Louis) on Bullseye.

Is there a way to fix / overwrite dsacls with a correct value, so that I 
do not need the delete/create operation?

If not: what would be the way to fix the "Default Domain Policy"?

- Kees

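The post names the two places a GPO's permissions live, the directory object (checked by samba-tool dsacl) and the sysvol folder (checked by samba-tool ntacl), but does not show how to pull both up side by side. The following shell helpers are an added example, not code from the post or from Samba itself. They assume samba-tool is on PATH and is run as root on the DC, that the realm is example.com, and that sysvol lives under /var/lib/samba/sysvol; the GUID in the usage line is the one quoted in the post. The repair step itself is not shown, because the correct descriptor for the broken object is not on the page.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): locate a GPO's
# directory object and its sysvol folder, then dump both ACLs with samba-tool
# so they can be compared against what "samba-tool gpo aclcheck" reports.
# Assumptions: samba-tool on PATH, run as root on the DC; realm example.com;
# sysvol under /var/lib/samba/sysvol (override with the third argument).

# Turn a DNS realm into an LDAP base DN: example.com -> DC=example,DC=com
realm_to_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# Directory DN of a GPO given its GUID:
#   CN={GUID},CN=Policies,CN=System,<base DN>
gpo_dn() {
    printf 'CN=%s,CN=Policies,CN=System,%s' "$1" "$(realm_to_base_dn "$2")"
}

# Sysvol path of the same GPO: <sysvol>/<realm>/Policies/{GUID}
gpo_sysvol_path() {
    printf '%s/%s/Policies/%s' "${3:-/var/lib/samba/sysvol}" "$2" "$1"
}

# Print the directory descriptor (dsacl), the filesystem descriptor (ntacl)
# and the aclcheck result for one GPO. Only meaningful on a Samba DC.
gpo_show_acls() {
    guid="$1"; realm="$2"; sysvol="$3"
    echo "== dsacl for $(gpo_dn "$guid" "$realm")"
    samba-tool dsacl get --objectdn="$(gpo_dn "$guid" "$realm")"
    echo "== ntacl for $(gpo_sysvol_path "$guid" "$realm" "$sysvol")"
    samba-tool ntacl get "$(gpo_sysvol_path "$guid" "$realm" "$sysvol")"
    echo "== samba-tool gpo aclcheck"
    samba-tool gpo aclcheck
}

# Usage (run on the DC), with the GUID quoted in the post:
# gpo_show_acls '{6AC1786C-016F-11D2-945F-00C04FB984F9}' example.com
```

Comparing the dsacl output with the ntacl output is the first thing to do before touching either side: aclcheck compares the filesystem descriptor to what it derives from the directory object, so a broken directory descriptor makes every sysvol folder look wrong even when the files themselves are untouched.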