Fabian Melters
2018-Aug-22 15:27 UTC
[Samba] samba-tool dsacl set fails with "Unknown flag"
Hi,

I was not able to find anything about my issue in the bug tracker, the mailing list or the release notes. We see the following issue using samba-tool dsacl:

samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'

new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:
O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 174, in run
    self.add_ace(samdb, objectdn, new_ace)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 129, in add_ace
    desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))

There seems to be no relation between the sddl itself and the error. We tried numerous variants as the sddl-value.

If I manually remove "S:AI" via LDB and then re-run the dsacl set, it works. It actually does re-add the "S:AI" on the correct position and all following dsacl sets via samba-tool do work too. If I delete the added ACEs manually via LDB again, it breaks again.

Additionally, the problem occurs on all nodes from
cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de
down to
cn=Netzwerk,ou=muc,DC=coreboso,DC=de

It does not occur on
ou=muc,DC=coreboso,DC=de
and below.

Does anyone have an idea what could be the reason for this behaviour?

I'm perfectly fine with providing more information. Just let me know.

Thanks in advance!
--
Fabian Melters
Senior Consultant / Leiter Consulting
Linux Information Systems AG
Fabian Melters
2018-Aug-29 11:21 UTC
[Samba] samba-tool dsacl set fails with "Unknown flag"
Hello again,

first of all, sorry that I sent the same mail to the list twice. There was something going wrong on my side; let's ignore the other and let this be the main thread.

I'd really appreciate any hints to this issue.

Thanks in advance!
Fabian

On Wed, Aug 22, 2018 at 05:27:37PM +0200, Fabian Melters via samba wrote:
> Hi,
>
> I was not able to find anything about my issue in the bug tracker,
> the mailing list or the release notes. We see the following issue
> using samba-tool dsacl:
>
> samba-tool dsacl set --objectdn "cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de" --sddl='(A;CI;GA;;;DD)'
>
> new descriptor for cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:
> O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 174, in run
>     self.add_ace(samdb, objectdn, new_ace)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py", line 129, in add_ace
>     desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))
>
> There seems to be no relation between the sddl itself and the error. We
> tried numerous variants as the sddl-value.
>
> If I manually remove "S:AI" via LDB and then re-run the dsacl set, it
> works. It actually does re-add the "S:AI" on the correct position and
> all following dsacl sets via samba-tool do work too. If I delete
> the added ACEs manually via LDB again, it breaks again.
>
> Additionally, the problem occurs on all nodes from
> cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de
> down to
> cn=Netzwerk,ou=muc,DC=coreboso,DC=de
>
> It does not occur on
> ou=muc,DC=coreboso,DC=de
> and below.
>
> Does anyone have an idea what could be the reason for this behaviour?
>
> I'm perfectly fine with providing more information. Just let me know.
>
> Thanks in advance!