thr3ads.net - samba - [Samba] samba-tool dsacl set fails with "Unknown flag" [Aug 2018]

If this information is useful, please help other people find it:
Share via:

Fabian Melters

2018-Aug-22 15:43 UTC

[Samba] samba-tool dsacl set fails with "Unknown flag"

Hi,

i was not able to find anything about my issue in the bug-tracker,
the mailinglist or the release notes. We see the following issue
using samba-tool dsacl:


samba-tool dsacl set --objectdn
"cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de"
--sddl='(A;CI;GA;;;DD)'

  new descriptor for
cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de:
 
O:DAG:DAD:AI(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
  Unknown flag - S:AI(A;CI;GA;;;DD) in AIS:AI(A;CI;GA;;;DD)
  ERROR(<type 'exceptions.TypeError'>): uncaught exception -
Unable to parse SDDL
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 176, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py",
line 174, in run
      self.add_ace(samdb, objectdn, new_ace)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dsacl.py",
line 129, in add_ace
      desc = security.descriptor.from_sddl(desc_sddl,
self.get_domain_sid(samdb))

There seems to be no relation between the sddl itself and the error. We
tried numerous variants as the sddl-value.

If i manually remove "S:AI" via LDB and then re-run the dsacl set, it
works. It actually does re-add the "S:AI" on the correct position and
all following dsacl sets via samba-tool does work too. If i delete
the added ACEs manually via LDB again, it breaks again.

Additionally, the problem occurs on all nodes from
  cn=srv-client-99,cn=CoreBizClients,cn=Netzwerk,ou=muc,DC=coreboso,DC=de
down to
  cn=Netzwerk,ou=muc,DC=coreboso,DC=de

It does not occur on
  ou=muc,DC=coreboso,DC=de
and below.

Does anyone have an idea what could be the reason for this behaviour?

I'm perfectly fine with providing more information. Just let me know.

Thanks in advance
--
Fabian Melters
Senior Consultant / Leiter Consulting

Linux Information Systems AG
Thomas-Dehler-Str. 9, 81737 München

+49 89 99341 217
fmelters at linux-ag.com (0x58178B4B), http://www.linux-ag.com
----------------------------------------------------------
Sitz der Gesellschaft: Putzbrunner Str. 71, 81739 München
Amtsgericht München: HRB 128 019
Vorstand: Rudolf Strobl
Aufsichtsrat: Michael Tarabochia (Vorsitzender)

*** Die bestere IT für den Mittelstand ***
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180822/54f7a9dd/signature.sig>

Possibly Parallel Threads

Search for more possibly parallel threads

samba - Aug 2018 - samba-tool dsacl set fails with "Unknown flag"

[Samba] samba-tool dsacl set fails with "Unknown flag"

Possibly Parallel Threads

Wisdom of the Ancients