thr3ads.net - samba - [Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor [Apr 2024]

If this information is useful, please help other people find it:
Share via:

Daniel Müller

2024-Apr-15 05:53 UTC

[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

I did it:
root at dom2:~# samba-tool dbcheck --fix
Checking 705 objects
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc back to provision
default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the r
eference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the r
eference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
 [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted
Objects,DC=tlk,DC=loc'

Checked 705 objects (1 errors)



root at dom2:~# samba-tool dbcheck --cross-ncs
Checking 4506 objects
Not resetting nTSecurityDescriptor on CN=Deleted
Objects,CN=Configuration,DC=tlk,DC=loc

Not resetting nTSecurityDescriptor on CN=Deleted
Objects,DC=DomainDnsZones,DC=tlk,DC=loc

Not resetting nTSecurityDescriptor on CN=Deleted
Objects,DC=ForestDnsZones,DC=tlk,DC=loc

Checked 4506 objects (3 errors)
Please use 'samba-tool dbcheck --fix' to fix 3 errors
root at dom2:~# samba-tool dbcheck --fix
Checking 705 objects
Checked 705 objects (0 errors)

But the next "samba-tool dbcheck --cross-ncs" shows the same three
errors again!?

Greetings
Daniel

Von: Andrew Bartlett [mailto:abartlet at samba.org] 
Gesendet: Samstag, 13. April 2024 10:38
An: mueller at tropenklinik.de; samba samba <samba at lists.samba.org>
Betreff: Re: [Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

On Fri, 2024-04-12 at 08:03 +0200, Daniel M?ller via samba wrote:
Hello to all,

After updating to samba 4.20 (from samba 4.19) on Debian 11, samba-tool
dbcheck --cross-ncs
results in:
samba-tool dbcheck --cross-ncs
Checking 4499 objects
Not resetting nTSecurityDescriptor on CN=Deleted
Objects,CN=Configuration,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted
Objects,DC=DomainDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted
Objects,DC=ForestDnsZones,DC=tlk,DC=loc
Not resetting nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc

Checked 4499 objects (4 errors)
Please use 'samba-tool dbcheck --fix' to fix 4 errors

Do I have to perform samba-tool dbcheck --fix, though this server is the
second and the master still is running samba 4.19!?

Yes, you can reset this SD.  I've checked the code and we only improved
dbcheck, we didn't make a matching change to the C code.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

Rowland Penny

2024-Apr-15 07:28 UTC

head link

[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

On Mon, 15 Apr 2024 07:53:16 +0200
Daniel M?ller via samba <samba at lists.samba.org> wrote:
> I did it:
> root at dom2:~# samba-tool dbcheck --fix
> Checking 705 objects
> Reset nTSecurityDescriptor on CN=Deleted Objects,DC=tlk,DC=loc back
> to provision                                   default? Owner
> mismatch: SY (in ref) DA(in current) Group mismatch: SY (in ref)
> DA(in current) Part dacl is different between reference and current
> here is the detail: (A;;LCRPLORC;;;AU) ACE is not present in the
> reference (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in
> the r                                  eference
> (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the r
>                             eference (A;;CCDCLCSWRPWPSDRCWDWO;;;SY)
> ACE is not present in the current (A;;LCRP;;;BA) ACE is not present
> in the current [y/N/all/none] y Fixed attribute
> 'nTSecurityDescriptor' of 'CN=Deleted
Objects,DC=tlk,DC=loc'
> 
> Checked 705 objects (1 errors)
> 
> 
> 
> root at dom2:~# samba-tool dbcheck --cross-ncs
> Checking 4506 objects
> Not resetting nTSecurityDescriptor on CN=Deleted
> Objects,CN=Configuration,DC=tlk,DC=loc
> 
> Not resetting nTSecurityDescriptor on CN=Deleted
> Objects,DC=DomainDnsZones,DC=tlk,DC=loc
> 
> Not resetting nTSecurityDescriptor on CN=Deleted
> Objects,DC=ForestDnsZones,DC=tlk,DC=loc
> 
> Checked 4506 objects (3 errors)
> Please use 'samba-tool dbcheck --fix' to fix 3 errors
> root at dom2:~# samba-tool dbcheck --fix
> Checking 705 objects
> Checked 705 objects (0 errors)
> 
> But the next "samba-tool dbcheck --cross-ncs" shows the same
three
> errors again!?
> 
Try it like this:

samba-tool dbcheck --fix --yes

Rowland

Possibly Parallel Threads

Search for more seemingly similar threads

samba - Apr 2024 - Upgrade to 4.20: Not resetting nTSecurityDescriptor

[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

[Samba] Upgrade to 4.20: Not resetting nTSecurityDescriptor

Possibly Parallel Threads