Fabio Muzzi
2025-Aug-17 09:25 UTC
[Samba] smbcacls error: failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
I was testing Samba 4.22 (Debian 13) in a simple setup:
- One DC (Samba)
- One fileserver (Samba)
- One client (windows 11 24h2)
Everything works (or it seems to) from Windows: I can join the domain, manage
users, manage share permissions, access files.
I was trying to learn how to manage permissions from Linux, and got to try using
smbcacls to do it.
To make a long story short, I can use smbcacls like this without errors
root@fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache
REVISION:1
CONTROL:SR|PD|SI|DI|DP
OWNER:Unix User\root
GROUP:AD\Domain Admins
ACL:Unix User\root:ALLOWED/0x0/FULL
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:AD\Domain Users:ALLOWED/OI|CI/READ
ACL:AD\Domain Admins:ALLOWED/OI|CI/FULL
But as soon as I add the "--sddl" parameter I get an error:
root@fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache --sddl
source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host fileserver!
failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
O:S-1-22-1-0G:S-1-5-21-2435491250-758963225-146791338-512D:PAI(A;;FA;;;S-1-22-1-0)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2435491250-758963225-146791338-513)(A;OICI;FA;;;S-1-5-21-2435491250-758963225-146791338-512)
I have tried raising debug level to "-d10" and it seems to me that
it's just the server that answers "I don't know what you are asking
me". I'm not able to dig more into it because I don't have the
required knowledge of Samba and Windows internals.
You can find the output of "smbcacls //fileserver/documenti / --use-winbind-ccache --sddl -d10" as an attachment.
Thanks
--
Fabio Muzzi Frabetti
Consulenza informatica
Sistemi Linux - Sicurezza informatica - Sistemi VoIP
-------------- next part (attachment: output of smbcacls //fileserver/documenti / --use-winbind-ccache --sddl -d10) --------------
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
ldapsrv: 10
Processing section "[global]"
doing parameter workgroup = AD
doing parameter realm = AD.SAMBALAB.INTERNAL
doing parameter security = ADS
doing parameter winbind refresh tickets = Yes
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 3000-7999
doing parameter idmap config AD : backend = rid
doing parameter idmap config AD : range = 10000-999999
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = Yes
doing parameter store dos attributes = Yes
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface enp0s3 ip=10.0.2.11 bcast=10.0.2.255 netmask=255.255.255.0
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: No stored sitename for realm 'AD.SAMBALAB.INTERNAL'
internal_resolve_name: looking up fileserver#20 (sitename (null))
namecache_fetch: name fileserver#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.0.2.11 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1,
TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0,
IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=2626560, SO_RCVBUF=131072,
SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1,
TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
cli_session_setup_spnego_send: Connect to fileserver as administrator@AD.SAMBALAB.INTERNAL using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_gse_client_prepare_ccache: No kinit required for administrator@AD.SAMBALAB.INTERNAL to access cifs/fileserver, FILE:/tmp/krb5cc_0
gensec_update_send: gse_krb5[0x55c48370bd50]: subreq: 0x55c4836f09c0
gensec_update_send: spnego[0x55c48370a1d0]: subreq: 0x55c48370b300
gensec_update_done: gse_krb5[0x55c48370bd50]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x55c4836f09c0/source3/librpc/crypto/gse.c:1220]: state[2] error[0
(0x0)] state[struct gensec_gse_update_state (0x55c4836f0ba0)] timer[(nil)]
finish[source3/librpc/crypto/gse.c:1231]
gensec_update_done: spnego[0x55c48370a1d0]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0x55c48370b300/auth/gensec/spnego.c:1614]: state[2] error[0 (0x0)]
state[struct gensec_spnego_update_state (0x55c48370b4e0)] timer[(nil)]
finish[auth/gensec/spnego.c:2109]
gensec_update_send: gse_krb5[0x55c48370bd50]: subreq: 0x55c4837065f0
gensec_update_send: spnego[0x55c48370a1d0]: subreq: 0x55c4837101a0
gensec_update_done: gse_krb5[0x55c48370bd50]: NT_STATUS_OK
tevent_req[0x55c4837065f0/source3/librpc/crypto/gse.c:1220]: state[2] error[0
(0x0)] state[struct gensec_gse_update_state (0x55c4837067d0)] timer[(nil)]
finish[source3/librpc/crypto/gse.c:1238]
gensec_update_done: spnego[0x55c48370a1d0]: NT_STATUS_OK
tevent_req[0x55c4837101a0/auth/gensec/spnego.c:1614]: state[2] error[0 (0x0)]
state[struct gensec_spnego_update_state (0x55c483710380)] timer[(nil)]
finish[auth/gensec/spnego.c:2109]
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
Bind RPC Pipe: host fileserver auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0074 (116)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x02 (2)
ctx_list: ARRAY(2)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid :
12345778-1234-abcd-ef00-0123456789ab
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid :
8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0001 (1)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid :
12345778-1234-abcd-ef00-0123456789ab
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid :
6cb71c2c-9812-4540-0300-000000000000
if_version : 0x00000001 (1)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host fileserver
rpc_read_send: data_to_read: 76
state->pkt: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x005c (92)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x0000be20 (48672)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x02 (2)
ctx_list: ARRAY(2)
ctx_list: struct dcerpc_ack_ctx
result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE
(0)
reason : union dcerpc_bind_ack_reason(case
0)
value :
DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
syntax: struct ndr_syntax_id
uuid :
8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
ctx_list: struct dcerpc_ack_ctx
result :
DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK (3)
reason : union dcerpc_bind_ack_reason(case
3)
negotiate : 0x0003 (3)
1: DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING
1: DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
syntax: struct ndr_syntax_id
uuid :
00000000-0000-0000-0000-000000000000
if_version : 0x00000000 (0)
auth_info : DATA_BLOB length=0
rpc_api_pipe_got_pdu: got frag len of 92 at offset 0: NT_STATUS_OK
rpc_api_pipe: host fileserver returned 92 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine fileserver and bound
anonymously.
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level :
LSA_SECURITY_IMPERSONATION (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x20000000 (536870912)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host fileserver
rpc_read_send: data_to_read: 32
state->pkt: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
reserved : 0x00 (0)
stub_and_verifier : DATA_BLOB length=24
[0000] 01 00 00 00 7C C8 03 34 00 29 67 41 90 B8 EE 40 ....|..4 .)gA...@
[0010] C7 7C 94 2A 00 00 00 00 .|.*....
Got pdu len 48, data_len 24
rpc_api_pipe_got_pdu: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host fileserver returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000001 (1)
uuid :
3403c87c-2900-4167-90b8-ee40c77c942a
result : NT_STATUS_OK
lsa_QueryInfoPolicy2: struct lsa_QueryInfoPolicy2
in: struct lsa_QueryInfoPolicy2
handle : *
handle: struct policy_handle
handle_type : 0x00000001 (1)
uuid :
3403c87c-2900-4167-90b8-ee40c77c942a
level : LSA_POLICY_INFO_DOMAIN (3)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000016 (22)
context_id : 0x0000 (0)
opnum : 0x002e (46)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host fileserver
rpc_read_send: data_to_read: 16
state->pkt: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_FAULT (3)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0020 (32)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 3)
fault: struct dcerpc_fault
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
flags : 0x00 (0)
0: DCERPC_FAULT_FLAG_EXTENDED_ERROR_INFORMATION
status : DCERPC_NCA_S_OP_RNG_ERROR (469827586)
reserved : 0x00000000 (0)
error_and_verifier : DATA_BLOB length=0
source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR
received from host fileserver!
rpc_api_pipe_got_pdu: got frag len of 32 at offset 0:
NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
Domain SID: (NULL SID)
O:S-1-22-1-0G:S-1-5-21-2435491250-758963225-146791338-512D:PAI(A;;FA;;;S-1-22-1-0)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2435491250-758963225-146791338-513)(A;OICI;FA;;;S-1-5-21-2435491250-758963225-146791338-512)
Freeing parametrics:
Rowland Penny
2025-Aug-17 12:57 UTC
[Samba] smbcacls error: failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
On Sun, 17 Aug 2025 11:25:37 +0200 Fabio Muzzi via samba <samba@lists.samba.org> wrote:
> I was testing Samba 4.22 (Debian 13) in a simple setup:
> - One DC (Samba)
> - One fileserver (Samba)
> - One client (windows 11 24h2)
> Everything works (or it seems to) from Windows, I can join the
> domain, manage users, manage share permissions, access files.
> I was trying to learn how to manage permissions from Linux, and got
> to try using smbcacls to do it.
> To make a long story short, I can use smbcacls like this without
> errors
> root@fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache
> REVISION:1
> CONTROL:SR|PD|SI|DI|DP
> OWNER:Unix User\root
> GROUP:AD\Domain Admins
> ACL:Unix User\root:ALLOWED/0x0/FULL
> ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
> ACL:AD\Domain Users:ALLOWED/OI|CI/READ
> ACL:AD\Domain Admins:ALLOWED/OI|CI/FULL
> But as soon as I add the "--sddl" parameter I get an error:
> root@fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache --sddl
> source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host fileserver!
> failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
> O:S-1-22-1-0G:S-1-5-21-2435491250-758963225-146791338-512D:PAI(A;;FA;;;S-1-22-1-0)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2435491250-758963225-146791338-513)(A;OICI;FA;;;S-1-5-21-2435491250-758963225-146791338-512)

Sorry, I do not really have a fix for this, but I think I know what is going on.

If I run your command on one of my domain-joined computers, I get a similar output:

smbcacls //cm4nas/nas / --use-winbind-ccache --sddl
source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host cm4nas!
failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)(A;;FA;;;S-1-5-21-627072207-2265849604-124128874-513)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

Which perplexed me, to say the least, until I realised that 'S-1-5-21-1616340776-2573415785-2203473196' wasn't my AD domain SID, so where is it coming from?

Running 'sudo net getdomainsid' on cm4nas shows me:

SID for local machine CM4NAS is: S-1-5-21-1616340776-2573415785-2203473196
SID for domain SAMDOM is: S-1-5-21-627072207-2265849604-124128874

It is the SID for the local domain on that machine, but the computer's SID in AD is 'S-1-5-21-627072207-2265849604-124128874-2635', so no wonder RPC is failing, it appears to be trying to connect to CM4NAS instead of SAMDOM.

There is a workaround that I have found, add another switch.

smbcacls //cm4nas.samdom.example.com/nas / --use-winbind-ccache --domain-sid S-1-5-21-627072207-2265849604-124128874 --sddl
O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)(A;;FA;;;DU)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

Rowland
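The -d10 attachment above shows where the domain SID lookup dies: the lsarpc bind to \pipe\lsass succeeds and lsa_OpenPolicy returns a handle, but the next call, lsa_QueryInfoPolicy2 (opnum 0x2e, level LSA_POLICY_INFO_DOMAIN), comes back as a DCERPC_PKT_FAULT with DCERPC_NCA_S_OP_RNG_ERROR, and smbcacls then prints "Domain SID: (NULL SID)" before emitting the SDDL with every domain SID in full. Rowland's --domain-sid switch supplies the value that lookup would have produced, which is why his second run prints DU for RID 513. The script below is an added example (not part of the thread and not Samba's own code) that makes that transformation explicit: it picks the "SID for domain" line out of net getdomainsid output (a sample constructed in the shape of the reply), parses the O:G:D: string smbcacls --sddl prints, and collapses domain-relative SIDs into their SDDL aliases while leaving Unix S-1-22 SIDs and a member's own local-SAM S-1-5-21 SIDs alone. The alias table is the [MS-DTYP] list; the thread only confirms that Samba emits DU, the other aliases are assumed from the spec, and uid/gid names are not resolved since that needs the server's NSS.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the shape of the `net getdomainsid` output quoted in
# the reply above; the machine and domain names are the reply's own.
NET_GETDOMAINSID_SAMPLE = (
    "SID for local machine CM4NAS is: S-1-5-21-1616340776-2573415785-2203473196\n"
    "SID for domain SAMDOM is: S-1-5-21-627072207-2265849604-124128874\n"
)

# SDDL two-letter aliases for domain-relative RIDs ([MS-DTYP] 2.4.4.1).
# The thread only shows Samba emitting DU (513); the rest is assumed from the spec.
DOMAIN_RID_ALIASES = {
    500: "LA", 501: "LG", 512: "DA", 513: "DU", 514: "DG", 515: "DC",
    516: "DD", 517: "CA", 518: "SA", 519: "EA", 520: "PA", 553: "RS",
}

# A trustee is either a numeric SID or a two-letter SDDL alias (CO, WD, DU, ...).
SID_OR_ALIAS = r"(?:S-1-\d+(?:-\d+)+|[A-Z]{2})"
SDDL_RE = re.compile(
    rf"^O:(?P<owner>{SID_OR_ALIAS})G:(?P<group>{SID_OR_ALIAS})"
    rf"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


class Ace(NamedTuple):
    ace_type: str      # A = access allowed, D = access denied, ...
    ace_flags: str     # OI/CI/IO inheritance flags, empty for none
    rights: str        # FA, or a hex mask such as 0x1200a9
    object_guid: str
    inherit_guid: str
    trustee: str


class SecurityDescriptor(NamedTuple):
    owner: str
    group: str
    dacl_flags: str    # e.g. PAI = protected + auto-inherited
    aces: List[Ace]


def parse_net_getdomainsid(text: str) -> Dict[str, str]:
    """Map 'local' and 'domain' to the two SIDs `net getdomainsid` prints."""
    line_re = re.compile(r"SID for (local machine|domain) \S+ is: (S-1-5-21(?:-\d+){3})$")
    sids: Dict[str, str] = {}
    for line in text.splitlines():
        m = line_re.match(line.strip())
        if m:
            sids["local" if m.group(1) == "local machine" else "domain"] = m.group(2)
    return sids


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split an O:..G:..D:.. string as printed by `smbcacls --sddl`."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError(f"not a recognised SDDL string: {sddl!r}")
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE has {len(fields)} fields, expected 6: ({body})")
        aces.append(Ace(*fields))
    return SecurityDescriptor(m.group("owner"), m.group("group"), m.group("flags"), aces)


def abbreviate_sid(sid: str, domain_sid: Optional[str]) -> str:
    """Collapse <domain_sid>-<rid> to its SDDL alias when one is defined."""
    if domain_sid and sid.startswith(domain_sid + "-"):
        rid = int(sid[len(domain_sid) + 1:])
        return DOMAIN_RID_ALIASES.get(rid, sid)
    return sid


def describe_sid(sid: str, domain_sid: Optional[str]) -> str:
    """Explain a trustee roughly the way the non-SDDL smbcacls output names it."""
    if sid.startswith("S-1-22-1-"):          # Samba's Unix uid SID namespace
        return "Unix User uid=" + sid.rsplit("-", 1)[1]
    if sid.startswith("S-1-22-2-"):          # Samba's Unix gid SID namespace
        return "Unix Group gid=" + sid.rsplit("-", 1)[1]
    short = abbreviate_sid(sid, domain_sid)
    if short != sid:
        return f"{short} (RID {sid.rsplit('-', 1)[1]} of the AD domain)"
    if domain_sid and sid.startswith("S-1-5-21-") and sid.count("-") == 7:
        return f"{sid} (S-1-5-21 SID from another domain, e.g. the member's local SAM)"
    return sid


def abbreviate_sddl(sddl: str, domain_sid: str) -> str:
    """Re-emit the SDDL with domain-relative SIDs collapsed, as --domain-sid did for DU."""
    sd = parse_sddl(sddl)
    out = (f"O:{abbreviate_sid(sd.owner, domain_sid)}"
           f"G:{abbreviate_sid(sd.group, domain_sid)}D:{sd.dacl_flags}")
    for a in sd.aces:
        out += (f"({a.ace_type};{a.ace_flags};{a.rights};{a.object_guid};"
                f"{a.inherit_guid};{abbreviate_sid(a.trustee, domain_sid)})")
    return out


if __name__ == "__main__":
    sids = parse_net_getdomainsid(NET_GETDOMAINSID_SAMPLE)
    # SDDL from the reply's first (failing) run, re-emitted with the AD domain SID.
    sddl = ("O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:"
            "(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)"
            "(A;;FA;;;S-1-5-21-627072207-2265849604-124128874-513)"
            "(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)"
            "(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)")
    print(abbreviate_sddl(sddl, sids["domain"]))
    for ace in parse_sddl(sddl).aces:
        print(f"{ace.ace_type} {ace.ace_flags or '-':8} {ace.rights:9} "
              f"{describe_sid(ace.trustee, sids['domain'])}")
```

The practical check this encodes: the value handed to --domain-sid must be the "SID for domain" line, not the "SID for local machine" line, and any S-1-5-21 SID in the SDDL that does not share that prefix (the -1001 owner in Rowland's output) belongs to the member's own local SAM and will not collapse to an alias whatever domain SID is passed.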