Rowland Penny
2025-Aug-17 12:57 UTC
[Samba] smbcacls error: failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
On Sun, 17 Aug 2025 11:25:37 +0200
Fabio Muzzi via samba <samba at lists.samba.org> wrote:

> I was testing Samba 4.22 (Debian 13) in a simple setup:
>
> - One DC (Samba)
> - One fileserver (Samba)
> - One client (windows 11 24h2)
>
> Everything works (or it seems to) from Windows, I can join the
> domain, manage users, manage share permissions, access files.
>
> I was trying to learn how to manage permissions from Linux, and got
> to try using smbcacls to do it.
>
> To make a long story short, I can use smbcacls like this without
> errors
>
> root at fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache
> REVISION:1
> CONTROL:SR|PD|SI|DI|DP
> OWNER:Unix User\root
> GROUP:AD\Domain Admins
> ACL:Unix User\root:ALLOWED/0x0/FULL
> ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
> ACL:AD\Domain Users:ALLOWED/OI|CI/READ
> ACL:AD\Domain Admins:ALLOWED/OI|CI/FULL
>
> But as soon as I add the "--sddl" parameter I get an error:
>
> root at fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache --sddl
> source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host fileserver!
> failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
> O:S-1-22-1-0G:S-1-5-21-2435491250-758963225-146791338-512D:PAI(A;;FA;;;S-1-22-1-0)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2435491250-758963225-146791338-513)(A;OICI;FA;;;S-1-5-21-2435491250-758963225-146791338-512)

Sorry, but I do not really have a fix for this, but I think I know what
is going on.

If I run your command on one of my domain joined computers, I get a
similar output:

smbcacls //cm4nas/nas / --use-winbind-ccache --sddl
source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host cm4nas!
failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)(A;;FA;;;S-1-5-21-627072207-2265849604-124128874-513)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

Which perplexed me, to say the least, until I realised that
'S-1-5-21-1616340776-2573415785-2203473196' wasn't my AD domain SID, so
where is it coming from?

Running 'sudo net getdomainsid' on cm4nas shows me:

SID for local machine CM4NAS is: S-1-5-21-1616340776-2573415785-2203473196
SID for domain SAMDOM is: S-1-5-21-627072207-2265849604-124128874

It is the SID for the local domain on that machine, but the computer's
SID in AD is 'S-1-5-21-627072207-2265849604-124128874-2635', so no
wonder RPC is failing, it appears to be trying to connect to CM4NAS
instead of SAMDOM.

There is a workaround that I have found, add another switch.

smbcacls //cm4nas.samdom.example.com/nas / --use-winbind-ccache --domain-sid S-1-5-21-627072207-2265849604-124128874 --sddl
O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)(A;;FA;;;DU)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)

Rowland
Fabio Muzzi
2025-Aug-17 13:41 UTC
[Samba] smbcacls error: failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
On 17/08/2025 14.57, Rowland Penny via samba wrote:
> On Sun, 17 Aug 2025 11:25:37 +0200
> Fabio Muzzi via samba <samba at lists.samba.org> wrote:
>
>> I was testing Samba 4.22 (Debian 13) in a simple setup:
>>
>> - One DC (Samba)
>> - One fileserver (Samba)
>> - One client (windows 11 24h2)
>>
>> Everything works (or it seems to) from Windows, I can join the
>> domain, manage users, manage share permissions, access files.
>>
>> I was trying to learn how to manage permissions from Linux, and got
>> to try using smbcacls to do it.
>>
>> To make a long story short, I can use smbcacls like this without
>> errors
>>
>> root at fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache
>> REVISION:1
>> CONTROL:SR|PD|SI|DI|DP
>> OWNER:Unix User\root
>> GROUP:AD\Domain Admins
>> ACL:Unix User\root:ALLOWED/0x0/FULL
>> ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
>> ACL:AD\Domain Users:ALLOWED/OI|CI/READ
>> ACL:AD\Domain Admins:ALLOWED/OI|CI/FULL
>>
>> But as soon as I add the "--sddl" parameter I get an error:
>>
>> root at fileserver:~# smbcacls //fileserver/documenti / --use-winbind-ccache --sddl
>> source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host fileserver!
>> failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
>> O:S-1-22-1-0G:S-1-5-21-2435491250-758963225-146791338-512D:PAI(A;;FA;;;S-1-22-1-0)(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;S-1-5-21-2435491250-758963225-146791338-513)(A;OICI;FA;;;S-1-5-21-2435491250-758963225-146791338-512)
>
> Sorry, but I do not really have a fix for this, but I think I know what
> is going on.
>
> If I run your command on one of my domain joined computers, I get a
> similar output:
>
> smbcacls //cm4nas/nas / --use-winbind-ccache --sddl
> source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host cm4nas!
> failed to lookup domain sid: NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
> O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)(A;;FA;;;S-1-5-21-627072207-2265849604-124128874-513)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)
>
> Which perplexed me, to say the least, until I realised that
> 'S-1-5-21-1616340776-2573415785-2203473196' wasn't my AD domain SID, so
> where is it coming from?
>
> Running 'sudo net getdomainsid' on cm4nas shows me:
>
> SID for local machine CM4NAS is: S-1-5-21-1616340776-2573415785-2203473196
> SID for domain SAMDOM is: S-1-5-21-627072207-2265849604-124128874
>
> It is the SID for the local domain on that machine, but the computer's
> SID in AD is 'S-1-5-21-627072207-2265849604-124128874-2635', so no
> wonder RPC is failing, it appears to be trying to connect to CM4NAS
> instead of SAMDOM.
>
> There is a workaround that I have found, add another switch.
>
> smbcacls //cm4nas.samdom.example.com/nas / --use-winbind-ccache --domain-sid S-1-5-21-627072207-2265849604-124128874 --sddl
> O:S-1-5-21-1616340776-2573415785-2203473196-1001G:S-1-22-2-0D:(A;;FA;;;S-1-5-21-1616340776-2573415785-2203473196-1001)(A;;FA;;;DU)(A;;0x1200a9;;;S-1-22-2-0)(A;;0x1200a9;;;WD)(A;OICIIO;FA;;;CO)(A;OICIIO;0x1200a9;;;CG)(A;OICIIO;0x1200a9;;;WD)
>
> Rowland

Thanks for your answer. Having read about your wrong SID, I checked mine,
and on my system it behaves in a different way:

root at fileserver:~# net getdomainsid
SID for local machine FILESERVER is: S-1-5-21-189810856-3757322669-623707499
SID for domain AD is: S-1-5-21-2435491250-758963225-146791338

These are the SIDs for the file server and the domain.

When I run

smbcacls //fileserver/documenti /share1 --use-winbind-ccache --sddl

it indeed tries to get the SID from the fileserver and not from the DC, it
even says it in the error:

source3/rpc_client/cli_pipe.c:749: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host fileserver!

"Received from host FILESERVER" it says.

But, while you said that the SID that you get back is the one of your file
server (CM4NAS) and not the one of your domain, in my case the SID I get
back is indeed the one for the domain (ending in 1338)

O:S-1-5-21-2435491250-758963225-146791338-500G:S-1-5-21-2435491250-758963225-146791338-513D:PAI(A;OICI;FA;;;S-1-5-21-2435491250-758963225-146791338-512)(A;OICI;0x1601ff;;;S-1-5-21-2435491250-758963225-146791338-1108)

So my behavior is different from yours.

Anyway your suggested workaround works, if I specify the domain SID in the
command line I get the right output.

root at fileserver:~# smbcacls //fileserver/documenti /share1 --use-winbind-ccache --sddl --domain-sid S-1-5-21-2435491250-758963225-146791338
O:LAG:DUD:PAI(A;OICI;FA;;;DA)(A;OICI;0x1601ff;;;S-1-5-21-2435491250-758963225-146791338-1108)

PS: It's not such an issue really, I just wanted to be sure that this was
not a sign of something broken in my domain.

Thanks

--
Fabio Muzzi
Frabetti Consulenza informatica
Linux systems - IT security - VoIP systems
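What `--domain-sid` actually enables, shown as an added Python example (not Samba's code, not from either poster): it abbreviates domain-relative SIDs in an SDDL string to their aliases the way smbcacls does once it knows the domain SID, splits the descriptor into owner, group, DACL flags and ACEs, and lists trustees that belong neither to the domain nor to the well-known set, which is how a local-machine SID such as the one in Rowland's output stands out. The alias tables are a subset of the MS-DTYP well-known SID strings; the sample descriptors are constructed from the raw outputs quoted in the thread.

```python
import re

# Alias tables are a subset of the well-known SID strings in MS-DTYP.
# Domain-relative aliases (LA, DA, DU, ...) need the domain SID to be known.
DOMAIN_RELATIVE = {500: "LA", 501: "LG", 512: "DA", 513: "DU", 514: "DG",
                   515: "DC", 516: "DD", 517: "CA", 518: "SA", 519: "EA", 520: "PA"}
FIXED = {"S-1-1-0": "WD", "S-1-3-0": "CO", "S-1-3-1": "CG", "S-1-5-18": "SY",
         "S-1-5-32-544": "BA", "S-1-5-32-545": "BU"}
SID_RE = re.compile(r"S-1-(?:\d+-)*\d+")
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O:, G:, D:, S: parts
ACE_RE = re.compile(r"\(([^)]*)\)")

def abbreviate_sid(sid, domain_sid=None):
    """Return the SDDL alias for sid, or sid unchanged if it has none."""
    if sid in FIXED:
        return FIXED[sid]
    if domain_sid and sid.startswith(domain_sid + "-"):
        rid = int(sid[len(domain_sid) + 1:])
        return DOMAIN_RELATIVE.get(rid, sid)
    return sid

def abbreviate_sddl(sddl, domain_sid=None):
    """Rewrite every SID in an SDDL string to its alias (what --domain-sid enables)."""
    return SID_RE.sub(lambda m: abbreviate_sid(m.group(0), domain_sid), sddl)

def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL flags and ACE tuples
    (type, flags, rights, object_guid, inherit_guid, trustee)."""
    sections = dict(SECTION_RE.findall(sddl))
    dacl = sections.get("D", "")
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": dacl.split("(", 1)[0],
            "aces": [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]}

def foreign_trustees(sddl, domain_sid):
    """SIDs that are neither well-known nor from domain_sid, e.g. a file server's
    local-machine SID (S-1-5-21-<other>-RID) or a Unix-mapped SID (S-1-22-*)."""
    seen = []
    for sid in SID_RE.findall(sddl):
        if not (sid in FIXED or sid.startswith(domain_sid + "-") or sid in seen):
            seen.append(sid)
    return seen

if __name__ == "__main__":
    # Constructed from the raw descriptor quoted in the thread above.
    DOM = "S-1-5-21-2435491250-758963225-146791338"
    RAW = (f"O:{DOM}-500G:{DOM}-513D:PAI(A;OICI;FA;;;{DOM}-512)"
           f"(A;OICI;0x1601ff;;;{DOM}-1108)")
    print(abbreviate_sddl(RAW, DOM))
```

Running it prints the same `O:LAG:DUD:PAI(...)` form that smbcacls produced once `--domain-sid` was supplied; RID 1108 has no alias and stays a full SID in both.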