Bug 54360 - Traceback in samba-tool dbcheck --reset-well-known-acls
Traceback in samba-tool dbcheck --reset-well-known-acls
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Reported: 2022-01-19 16:33 CET by Daniel Duchon
Modified: 2023-12-13 13:12 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022011921000338, 2023120421000031
Bug group (optional):
Max CVSS v3 score:


Attachments
bug54360.patch (1.01 KB, patch)
2022-02-03 10:59 CET, Arvid Requate

Description Daniel Duchon univentionstaff 2022-01-19 16:33:27 CET
In a standard UCS environment, the user group "DnsAdmins" is created by default in CN=Groups,dc=example,dc=com.
Samba (and also Windows) expects this group in CN=Groups,dc=example,dc=com.


This causes the samba-tool dbcheck --reset-well-known-acls command to fail:

Checking 227 objects
Unknown sddl sid code 'Dn'
ERROR(<class 'TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dbcheck.py", line 173, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 260, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 2489, in check_object
    well_known_sd = self.get_wellknown_sd(dn)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 2313, in get_wellknown_sd
    name_map=self.name_map))
  File "/usr/lib/python3/dist-packages/samba/descriptor.py", line 394, in get_dns_domain_microsoft_dns_descriptor
    return sddl2binary(sddl, domain_sid, name_map)
  File "/usr/lib/python3/dist-packages/samba/descriptor.py", line 44, in sddl2binary
    sec = security.descriptor.from_sddl(sddl, domain_sid)
Comment 1 Markus Dählmann 2022-02-02 17:43:14 CET
Correction: In a standard Active Directory, the "cn=DnsAdmins" group lives in "CN=Users,dc=example,dc=com".
And that path is unfortunately hardcoded in samba-tool's "dbchecker.py", which leads to the mentioned traceback when run with "--reset-well-known-acls" on a UCS system.
Comment 2 Arvid Requate univentionstaff 2022-02-03 10:59:53 CET
Created attachment 10911 [details]
bug54360.patch

Thanks for reporting. I never used the "--reset-well-known-acls" until now.
If you have more information regarding your use case, feel free to contact me via email, sounds interesting.

The attached patch fixed the problem for me (I developed it on a VM by just editing /usr/lib/python3/dist-packages/samba/dbchecker.py). I made it more generic, so the group can be positioned anywhere. Maybe we should limit it to a "domain scope" search.
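As an added illustration (not Samba's code and not the attached patch), a constructed in-memory model of the name_map substitution behind the traceback: the SDDL template names DnsAdmins as a placeholder, a lookup of the hardcoded CN=Users DN finds nothing when the group lives under CN=Groups, so the placeholder survives into the parser and is read as the two-letter code 'Dn', while a sAMAccountName search limited to the domain base resolves it. The SDDL string, directory entries and SIDs are constructed, and KNOWN_SID_CODES is only a subset of the real abbreviations.

```python
import re

# Constructed stand-in for the SDDL template Samba applies to the DNS partition
# (simplified model, not Samba's own code): "DnsAdmins" is a placeholder that
# must be replaced by the group's SID before the string reaches the SDDL parser.
DNS_DOMAIN_SDDL = ("O:SYG:BAD:AI(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;DnsAdmins)"
                   "(A;CI;RPLCLORC;;;AU)")
# Two-letter well-known trustee abbreviations an SDDL parser accepts (subset).
KNOWN_SID_CODES = {"SY", "BA", "AU", "DA", "EA", "WD", "CO", "DU", "ED", "LA"}
# Constructed directory: DnsAdmins sits under CN=Groups, as on UCS.
DIRECTORY = [
    {"dn": "CN=Domain Admins,CN=Groups,DC=example,DC=com",
     "sAMAccountName": "Domain Admins", "objectSid": "S-1-5-21-1-2-3-512"},
    {"dn": "CN=DnsAdmins,CN=Groups,DC=example,DC=com",
     "sAMAccountName": "DnsAdmins", "objectSid": "S-1-5-21-1-2-3-1101"},
]
ACE_RE = re.compile(r"\(([^)]*)\)")

def lookup_by_dn(directory, dn):
    """Base-scope lookup of one hardcoded DN (the behaviour the report describes)."""
    return [o for o in directory if o["dn"].lower() == dn.lower()]

def lookup_group_by_name(directory, name, base):
    """Subtree search by sAMAccountName, limited to the domain's base DN."""
    return [o for o in directory
            if o["sAMAccountName"].lower() == name.lower()
            and o["dn"].lower().endswith(base.lower())]

def unresolved_trustees(sddl, name_map):
    """Apply name_map, then list trustees the SDDL parser would reject.
    An unreplaced placeholder is read as a two-letter code, hence the
    "Unknown sddl sid code 'Dn'" message in the traceback.
    """
    for name, sid in name_map.items():
        sddl = sddl.replace(name, sid)
    bad = []
    for ace in ACE_RE.findall(sddl):
        trustee = ace.split(";")[5]  # sixth ACE field is the account SID
        if not (trustee.startswith("S-1-") or trustee in KNOWN_SID_CODES):
            bad.append(trustee)
    return bad

def check_wellknown_sddl(directory, base, hardcoded):
    """Build the DnsAdmins name_map either way and report unresolved trustees."""
    if hardcoded:
        matches = lookup_by_dn(directory, "CN=DnsAdmins,CN=Users," + base)
    else:
        matches = lookup_group_by_name(directory, "DnsAdmins", base)
    name_map = {"DnsAdmins": matches[0]["objectSid"]} if matches else {}
    return unresolved_trustees(DNS_DOMAIN_SDDL, name_map)
```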
Comment 3 Christina Scheinig univentionstaff 2023-12-13 13:12:39 CET
Also happening with 5.0-0
The customer will need the default ACLs in his environment to use Citrix. The well-known ACLs changed over the course of time, but we do not update the domain level and ACLs in the default update process.