Bug 50635 - reset well known ACL after takeover
Status: NEW
Product: UCS
Classification: Unclassified
Component: AD Takeover
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: Samba maintainers
Depends on: 37624
Blocks:
Reported: 2019-12-12 22:05 CET by Nico Stöckigt
Modified: 2019-12-12 22:21 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.046
Enterprise Customer affected?: Yes
Ticket number: 2019121121000249


Description Nico Stöckigt univentionstaff 2019-12-12 22:05:26 CET
+++ This bug was initially created as a clone of Bug #37624 +++

Samba 4 doesn't currently honor all variants of ACLs for LDAP objects that AD supports and one can't set them using the samba-tools or AD Tools. However, the AD-takeover copies unsupported ACLs over from the Windows DC. In most cases these are then ignored; however, if there are ACLs set on well known containers, Samba might not work correctly.

To fix it one can simply call 
samba-tool dbcheck --yes --fix --reset-well-known-acls

It might make sense to test the output of "samba-tool dbcheck" for the string "nTSecurityDescriptor" and call the above command if the error was detected.
Comment 1 Arvid Requate univentionstaff 2019-12-12 22:21:31 CET
Bug 37624 Comment 2:

> I propose to simply add the switch "--reset-well-known-acls".
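
The conditional reset suggested in the description, written out as an added example (not Univention's or Samba's code): it runs "samba-tool dbcheck", looks for "nTSecurityDescriptor", applies the reset only when the string appears, and checks again afterwards. The SAMBA_TOOL variable, the function names, the status words and the "--run" argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not code from Univention or Samba. Only the two samba-tool
# invocations and the search string come from the bug report.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # assumption: overridable for testing

# Succeeds if the dbcheck output on stdin mentions nTSecurityDescriptor.
needs_acl_reset() {
    grep -q 'nTSecurityDescriptor'
}

# Check first, reset only when flagged, then check again.
# Prints "clean", "reset" or "still-flagged" (hypothetical status words).
reset_well_known_acls_if_needed() {
    # dbcheck may exit non-zero when it reports errors; only its text matters here.
    before=$("$SAMBA_TOOL" dbcheck 2>&1) || true
    if ! printf '%s\n' "$before" | needs_acl_reset; then
        echo "clean"
        return 0
    fi
    # Record what was flagged before anything is changed.
    printf '%s\n' "$before" | grep 'nTSecurityDescriptor' >&2
    "$SAMBA_TOOL" dbcheck --yes --fix --reset-well-known-acls >/dev/null 2>&1 || true
    # Verify: the finding should be gone after the reset.
    after=$("$SAMBA_TOOL" dbcheck 2>&1) || true
    if printf '%s\n' "$after" | needs_acl_reset; then
        echo "still-flagged"
        return 1
    fi
    echo "reset"
}

# Run only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    reset_well_known_acls_if_needed
fi
```

The flagged lines go to stderr so they can be kept in the takeover log; a "still-flagged" result means the reset did not clear the finding and needs manual review.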