Univention Bugzilla – Bug 50635
reset well known ACL after takeover
Last modified: 2019-12-12 22:21:31 CET
+++ This bug was initially created as a clone of Bug #37624 +++

Samba 4 doesn't currently honor all variants of ACLs for LDAP objects that AD supports and one can't set them using the samba-tools or AD Tools. However, the AD-takeover copies unsupported ACLs over from the Windows DC. In most cases these are then ignored; however, if there are ACLs set on well known containers, Samba might not work correctly.

To fix it one can simply call

    samba-tool dbcheck --yes --fix --reset-well-known-acls

It might make sense to test the output of "samba-tool dbcheck" for the string "nTSecurityDescriptor" and call the above command if the error was detected.

Bug 37624 Comment 2:
> I propose to simply add the switch "--reset-well-known-acls".
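
The check suggested in the bug description, as an added shell example that is not part of the original report or of Univention's code: it runs a read-only "samba-tool dbcheck", looks for the string "nTSecurityDescriptor", and only then calls the fix command. The SAMBA_TOOL variable, the function names, the status words and the "--run" argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report). SAMBA_TOOL is an assumed override
# so the logic can be exercised against a stub instead of a live DC.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Succeeds if the dbcheck output on stdin mentions nTSecurityDescriptor,
# the marker string named in the bug description.
dbcheck_reports_acl_error() {
    grep -q 'nTSecurityDescriptor'
}

# Prints "missing", "clean" or "reset" on stdout; tool output goes to stderr.
reset_well_known_acls_if_needed() {
    if ! command -v "$SAMBA_TOOL" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # Read-only pass first. A non-zero exit status must not abort the
    # check, so the status is ignored and only the output is inspected.
    output=$("$SAMBA_TOOL" dbcheck 2>&1) || true
    printf '%s\n' "$output" >&2
    if printf '%s\n' "$output" | dbcheck_reports_acl_error; then
        echo "reset"
        # Command taken verbatim from the bug description.
        "$SAMBA_TOOL" dbcheck --yes --fix --reset-well-known-acls >&2
    else
        echo "clean"
    fi
}

# Only touch the directory when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    reset_well_known_acls_if_needed
fi
```

Keeping the read-only pass separate means the ACL reset is applied only on systems where the takeover actually left the error behind, and the captured dbcheck output on stderr can be logged as a record of why the reset ran.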