Univention Bugzilla – Bug 54360
Traceback in samba-tool dbcheck --reset-well-known-acls
Last modified: 2023-12-13 13:12:39 CET
In a standard UCS environment, the user group "DnsAdmins" is created by default in CN=Groups,dc=example,dc=com. Samba (and also Windows) expects this group in CN=Groups,dc=example,dc=com. This causes the samba-tool dbcheck --reset-well-known-acls command to fail:

Checking 227 objects
Unknown sddl sid code 'Dn'
ERROR(<class 'TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dbcheck.py", line 173, in run
    controls=controls, attrs=attrs)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 260, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 2489, in check_object
    well_known_sd = self.get_wellknown_sd(dn)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 2313, in get_wellknown_sd
    name_map=self.name_map))
  File "/usr/lib/python3/dist-packages/samba/descriptor.py", line 394, in get_dns_domain_microsoft_dns_descriptor
    return sddl2binary(sddl, domain_sid, name_map)
  File "/usr/lib/python3/dist-packages/samba/descriptor.py", line 44, in sddl2binary
    sec = security.descriptor.from_sddl(sddl, domain_sid)
Correction: In a standard Active Directory, the "cn=DnsAdmins" group lives in "CN=Users,dc=example,dc=com". And that path is unfortunately hardcoded in samba-tool's "dbchecker.py", which leads to the mentioned traceback when run with "--reset-well-known-acls" on a UCS system.
Created attachment 10911 [details]
bug54360.patch

Thanks for reporting. I never used the "--reset-well-known-acls" until now. If you have more information regarding your use case, feel free to contact me via email, sounds interesting. The attached patch fixed the problem for me (I developed it on a VM by just editing /usr/lib/python3/dist-packages/samba/dbchecker.py). I made it more generic, so the group can be positioned anywhere. Maybe we should limit it to a "domain scope" search.
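Added illustration, not part of this report or of the attached bug54360.patch: a small Python model of the two lookups the comments contrast. It shows why a BASE-scope read of the hardcoded "CN=DnsAdmins,CN=Users,<domain>" leaves the symbolic name "DnsAdmins" in the well-known SDDL (the parser then reports the first two letters as the unknown SID code 'Dn', as in the traceback), and how a subtree search limited to the domain DN resolves the group wherever it was created. The in-memory directory, the SIDs, the SDDL string and all function names are constructed for the example; the dict stands in for a SamDB search and is not the samba API.

```python
"""Model of the DnsAdmins lookup behind `samba-tool dbcheck --reset-well-known-acls`.

Everything here is constructed for illustration: the directory dict replaces a
SamDB search, SIDs and the SDDL are sample values, function names are hypothetical.
"""

# Constructed UCS-style sample: DnsAdmins lives under CN=Groups, not CN=Users.
DOMAIN_DN = "DC=example,DC=com"
SAMPLE_DIRECTORY = {
    "CN=DnsAdmins,CN=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "sAMAccountName": "DnsAdmins",
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1101",
    },
    "CN=Domain Admins,CN=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "sAMAccountName": "Domain Admins",
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-512",
    },
    # Same-named group in a different domain: a domain-scoped search must ignore it.
    "CN=DnsAdmins,CN=Users,DC=other,DC=test": {
        "objectClass": ["top", "group"],
        "sAMAccountName": "DnsAdmins",
        "objectSid": "S-1-5-21-9999999999-8888888888-7777777777-1101",
    },
}

# Constructed to resemble the MicrosoftDNS well-known descriptor: the trustee of the
# first ACE is the symbolic name DnsAdmins, which must become a SID before parsing.
WELLKNOWN_SDDL = "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DnsAdmins)(A;;RPLCLORC;;;AU)"
SDDL_SID_ALIASES = {"DA", "AU", "SY", "BA", "EA", "WD"}  # subset of two-letter aliases


def lookup_hardcoded(directory, domain_dn):
    """BASE-scope read of one fixed DN: the behaviour the report describes."""
    entry = directory.get("CN=DnsAdmins,CN=Users,%s" % domain_dn)
    return entry["objectSid"] if entry else None


def lookup_domain_scoped(directory, domain_dn):
    """Subtree search below the domain DN for a group named DnsAdmins."""
    suffix = "," + domain_dn.lower()
    for dn, attrs in directory.items():
        if not dn.lower().endswith(suffix):
            continue  # objects of other domains are out of scope
        if "group" in attrs["objectClass"] and attrs["sAMAccountName"] == "DnsAdmins":
            return attrs["objectSid"]
    return None


def build_name_map(directory, domain_dn, lookup):
    """Symbolic name -> SID mapping, only filled when the group was found."""
    sid = lookup(directory, domain_dn)
    return {"DnsAdmins": sid} if sid else {}


def substitute_names(sddl, name_map):
    """Textual replacement of symbolic names in the SDDL string."""
    for name, sid in name_map.items():
        sddl = sddl.replace(name, sid)
    return sddl


def check_trustees(sddl):
    """Minimal stand-in for the SDDL parser's trustee check.

    Each ACE is "(type;flags;rights;object;inherit;trustee)". A trustee must be a
    literal SID or a two-letter alias; anything else fails with the message shape
    seen in the traceback ('Dn' = first two letters of the unresolved 'DnsAdmins').
    Returns the list of trustees on success.
    """
    trustees = []
    for ace in sddl.split("(")[1:]:
        trustee = ace.rstrip(")").split(";")[5]
        if not (trustee.startswith("S-1-") or trustee in SDDL_SID_ALIASES):
            raise ValueError("Unknown sddl sid code %r" % trustee[:2])
        trustees.append(trustee)
    return trustees


def reset_well_known_acl(directory, domain_dn, lookup):
    """Resolve, substitute, then parse; returns the trustee list or the error text."""
    name_map = build_name_map(directory, domain_dn, lookup)
    try:
        return check_trustees(substitute_names(WELLKNOWN_SDDL, name_map))
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("hardcoded    :", reset_well_known_acl(SAMPLE_DIRECTORY, DOMAIN_DN, lookup_hardcoded))
    print("domain-scoped:", reset_well_known_acl(SAMPLE_DIRECTORY, DOMAIN_DN, lookup_domain_scoped))
```

Running it prints the 'Dn' error for the hardcoded lookup and the resolved trustee list for the domain-scoped one. The suffix check on the domain DN is what the comment's "domain scope" idea amounts to: a group with the same sAMAccountName in another domain (the third sample entry) is not picked up, while the group's position inside the domain no longer matters.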
Also happening with 5.0-0. The customer will need the default ACLs on his environment to use Citrix. The well-known ACLs changed during the course of time, but we do not update the domain level and ACLs by the default update process.