When replicating between DCs, I've hit a few times, on different domains, a blocking replication issue related to an incorrect security descriptor (still there in 4.4.4). When replicating an object, one may get the error below: "ldb: descriptor_modify: Could not find SD for". Note: the DN mentioned here is actually the PARENT of the entry being replicated at that moment.

Most of the time, you can get around it by moving the entry, deleting the parent object and recreating it, and putting the entry back into the OU, or, in the case of a GPO, exporting and recreating. An extreme way of resolving is to re-import all the But it is not very convenient and not satisfactory.

The problem seems to be related to SD inheritance calculation (disabling inheritance on the entry bypasses the issue). I am not sure if the bug that creates that issue is still in master, but it was at least in 4.3.0. And I have no clue what triggers this issue either (sorry for the lousy bug report). The only place I can see the "descriptor_modify: Could not find SD for" is in ./source4/dsdb/samdb/ldb_modules/descriptor.c line 779.

I'll be glad to give any more information, and a sample of the SD hierarchy, if someone is interested in diving into this one.

[2016/04/18 16:06:16.998291, 6] ../libcli/security/create_descriptor.c:256(process_user_acl)
  ../libcli/security/create_descriptor.c:256: acl revision 4
[2016/04/18 16:06:16.998358, 6] ../libcli/security/create_descriptor.c:256(process_user_acl)
  ../libcli/security/create_descriptor.c:256: acl revision 4
[2016/04/18 16:06:16.998844, 1] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: descriptor_modify: Could not find SD for CN={945CAECE-A8E6-4A95-B573-F3C98259425D},CN=Policies,CN=System,DC=domaine,DC=fr
[2016/04/18 16:06:16.999808, 0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit)
  ../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
[2016/04/18 16:06:17.001556, 0] ../source4/dsdb/repl/drepl_out_helpers.c:773(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
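
For triage, the parent DNs named in these errors can be pulled out of a DC's log and matched against the replication commit failures that follow them. This is an added example, not part of the original report or of Samba; the sample text is constructed in the flattened form of the excerpt above, the DN is a placeholder, and the function names and the 2-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, flattened onto one line like the excerpt above; the DN is a placeholder.
SAMPLE = (
    "[2016/04/18 16:06:16.998358, 6] ../libcli/security/create_descriptor.c:256(process_user_acl) "
    "../libcli/security/create_descriptor.c:256: acl revision 4 "
    "[2016/04/18 16:06:16.998844, 1] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug) "
    "ldb: descriptor_modify: Could not find SD for CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=example,DC=test "
    "[2016/04/18 16:06:16.999808, 0] ../source4/dsdb/repl/replicated_objects.c:818(dsdb_replicated_objects_commit) "
    "../source4/dsdb/repl/replicated_objects.c:818 Failed to prepare commit of transaction: operations error "
    "[2016/04/18 16:06:17.001556, 0] ../source4/dsdb/repl/drepl_out_helpers.c:773(dreplsrv_op_pull_source_apply_changes_trigger) "
    "Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE"
)

# Entry header: "[timestamp, level] file:line(function)"; the message runs to the next header.
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+\S+:\d+\((\w+)\)")
SD_MISSING = re.compile(r"descriptor_modify: Could not find SD for (.+)")
COMMIT_FAIL = re.compile(r"Failed to (?:prepare commit of transaction|commit objects)")

def parse_entries(text):
    """Split flattened or multi-line log text into (time, level, function, message)."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        when = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S.%f")
        yield when, int(h.group(2)), h.group(3), " ".join(text[h.end():end].split())

def find_blocked_parents(text, window=timedelta(seconds=2)):
    """Report each parent DN with a missing SD and whether a commit failure followed."""
    entries = list(parse_entries(text))
    findings = []
    for i, (when, _level, _func, msg) in enumerate(entries):
        m = SD_MISSING.search(msg)
        if not m:
            continue
        # A commit failure logged shortly afterwards means this object stalled the pull.
        failed = any(COMMIT_FAIL.search(e[3]) and e[0] - when <= window
                     for e in entries[i + 1:])
        findings.append({"parent_dn": m.group(1), "time": when,
                         "blocked_replication": failed})
    return findings

if __name__ == "__main__":
    for f in find_blocked_parents(SAMPLE):
        print(f["time"], f["parent_dn"], "blocked" if f["blocked_replication"] else "logged only")
```

Because the message is taken as everything up to the next entry header, DNs that contain spaces are captured whole.
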
Checking on master would be a big help, due to the things we have recently fixed in replication, particularly in strictly enforcing object paternity.
Created attachment 12267: diagnostic patch

Running with this patch may give better information.
Any news on what the underlying error is, using my patch?
This bug looks entirely due to the missing parent issues we sorted out a while back. Without the parent, it just wouldn't be able to recursively calculate the security descriptor.