Mapping the "Domain Admins" group to a gidNumber in an rfc2307-provisioned domain breaks the `samba-tool ntacl sysvolcheck` command.

Steps to reproduce:

1. Provision a new domain with "--use-rfc2307"
2. Map "Administrator" to uidNumber 10000 (ldbedit -H /var/lib/samba/private/sam.ldb)
3. Map "Domain Admins" to any gidNumber (such as 10000)
4. net cache flush
5. systemctl restart samba-ad-dc
6. "samba-tool ntacl sysvolcheck" fails:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/lab.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

-> sysvolreset remains functional and the "sysvol" is working as expected.
This is the ACL after a sysvolreset:

# file: var/lib/samba/sysvol/
# owner: 10000
# group: 3000000
user::rwx
user:10000:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:10000:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

And FYI, this is the smb.conf (default):

[global]
	netbios name = DC1
	realm = LAB.LAN
	server role = active directory domain controller
	workgroup = LAB
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/lab.lan/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

This is with Samba 4.7.4 on Debian Buster.
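To see exactly where the two descriptors in the sysvolcheck error disagree, here is an added Python example (not part of the report or of Samba) that parses both SDDL strings and diffs them component by component; the two strings are copied from the error message in the report.

```python
import re

# The two descriptors from the sysvolcheck error above: what the DB/filesystem
# ACL on the GPO directory held vs. what Samba expected from the GPO object.
ACTUAL_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# Field order of one ACE inside "(...)" in SDDL.
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE list.

    Only the O:/G:/D: layout used in the error above is handled (no S: SACL).
    """
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([^(]*)((?:\([^)]*\))*)", sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = [dict(zip(ACE_FIELDS, ace.split(";")))
            for ace in re.findall(r"\(([^)]*)\)", ace_blob)]
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}


def diff_sddl(actual, expected):
    """Return (component, actual, expected) triples for every part that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(key, a[key], e[key])
             for key in ("owner", "group", "dacl_flags") if a[key] != e[key]]
    if a["aces"] != e["aces"]:
        diffs.append(("aces", a["aces"], e["aces"]))
    return diffs


if __name__ == "__main__":
    # For the report's strings only the owner differs: LA (the well-known SDDL
    # alias for the local Administrator account) vs. DA (Domain Admins).
    for component, got, want in diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL):
        print("%s: got %s, expected %s" % (component, got, want))
```

The DACL, group and protection flag are identical in both strings; the only mismatch is the owner, which is what the uidNumber/gidNumber mapping changes.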
*** This bug has been marked as a duplicate of bug 9483 ***