With samba 4.8.2 (debian unstable) samba-tool gpo aclcheck always fails with the following error:
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
ds_sd_ndr = m['nTSecurityDescriptor']
This is reported in debian BTS since 2014, so that's not new https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742182
Dup of bug #11613, please close.
Are you sure?
I was able to reproduce this in 4.8.2, while it seems that bug #11613 was fixed in 4.3-4.4
This is still seen on 4.8.9, i've just update my DC now to 4.9.4 and checked both.
Samba 4.8.9 and 4.9.4 still have this bug.
And in my optioniont his is not a duplicate, there is some work going on at the moment on GPO and acls.
After this commit (4.11+, I'd guess):
the traceback will be gone, and you'll see instead:
ERROR: Could not read nTSecurityDescriptor. This requires an Administrator account
Now, whether there's an underlying issue (i.e. admin lacks an nTSecurityDescriptor) that this misses, I don't know, due to the lack of information.