Bug 13530 - samba-tool gpo aclcheck always fails
Summary: samba-tool gpo aclcheck always fails
Status: NEEDINFO
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.8.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-14 13:17 UTC by Laurent Bigonville
Modified: 2022-09-08 04:05 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Laurent Bigonville 2018-07-14 13:17:12 UTC
Hi,

With samba 4.8.2 (debian unstable) samba-tool gpo aclcheck always fails with the following error:

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]


This is reported in debian BTS since 2014, so that's not new https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742182
Comment 1 Mathieu Parent 2019-02-26 21:45:25 UTC
Dup of bug #11613, please close.
Comment 2 Laurent Bigonville 2019-02-27 07:55:36 UTC
Hello,

Are you sure?

I was able to reproduce this in 4.8.2, while it seems that bug #11613 was fixed in 4.3-4.4
Comment 3 Louis 2019-02-27 13:15:03 UTC
This is still seen on 4.8.9, i've just update my DC now to 4.9.4 and checked both. 
Samba 4.8.9 and 4.9.4 still have this bug. 

And in my optioniont his is not a duplicate, there is some work going on at the moment on GPO and acls.
Comment 4 Douglas Bagnall 2022-09-08 04:05:29 UTC
After this commit (4.11+, I'd guess):

https://gitlab.com/samba-team/samba/-/commit/5bfad1b2b08031b99834c9ca39c1900d52c8eb0d

the traceback will be gone, and you'll see instead:

ERROR: Could not read nTSecurityDescriptor. This requires an Administrator account

Now, whether there's an underlying issue (i.e. admin lacks an nTSecurityDescriptor) that this misses, I don't know, due to the lack of information.