We only need security.SEC_STD_READ_CONTROL in order to get the ACL. We should avoid security.SEC_FLAG_MAXIMUM_ALLOWED, otherwise we may get NT_STATUS_SHARING_VIOLATION when we run 'samba-tool domain backup online' against a Windows DC. Windows DCs have hidden folders for the NtFrs or Dfsr services, which are locked by the running service.
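The following is an added example, not part of the bug report or of Samba's code: a simplified model of the server-side open check, showing why a least-privilege mask avoids the sharing conflict described above. The function names, the sample DACL value and the one-directional share check are assumptions made for illustration; the access-mask constants are the standard NT values.

```python
# Simplified model of an NT open check (illustration only, not Samba or Windows code).
SEC_STD_DELETE = 0x00010000
SEC_STD_READ_CONTROL = 0x00020000
SEC_FLAG_MAXIMUM_ALLOWED = 0x02000000
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_EXECUTE = 0x1, 0x2, 0x4, 0x20
FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE = 0x1, 0x2, 0x4

# Constructed sample: rights the DACL grants a domain admin (FILE_ALL_ACCESS).
ADMIN_DACL = 0x001F01FF
# Constructed sample: a service holding the folder open with no sharing at all.
LOCKED_BY_SERVICE = 0


def resolve(desired, dacl_allows):
    """Expand MAXIMUM_ALLOWED into every right the DACL grants the caller."""
    if desired & SEC_FLAG_MAXIMUM_ALLOWED:
        return (desired & ~SEC_FLAG_MAXIMUM_ALLOWED) | dacl_allows
    return desired


def share_needs(access):
    """Share bits the existing opener must have granted for this access.

    Only data, execute and delete rights take part in share-mode checks;
    READ_CONTROL and attribute access do not.
    """
    needs = 0
    if access & (FILE_READ_DATA | FILE_EXECUTE):
        needs |= FILE_SHARE_READ
    if access & (FILE_WRITE_DATA | FILE_APPEND_DATA):
        needs |= FILE_SHARE_WRITE
    if access & SEC_STD_DELETE:
        needs |= FILE_SHARE_DELETE
    return needs


def open_status(desired, dacl_allows, existing_share_mode):
    """Return the NT status a second opener would see (hypothetical helper)."""
    access = resolve(desired, dacl_allows)
    if access & ~dacl_allows:
        return "NT_STATUS_ACCESS_DENIED"
    if share_needs(access) & ~existing_share_mode:
        return "NT_STATUS_SHARING_VIOLATION"
    return "NT_STATUS_OK"


if __name__ == "__main__":
    for name, mask in (("MAXIMUM_ALLOWED", SEC_FLAG_MAXIMUM_ALLOWED),
                       ("READ_CONTROL", SEC_STD_READ_CONTROL)):
        print(name, open_status(mask, ADMIN_DACL, LOCKED_BY_SERVICE))
```

The more rights the caller holds, the more likely MAXIMUM_ALLOWED is to collide with an exclusive open, which is why it bites a backup run with administrative credentials.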
Fixed in master with 15032ec6df1abbb53f1b1d5377aab369f83ae707 for Samba 4.11. Leaving open for a backport to 4.10.
Created attachment 15211: patch backported from master
Comment on attachment 15211 (patch backported from master): This is for 4.9 and 4.10
Pushed to autobuild-v4-{10,9}-test.
(In reply to Karolin Seeger from comment #4) Pushed to both branches. Closing out bug report. Thanks!