While inheriting ACEs from a parent AD object to a child object, we need to check if generic rights and/or special SIDs, e.g. Creator Owner, need to be expanded. In AD DS ACLs we can have ACEs which apply only to specific Attributes/PropertySets (a group of attributes) and/or to specific object classes. Using adprep 2016 means each object inherits an ACE for Creator Owner from the Domain object, but this ACE should only apply to computer objects. But we clear the INHERIT_ONLY flag and expand the Creator Owner SID on all objects. This was found by a check in dbcheck, which is supposed to fix a similar problem we had in the past.
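A simplified model of the inheritance step described in the report above, added here as an example; it is not Samba's code. Class names stand in for schema GUIDs, generic-rights mapping is left out, and the `buggy` switch, the sample ACL, the mask and the owner SID are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# ACE flag values as defined in MS-DTYP
CONTAINER_INHERIT = 0x02
INHERIT_ONLY = 0x08
INHERITED = 0x10
CREATOR_OWNER = "S-1-3-0"


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    flags: int
    # Class the ACE is meant for; a name stands in for the schema GUID here.
    inherited_object_type: Optional[str] = None


def inherit(parent_acl, child_class, owner_sid, buggy=False):
    """Return the inherited part of a child's DACL (simplified model)."""
    out = []
    for ace in parent_acl:
        if not ace.flags & CONTAINER_INHERIT:
            continue
        applies = ace.inherited_object_type in (None, child_class)
        if not applies and not buggy:
            # Wrong class: pass through for descendants only, unexpanded.
            out.append(replace(ace, flags=ace.flags | INHERITED | INHERIT_ONLY))
            continue
        if ace.trustee == CREATOR_OWNER:
            # Effective copy for this object's owner ...
            out.append(replace(ace, trustee=owner_sid, flags=INHERITED))
            # ... plus the unexpanded ACE kept for further propagation.
            out.append(replace(ace, flags=ace.flags | INHERITED | INHERIT_ONLY))
        else:
            out.append(replace(ace, flags=(ace.flags | INHERITED) & ~INHERIT_ONLY))
    return out


def effective_trustees(acl):
    """SIDs that actually receive access on this object."""
    return {a.trustee for a in acl if not a.flags & INHERIT_ONLY}


# Constructed sample: a domain-level ACE for Creator Owner, computers only.
DOMAIN_ACL = [Ace(CREATOR_OWNER, 0x08, CONTAINER_INHERIT | INHERIT_ONLY, "computer")]
OWNER = "S-1-5-21-1-2-3-1104"  # constructed owner SID
```

With `buggy=True` the owner of a non-computer object ends up in `effective_trustees`, which is the condition the report describes; with the default, only computer objects get the expanded ACE.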
This bug was referenced in samba master: 7b0d5285361e6dc40e09bc0d36bb2aae5d5a86a7 e0a8e043d339cf5e1c9b2643e6d151ab2ae81c05 2436d621d1940f127f164ca227a14b1d9b573eb5 6de4849f9cacbe7e08834fa340a70f7aebe9e6f9 731c85add116b8ab192d9a2d3bc56296635a226d a0217c50e920557046628bb171f2addea2ad7416 bb09c06d6d58a04e1d270a9f99d1179cfa9acbda
Created attachment 17860 [details] Patches for v4-18-test
Created attachment 17861 [details] Patch for v4-17-test (without tests)
Comment on attachment 17860 [details] Patches for v4-18-test

Tests now fail with:

Exception: Exception: Traceback (most recent call last):
  File "/data/samba/source4/dsdb/tests/python/sec_descriptor.py", line 195, in setUp
    self.deleteAll()
  File "/data/samba/source4/dsdb/tests/python/sec_descriptor.py", line 187, in deleteAll
    self.sd_utils.dacl_delete_aces(self.schema_dn, mod)
AttributeError: 'SDUtils' object has no attribute 'dacl_delete_aces'

I think this depends on some of the commits from https://gitlab.com/samba-team/samba/-/merge_requests/2983.
Created attachment 17874 [details] Patch for v4-18-test (without tests)
Created attachment 17875 [details] Patch for v4-17-test (without tests)
(In reply to Joseph Sutton from comment #4) I think it's easier to also skip the tests for 4.18
Pushed to autobuild-v4-{18,17}-test.
This bug was referenced in samba v4-18-test: 2a20fbdbd7860582f332d8e38dbca2446e2bf0fa
This bug was referenced in samba v4-17-test: 65168f33f95906b2c9fb38465c8ab2e799d3942d
Closing out bug report. Thanks!
This bug was referenced in samba v4-17-stable (Release samba-4.17.8): 65168f33f95906b2c9fb38465c8ab2e799d3942d
This bug was referenced in samba v4-18-stable (Release samba-4.18.3): 2a20fbdbd7860582f332d8e38dbca2446e2bf0fa