This is related to 9278, where the wrong value for the sd_change control is passed to samdb. With an ACL which only has a DACL, the last four bits are set to 0, so the samdb thinks that the whole SD has to be changed, which is not the case, but it could be an acceptable error if the db would reject any malformed SD. To my understanding, an SD must have an owner, group and DACL, and maybe the SACL is optional. In a nutshell, we should check that the SD is valid if we are about to replace the whole SD.
We validate the SD before writing it, see SdFlagsDescriptorTests in source4/dsdb/tests/python/sec_descriptor.py. It seems the bug #9278 is invalid. Mattieu, do you still think we have a problem?
Can't reproduce. The only problem I have now is that if you specify no owner and group in the attribute but specify flags with bits 0 & 1 set, then user and group are set to some default value. I have to check how Windows behaves in this case. In any case, it seems not to be a blocker for 8622.