Created attachment 8758 [details] Output of the three runs of samba-tool dbcheck I have delegated the CN=Computer container to a group, so members of it can join computers to the domain. If I switch to 4.0.5 and then run the command # samba-tool dbcheck --reset-well-known-acls --fix it fixes many entries. After that, I still see this group on the CN=Computer container in ADUC, but members aren't able to join machines any more to the domain (access denied). If I run the command for the second time, again three fixes were done (one on CN=Computer again). Now the group was completely removed from the container (and of course can't join with members any more). If I run the command a third time, it says that nothing is to fix. Shouldn't be everything fixed at once?
I'm going to WONTFIX this, because it only matters for upgrading from early 4.0.x, and the workaround of multiple runs seems to work (as per the report). We're not going to fix it. Thanks nonetheless.