Bug 9786 – samba-tool dbcheck --reset-well-known-acls needs multiple runs to fix all

Bug 9786 - samba-tool dbcheck --reset-well-known-acls needs multiple runs to fix all


Summary:	samba-tool dbcheck --reset-well-known-acls needs multiple runs to fix all

Status:	NEW

Product:	Samba 4.0
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB
Version:	4.0.5
Hardware:	x64 Linux

Importance:	P5 normal
Target Milestone:	---
Assigned To:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	11924
	Show dependency tree / graph

Reported:	2013-04-11 12:14 UTC by Marc Muehlfeld
Modified:	2016-06-07 16:12 UTC (History)
CC List:	0 users

See Also:

Attachments
Output of the three runs of samba-tool dbcheck (57.52 KB, text/plain) 2013-04-11 12:14 UTC, Marc Muehlfeld	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marc Muehlfeld 2013-04-11 12:14:28 UTC

Created attachment 8758 [details]
Output of the three runs of samba-tool dbcheck

I have delegated the CN=Computer container to a group, so members of it can join computers to the domain.

If I switch to 4.0.5 and then run the command
# samba-tool dbcheck --reset-well-known-acls --fix
it fixes many entries. After that, I still see this group on the CN=Computer container in ADUC, but members aren't able to join machines any more to the domain (access denied).

If I run the command for the second time, again three fixes were done (one on CN=Computer again). Now the group was completely removed from the container (and of course can't join with members any more).

If I run the command a third time, it says that nothing is to fix.

Shouldn't be everything fixed at once?