Bug 9786 - samba-tool dbcheck --reset-well-known-acls needs multiple runs to fix all
Summary: samba-tool dbcheck --reset-well-known-acls needs multiple runs to fix all
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.0.5
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 11924
  Show dependency treegraph
 
Reported: 2013-04-11 12:14 UTC by Marc Muehlfeld
Modified: 2022-08-11 03:28 UTC (History)
0 users

See Also:

Attachments
Output of the three runs of samba-tool dbcheck (57.52 KB, text/plain)
2013-04-11 12:14 UTC, Marc Muehlfeld 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2013-04-11 12:14:28 UTC 
Created attachment 8758 [details]
Output of the three runs of samba-tool dbcheck

I have delegated the CN=Computer container to a group, so members of it can join computers to the domain.

If I switch to 4.0.5 and then run the command
# samba-tool dbcheck --reset-well-known-acls --fix
it fixes many entries. After that, I still see this group on the CN=Computer container in ADUC, but members aren't able to join machines any more to the domain (access denied).

If I run the command for the second time, again three fixes were done (one on CN=Computer again). Now the group was completely removed from the container (and of course can't join with members any more).

If I run the command a third time, it says that nothing is to fix.

Shouldn't be everything fixed at once?
Comment 1 Douglas Bagnall 2022-08-11 03:28:14 UTC 
I'm going to WONTFIX this, because it only matters for upgrading from early 4.0.x, and the workaround of multiple runs seems to work (as per the report).

We're not going to fix it. Thanks nonetheless.