Hello, I was playing around with permissions on the directory in my test environment and saw the following: In ADUC I added a group (Account Operators) to the security tab of the container CN=System (default permissions: read). Then I ran

# samba-tool dbcheck --reset-well-known-acls --fix
Checking 867 objects
Reset nTSecurityDescriptor on CN=System,DC=muc,DC=medizinische-genetik,DC=de back to provision default?
Part dacl is different between reference and current here is the detail:
(A;;RPLCRC;;;AO) ACE is not present in the reference
 [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=System,DC=muc,DC=medizinische-genetik,DC=de'
Checked 867 objects (1 errors)

This is correct. On CN=System there is something that isn't default, and I let samba-tool fix it to reset it to its original state. In ADUC, the group I had added is gone now. Also correct.

But now I add the same group, but just to CN=RpcServices,CN=System. Now dbcheck finds nothing to reset:

# samba-tool dbcheck --reset-well-known-acls --fix
Checking 867 objects
Checked 867 objects (0 errors)

I have no way to get back to the initial state if I don't remember what changes I made in that subtree.
Changes that are detected by 'reset-well-known-acls' and can be reset to their defaults are on the following containers:
- All self-created OUs
- Users
- Computers
- Builtin
- Domain Controllers

Not detected are ACL changes on (and below):
- ForeignSecurityPrincipals
- LostAndFound
- Program Data
- System
- NTDS Quotas
Correct, this tool was only designed to correct the situation where the wrong ACL was applied by default to releases before 4.0.4. We reset the ACLs that are initialised as specific values on specific distinguished names, but we don't reset ACLs that default from the schema. The samba_upgradeprovision code has code to do this, and indeed the reason I started to mistrust it was that it was doing so by default, due to an error detecting the Samba versions.
I'm sorry. Then I misunderstood the parameter. Thanks for clarifying. I interpreted the --help to mean that it would reset all ACLs back to default, especially because changes I made (like delegations) were also removed. Maybe you can add some more information to the --help output to make it clearer, or add this parameter with your description to the 'samba-tool' man page.
This bug was referenced in samba master: 6b1b5eade2ff32200ad4c543dfb1543d5bd897ef