Problem: GPMC/MMC is crashing when delegation is used to deny policy for user/group

Every time I try to delegate a new or existing GPO to deny a user/group access, the GPO shows errors such as:

The security identification structure is invalid.

The Enterprise Domain Controllers group does not have read rights for this GPO. The Enterprise Domain Controllers group needs to have read rights on all GPOs in the domain for Group Policy Modeling to function correctly.

After that, I can’t use the GPO unless I delete and recreate it, but without trying to delegate permissions to deny permissions to a user or group.

I performed a check mentioned by user @fdavid, which was passed on to me by @scheinig, and tried to locate .NTACL, but there were no records on my server.

And performing a backup with:
samba-tool domain backup offline --targetdir=/var/univention-backup/samba

The same occurs successfully.

Hi agustavo,

thanks for the post. I could reproduce this in my test environment. So something seems to go wrong setting the ntsecuritydescriptor in samba, because this looks crappy after that:

root@dc01:~# ldbsearch -H /var/lib/samba/private/sam.ldb cn="{412030CA-2055-47AE-9501-33DE8CF8EF4A}" nTSecurityDescriptor
# record 1   
dn: CN={412030CA-2055-47AE-9501-33DE8CF8EF4A},CN=Policies,CN=System,DC=schein,DC=me
nTSecurityDescriptor: O:DAG:DAD:PAR(OD;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f93
 9;;S-1-5-21-2716793320-1465740630-2076794319-1118)(A;;;;;S-0-0)(A;;;;;S-0-0)(
 A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;AU)(A;;LCRPRC;;;S-1-5-2
 1-2716793320-1465740630-2076794319-1118)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(
 A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)S:AI(O
 U;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00
 aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0
 de6-11d0-a285-00aa003049e2;WD)

So these entries (A;;;;;S-0-0)(A;;;;;S-0-0) seem to be malformed.
When I remove them via ldbedit, the error message is gone, but that’s not really a user-friendly solution.

So if you want to give it a try manually:
Please use your GPO Signature ID
ldbedit -H /var/lib/samba/private/sam.ldb cn="{412030CA-2055-47AE-9501-33DE8CF8EF4A}" nTSecurityDescriptor
Now you have to manually remove (A;;;;;S-0-0)(A;;;;;S-0-0)
The editor should be vim, so you can move the cursor on these characters and press “x” several times until (A;;;;;S-0-0)(A;;;;;S-0-0) is removed. Make sure not to leave spaces. “:wq” should complete the modification:

"/tmp/ldbedit.70oxPX" 10L, 503B geschrieben
# 0 adds  1 modifies  0 deletes

And now try to open the delegation again.
I created Bug 59142 for this (only accessible if you are logged in to Bugzilla)

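A small check, added here as an example and not taken from this thread or from Univention's or Samba's own tooling, that unfolds an ldbsearch LDIF record and flags the malformed (A;;;;;S-0-0) entries described above before anyone hand-edits the descriptor with ldbedit. The sample record is constructed from the output quoted in this post; the domain name in it is made up.

```python
import re

# Constructed sample modelled on the ldbsearch output quoted above; the GPO GUID
# and SIDs are the ones from the thread, the domain name is invented.
SAMPLE_LDIF = """\
# record 1
dn: CN={412030CA-2055-47AE-9501-33DE8CF8EF4A},CN=Policies,CN=System,DC=example,DC=test
nTSecurityDescriptor: O:DAG:DAD:PAR(OD;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f93
 9;;S-1-5-21-2716793320-1465740630-2076794319-1118)(A;;;;;S-0-0)(A;;;;;S-0-0)(
 A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;LCRPLORC;;;AU)S:AI(OU;CIIOIDSA;WP;
 f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
"""

ACE_RE = re.compile(r"\(([^()]*)\)")  # one SDDL ACE per parenthesised group

def unfold_ldif(text: str) -> dict:
    """Join LDIF continuation lines (leading space) and return attr -> value."""
    attrs = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            attrs[current] += line[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            current, _, value = line.partition(":")
            attrs[current] = value.strip()
    return attrs

def is_malformed_ace(ace: str) -> bool:
    """An SDDL ACE has six ';' fields: type;flags;rights;object-guid;inherited-guid;sid.
    Flag the wrong field count, a missing type/rights/sid, or the null SID S-0-0."""
    fields = ace.split(";")
    if len(fields) != 6:
        return True
    ace_type, _flags, rights, _obj, _inh, sid = fields
    return ace_type == "" or rights == "" or sid == "" or sid == "S-0-0"

def find_malformed_aces(sddl: str) -> list:
    return [ace for ace in ACE_RE.findall(sddl) if is_malformed_ace(ace)]

def strip_malformed_aces(sddl: str) -> str:
    """Return the descriptor with malformed ACEs dropped; everything else untouched."""
    return ACE_RE.sub(lambda m: "" if is_malformed_ace(m.group(1)) else m.group(0), sddl)

if __name__ == "__main__":
    sd = unfold_ldif(SAMPLE_LDIF)["nTSecurityDescriptor"]
    print("malformed ACEs:", find_malformed_aces(sd))
    print(strip_malformed_aces(sd))
```

Pipe real output in with ldbsearch as in the post; the cleaned string is what the descriptor should look like after the manual ldbedit step, so it doubles as a check that no stray spaces were left behind.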

Thank you very much for your help.
I tested it here in my environment and it worked, the error manager stopped being displayed. But if I edit the delegation again, the error occurs again, but even with the correction, the error message continues to appear. Hopefully, we will have a fix soon. Thank you very much for your help.

Hi,

yesterday we released a fix regarding the problem. So with errata 406 (UCS 5.2) the issue should be solved.

https://errata.software-univention.de/#/?erratum=5.2x406


I updated the UCS, and after testing, the tool is working correctly again. Thank you very much.