OU permission delegation for User/InetOrgPerson objects
tass2001 at hotmail.com
Tue Aug 2 21:25:41 MDT 2011
I am currently running Samba 4.0.0alpha15-UNKNOWN in Ubuntu and Samba 4.0.0alpha17-GIT-3ce1894 in Slackware 13.37. Both OSs have their drives mounted with ACL and user_xattr params. The issue is as follows. I created a Security group, named it 'IT', created a user called 'IT User' and added it to the IT group. I then delegated control over an OU from the Administrator account using Microsoft RSAT and gave the 'IT' group permissions to read/write all attributes, set passwords and create/delete user account objects. I then loaded RSAT as 'IT User', tried to create a user object and got the following error on both versions of Samba 4.0: http://i52.tinypic.com/zyfqkl.png. I then went back and delegated "Full Control" over all objects to 'IT User' and was successfully able to add a user to that OU; however, that user had the ability to create any object in that OU (not something I want). Am I missing something, or has this feature not been fine-tuned just yet?
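An added example, not part of the original post and not Samba code: a small Python check that reads an OU's DACL in SDDL form and reports whether a trustee may create children of any class or only of specific classes, which is the difference between the two delegations described above. The SID and both SDDL strings are constructed, the function names are hypothetical, and deny ACEs are ignored for brevity.

```python
import re

# schemaIDGUID of the Active Directory "user" object class
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
# Constructed SID standing in for the delegated 'IT' group
IT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed DACLs: create/delete child limited to user objects vs. full control
NARROW = f"D:(OA;CI;CCDC;{USER_CLASS};;{IT_SID})(A;;RPLCLORC;;;AU)"
BROAD = f"D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{IT_SID})(A;;RPLCLORC;;;AU)"

CREATE_CHILD = 0x00000001   # ADS_RIGHT_DS_CREATE_CHILD, "CC" in SDDL
GENERIC_ALL = 0x10000000    # "GA" in SDDL

def pairs(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_create(rights):
    """True if the rights field (letter codes or hex mask) includes create-child."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CREATE_CHILD | GENERIC_ALL))
    return bool(pairs(rights) & {"CC", "GA"})

def create_child_scope(sddl, trustee_sid):
    """Return (any_class, class_guids) the trustee may create directly under the object."""
    any_class, classes = False, set()
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = fields[:6]
        if sid != trustee_sid or ace_type not in ("A", "OA"):
            continue          # other trustee, or a deny/audit ACE (not evaluated here)
        if "IO" in pairs(flags) or not grants_create(rights):
            continue          # inherit-only ACEs do not apply to this object itself
        if ace_type == "OA" and obj_guid:
            classes.add(obj_guid.lower())   # create-child scoped to one class
        else:
            any_class = True                # unscoped: any object class
    return any_class, classes

if __name__ == "__main__":
    for name, sddl in (("narrow", NARROW), ("broad", BROAD)):
        print(name, create_child_scope(sddl, IT_SID))
```
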