Re: OU permission delegation for User/InetOrgPerson objects

Matthieu Patou mat at
Tue Aug 2 23:31:22 MDT 2011

I guess we have a bug.
Can you check that doing so with a Windows DC works? And if so, file a bug.

Matthieu Patou

----- Reply message -----
From: "Ted Salmon" <tass2001 at>
To: <samba-technical at>
Subject: OU permission delegation for User/InetOrgPerson objects
Date: Wed, Aug 3, 2011 07:25


I am currently running Samba 4.0.0alpha15-UNKNOWN in Ubuntu and Samba 4.0.0alpha17-GIT-3ce1894 in Slackware 13.37. Both OSs have their drives mounted with ACL and user_xattr params. The issue is as follows. I created a Security group and named it 'IT' and created a user called 'IT User' and added it to the IT group. I then delegated control over an OU from the Administrator account using Microsoft RSAT and gave the 'IT' group permissions to read/write all attributes, set passwords and create/delete user account objects. I then loaded RSAT as 'IT User' and tried to create a user object and got the following error:  on both versions of Samba 4.0. I then went back and delegated "Full Control" over all objects to 'IT User' and was successfully able to add a user to that OU; however, that user had the ability to create any object in that OU (not something I want). Am I missing something or has this feature not been fine-tuned just yet?

