OU permission delegation for User/InetOrgPerson objects

Ted Salmon tass2001 at hotmail.com
Wed Aug 3 19:24:15 MDT 2011


I was able to get delegation working on a win2k3 DC just as I have attempted with Samba4.0. I'll be submitting a bug.

Thanks guys!

To: tass2001 at hotmail.com; samba-technical at lists.samba.org
From: mat at matws.net
Subject: Re: OU permission delegation for User/InetOrgPerson objects
Date: Wed, 3 Aug 2011 09:31:22 +0400

I guess we have a bug.
Can you check that doing so with a Windows DC works? And if so, file a bug.

Matthieu Patou

----- Reply message -----
From: "Ted Salmon" <tass2001 at hotmail.com>
To: <samba-technical at lists.samba.org>
Subject: OU permission delegation for User/InetOrgPerson objects
Date: Wed, Aug 3, 2011 07:25



Hello,

I am currently running Samba 4.0.0alpha15-UNKNOWN in Ubuntu and Samba 4.0.0alpha17-GIT-3ce1894 in Slackware 13.37. Both OSs have their drives mounted with ACL and user_xattr params. The issue is as follows. I created a Security group and named it 'IT' and created a user called 'IT User' and added it to the IT group. I then delegated control over an OU from the Administrator account using Microsoft RSAT and gave the 'IT' group permissions to read/write all attributes, set passwords and create/delete user account objects. I then loaded RSAT as 'IT User' and tried to create a user object and got the following error: http://i52.tinypic.com/zyfqkl.png on both versions of Samba 4.0. I then went back and delegated "Full Control" over all objects to 'IT User' and was successfully able to add a user to that OU; however, that user had the ability to create any object in that OU (not something I want). Am I missing something, or has this feature not been fine-tuned just yet?

Thanks!

