Samba4: Problems with delegation of privileges and deletion of accounts over LDAP interface

Lukasz Zalewski lukas at
Fri Apr 20 06:03:48 MDT 2012

Hi all,
I'am writing a small python app that allows account management between 
S4 and our database backend (creation, modification and deletion of 
accounts) over the S4 ldap interface.
The setup is as follows.
1) I have an unprivileged user foo
2) Using AD Users and Computers utility I have delegated Create, delete 
and manage user accounts to OU=Domain Users,DC... to foo
3) keytab is dumped and used for GSSAPI ldap bind

With the above user, I can create new accounts fine, but when i try to 
delete them i get:
ldap.INSUFFICIENT_ACCESS: {'info': 'dsdb_access: Access check failed on 
OU=Domain Users,DC=...', 'desc': 'Insufficient access'}

I have run exactly the same scenario against AD (Win Srv 2008 R2 - 2008 
R2 functional level) the problem does not exist - the account is removed 
and no errors are present.

Also (i have to confirm this though) when the delegation is performed on 
a particular OU and there are existing accounts there, they do not seem 
to inherit the delegated privileges - newly created accounts are ok in 
this respect.

The version of samba used is Version 4.0.0alpha19-GIT-e36622f

What should i do to provide you with more debug information?



More information about the samba-technical mailing list