Samba4: Problems with delegation of privileges and deletion of accounts over LDAP interface
Lukasz Zalewski
lukas at eecs.qmul.ac.uk
Fri Apr 20 06:03:48 MDT 2012
Hi all,
I'm writing a small python app that allows account management between
S4 and our database backend (creation, modification and deletion of
accounts) over the S4 ldap interface.
The setup is as follows.
1) I have an unprivileged user foo
2) Using AD Users and Computers utility I have delegated Create, delete
and manage user accounts to OU=Domain Users,DC... to foo
3) keytab is dumped and used for GSSAPI ldap bind
With the above user, I can create new accounts fine, but when I try to
delete them I get:
ldap.INSUFFICIENT_ACCESS: {'info': 'dsdb_access: Access check failed on
OU=Domain Users,DC=...', 'desc': 'Insufficient access'}
I have run exactly the same scenario against AD (Win Srv 2008 R2 - 2008
R2 functional level) and the problem does not exist - the account is removed
and no errors are present.
Also (I have to confirm this though) when the delegation is performed on
a particular OU and there are existing accounts there, they do not seem
to inherit the delegated privileges - newly created accounts are ok in
this respect.
The version of samba used is Version 4.0.0alpha19-GIT-e36622f
What should I do to provide you with more debug information?
Regards
L
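As an added diagnostic example (not code from the original post or from Samba), the create/delete round-trip described above written with python-ldap: it binds with GSSAPI from the current ticket cache, adds the account, attempts the delete, and classifies Samba's INSUFFICIENT_ACCESS message by whether the failed access check was on the parent OU (missing delete-child right on the container) or on the entry itself (delegated ACEs not present on that account). The server URI, DN and attribute values are assumptions, and the helper names are invented.

```python
import re

# Samba's dsdb_access reports the DN on which the access check failed.
_ACCESS_RE = re.compile(r"Access check failed on\s+(?P<dn>.+)", re.S)


def _norm(dn):
    """Case-fold a DN and strip whitespace around RDN components (constructed helper)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def classify_insufficient_access(info, target_dn):
    """Classify an INSUFFICIENT_ACCESS 'info' string for a delete of target_dn.

    Returns (where, dn): 'parent' if the failed check was on the container
    (the bound identity lacks the delete-child right on that OU), 'object' if
    it was on the entry itself (the identity lacks the delete right on the
    account, e.g. an existing account that never received the delegated ACEs),
    or 'other' if the DN is unrelated or missing from the message.
    """
    m = _ACCESS_RE.search(info or "")
    if not m:
        return ("other", None)
    dn = m.group("dn").strip()
    if _norm(dn) == _norm(target_dn):
        return ("object", dn)
    if _norm(target_dn).endswith("," + _norm(dn)):
        return ("parent", dn)
    return ("other", dn)


def create_then_delete(uri, dn, attrs):
    """GSSAPI-bind, add the account, then delete it; returns a dict with the outcome.
    attrs maps attribute names to lists of bytes, as python-ldap's add_s expects."""
    import ldap  # python-ldap, imported lazily so the classifier stays importable offline
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    conn.add_s(dn, [(k, v) for k, v in attrs.items()])
    try:
        conn.delete_s(dn)
    except ldap.INSUFFICIENT_ACCESS as e:
        where, failed_dn = classify_insufficient_access(e.args[0].get("info", ""), dn)
        return {"deleted": False, "failed_on": where, "dn": failed_dn}
    finally:
        conn.unbind_s()
    return {"deleted": True, "failed_on": None, "dn": None}
```

Comparing the classification for a freshly created account against one that existed before the delegation was applied shows directly whether the two cases fail on different DNs.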