Samba4: Problems with delegation of privileges and deletion of accounts over LDAP interface

Lukasz Zalewski lukas at
Mon Apr 23 11:02:08 MDT 2012

On 20/04/12 13:03, Lukasz Zalewski wrote:
> Hi all,
> I'am writing a small python app that allows account management between
> S4 and our database backend (creation, modification and deletion of
> accounts) over the S4 ldap interface.
> The setup is as follows.
> 1) I have an unprivileged user foo
> 2) Using AD Users and Computers utility I have delegated Create, delete
> and manage user accounts to OU=Domain Users,DC... to foo
> 3) keytab is dumped and used for GSSAPI ldap bind
> With the above user, I can create new accounts fine, but when i try to
> delete them i get:
> ldap.INSUFFICIENT_ACCESS: {'info': 'dsdb_access: Access check failed on
> OU=Domain Users,DC=...', 'desc': 'Insufficient access'}
> I have run exactly the same scenario against AD (Win Srv 2008 R2 - 2008
> R2 functional level) the problem does not exist - the account is removed
> and no errors are present.
> Also (i have to confirm this though) when the delegation is performed on
> a particular OU and there are existing accounts there, they do not seem
> to inherit the delegated privileges - newly created accounts are ok in
> this respect.

I can confirm that objects present in the container that the delegation 
is performed on do not inherit newly delegated privileges.

On the AD the delegated privileges are propagated to the objects in that 

> The version of samba used is Version 4.0.0alpha19-GIT-e36622f
> What should i do to provide you with more debug information?
> Regards
> L

More information about the samba-technical mailing list