Delegation of permissions

Andrew Bartlett abartlet at
Wed Oct 10 06:34:30 MDT 2012

On Wed, 2012-10-10 at 14:26 +0200, Marc Muehlfeld wrote:
> Hello,
> I wanted to ask, what the current state is of delegating permissions on 
> samba4. I tried delegating GPO editing, user/group management and allow to 
> bring computers into the domain. All seem not to work (or I do something wrong).
> I saw that samba-tool has a delegation option, but don't know how to use it. I 
> only tried it with ADUC.
> For adding computers to the domain I already opened a bugreport 
> ( with logfiles, etc.
> Should delegation already work? And if, for what parts of AD? If not, is it 
> planned for s4 final? I mean: Like many companies, we don't want everyone in 
> the helpdesk to know the domain admin password just for e. g. bringing a new 
> workstation into the domain. :-)

For joining to the domain at least:  Sadly no, I don't expect this to
change for the 4.0 release, but patches against master to implement this
are welcome (and perhaps if it's not invasive it might be backported). 

We need to work out exactly what is missing, add tests and finish the

The only thing that is expected to work are features implemented in
terms of pure NT ACLs and group memberships.  Those things (like adding
other users as a domain administrator or some other pre-defined group)
should work.


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list