[Samba] Samba4 & Delegation

Marc Muehlfeld samba at marc-muehlfeld.de
Thu Aug 15 03:34:24 MDT 2013

Hello Andreas,

On 15.08.2013 11:07, Andreas Krupp wrote:
> For information, what I was trying to do was:
> - Create an OU for a group of applications
> - Delegate control of this OU to a normal user (not helpdesk or domain
> admin) to be able to create groups and assign domain users to them

- What were the exact steps you did?
- On what Samba version?
- Did you run 'samba-tool dbcheck --reset-well-known-acls --fix' to 
reset the ACLs? This is recommended for 4.0.5 and higher, if you 
provisioned your domain with an earlier version to fix missing ACLs. (If 
you haven't done so yet, remember that you'll lose your current delegations!)

> The problem was, whenever I used "Security Groups" the delegation did
> not work. Impossible for the user to whom I delegated group creation and
> modification rights of the ou to add or remove domain users.
> The work-around (since Security Groups are all too picky) --> Use
> "Distribution Groups".
> Once I created distribution groups in the OU I was able to freely assign
> users to them and remove them as required.
> Now this is definitely not best practice, but until the same is possible
> in an easy way with Security Groups this will well serve the purpose.

If it's reproducible, you should open a bug report with the exact steps 
and a level 10 debug log, to get this fixed in future.

> PS: Marc thx a lot for your help before - since I read a bit more about
> GIT, I now understand much better the Samba4 building howto and how to
> get the latest stable version. It's all good now ;-)

If you are using versions from git, remember that they can contain code 
that shouldn't be used for production yet.

