[Samba] Samba4 & Delegation
Andreas Krupp
andreaskrupp at akrupp.ch
Thu Aug 15 06:00:10 MDT 2013
Hi Marc,
I will give this another try with the options you have mentioned - however,
the same behavior is also present on a Microsoft Windows 2008 R2 Domain
Server with the AD at 2008 R2 compatibility level.
So for the moment, I have the impression that even Microsoft does not
encourage ownership and delegation of security group management in a simple
manner.
I will keep you posted - and well, I installed a "production" version for my
home network and doing "Proof-of-Concepts" in a complete enterprise domain
environment. The stable releases work fine for the moment ;-)
Cheers & best!
Andreas
-----Original Message-----
Sent: jeudi 15 août 2013 11:34
Subject: Re: [Samba] Samba4 & Delegation
Hello Andreas,
Am 15.08.2013 11:07, schrieb Andreas Krupp:
> For information, what I was trying to do was:
> - Create an OU for a group of applications
> - Delegate control of this OU to a normal user (not helpdesk or domain
> admin) to be able to create groups and assign domain users to them
- What where the exact steps you did?
- On what Samba version?
- Did you run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset
the ACLs? This is recommented for 4.0.5 and higher, if you provisioned your
domain with an earlier version to fix missing ACLs. (If you haven't done
yet, remember, that you'll loose your current delegations!)
> The problem was, whenever I used "Security Groups" the delegation did
> not work. Impossible for the user to whom I delegated group creation
> and modifaction rights of the ou to add or remove domain users.
>
> The work-around (since Security Groups are all to picky) --> Use
> "Distribution Groups".
> Once I created distribution groups in the OU I was able to freely
> assing users to them and remove them as required.
> Now this is definetly not best pratice, but until the same is possible
> in an easy way with Security Groups this will well serve the purpose.
If it's reproducable, you should open a bug report with the exact steps and
a level 10 debug log, to get this fixed in future.
> PS: Marc thx a lot for your help before - since I read a bit more about
> GIT, I know understand much better the Samba4 building howto and how to
> get the latest stable version. It's all good now ;-)
If you are using versions from git, remember, that they can contain code
that shouldn't be used for production yet.
Regards,
Marc
More information about the samba
mailing list