[Samba] Samba4 & Delegation

Andreas Krupp andreaskrupp at akrupp.ch
Mon May 6 12:38:32 MDT 2013



Not sure if this is the right forum for this question, but since I am
running a Samba4 DC I thought I'd start here.


I have created a separate OU to manage Groups and Users for Applications:

1) ou=myappX,ou=app,dc=mydomain,dc=home


All Users (and other groups, e.g. Domain Users) are obviously found in:

2) cn=users,dc=mydomain,dc=home



So I created a service account that has "Full Control" on the separate OU
(1). And I am trying to give this service account the rights to add/remove
users and groups to my OU groups.

I seem to have 2 problems:


1) Even if I give this service account "Full Control" on (2) where the
users are, it only works with newly created users (the rights do not get
inherited and I have not come across a good post on how to do that)

2) If I give rights to Read/Write the "memberOf" property, I have the
same result - it simply does not work (I tried this by giving permissions on
a single user and then trying to assign him to a group). Actually, even if I
give "Full Control" on a single user, I cannot assign him one of my groups.


Any hints of where or how I should approach this?

Cheers & thx,


