[Samba] Samba4 & Delegation

Marc Muehlfeld samba at marc-muehlfeld.de
Mon May 6 13:23:52 MDT 2013

Hello Andreas,

Am 06.05.2013 20:38, schrieb Andreas Krupp:
> 1)      Even if I give this service account "Full Control" on (2) where the
> users are, it only works with newly created users (the rights do not get
> inherited and I have not come across a good post on how to do that)
> 2)      If I give rights to Read/Write the "memberOf" property, I have the
> same result - it simply does not work (I tried this by giving permissions on
> a single user and then trying to assign him to a group). Actually, even if I
> give "Full Control" on a single user, I cannot assign him one of my groups.
> Any hints of where or how I should approach this?

Have you seen the delegation wiki page?

The example 'join machines as non-domain-admin permissions', works great 
here. I think, you did the delegation on the same way, didn't you?

What version of Samba are you running on your DC and which version you 
did the provisioning? There were some ACL changes during the past 
version, because earlier versions don't set all permissions.

You can run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset 
all ACLs on the directory to it's default. This fixed my ACL/delegation 
problems I had here. But: You loose all existing delegations and have to 
re-create them! One more note about the reset: Run it multiple times, 
until there are no complains about wrong ACLs any more. It maybe doesn't 
fix everything on the first run (Bug #9786).

Make a backup of your installation before you reset - just to be save :-)


More information about the samba mailing list