[Samba] Samba 4.1 DC Account Operators permissions problem
joneill at une.edu.au
Fri Aug 1 20:12:44 MDT 2014
There appears to be a bug in the samba 4.1 DC builtin group Account Operators permisssions.
By definition, members of the Account Operators group can add, edit, and delete normal user accounts in the domain, except those for domain user accounts who are members of domain Account Operators, Administrators, Backup Operators, Print Operators Server Operators, and Domain Admins. This account is very useful for delegating some authority to selected users so that they can create and manage user accounts without having access to the administration groups.
In our samba 4.1 domain, a freshly created domain user account that has membership only to Domain Users and Account Operators groups actually then has full permissions to modify (and add to) the Administrators and Domain Admins groups. This is not expected behavior!
I have verified this behavior on our working domain with samba 4.1.10 DCs. Also I set up a simple test domain with a samba 4.1.6 DC and it also displays the incorrect behavior above.
Can anyone suggest a fix for this problem?
School of Environmental and Rural Science
Faculty of Arts and Sciences
University of New England
Armidale NSW 2351 Australia
Email:joneill at une.edu.au
Fax: 02 6773 2769
More information about the samba