[Samba] [samba] AD, ACLs on LDAP objects not replicated?

mathias dufresne infractory at gmail.com
Tue Aug 30 13:44:16 UTC 2016

Hi all,

Playing with delegation today, we delegated rights to some user on some OU
and its contents so that it can modify users inside that OU and its children.
We used "advanced view" in ADUC then "properties" on our delegated OU, then
"security" tab, and finally we gave rights to our user.

Perhaps this process is not correct, but we believe it is a valid process to
delegate rights. Can anyone confirm or deny?

Anyway, this process is good enough to get the delegation working... as
long as we work on the modified DC (FSMO owner).
As soon as we try the same user modification using another DC, it hangs
(insufficient rights to blablabla -> rights are missing, this can be seen
using "security" tab).

I expect LDAP ACLs to be replicated across the domain.

Any idea what we could be missing?

PS: samba-tool drs showrepl does not show any error on any server.
