[Samba] [samba] AD, ACLs on LDAP objects not replicated?

lingpanda101 at gmail.com lingpanda101 at gmail.com
Tue Aug 30 14:21:20 UTC 2016

On 8/30/2016 9:44 AM, mathias dufresne via samba wrote:
> Hi all,
> Playing with delegation today, we delegated rights to some user on some OU
> and its contents so that it can modify users inside that OU and its children.
> We used "advanced view" in ADUC then "properties" on our delegated OU, then
> "security" tab, and finally we gave rights to our user.
> Perhaps this process is not correct, but we believe it is a valid process to
> delegate rights. Can anyone confirm or refute?
> Anyway, this process is good enough to get the delegation working... as
> long as we work on the modified DC (FSMO owner).
> As soon as we try the same user modification using another DC, it hangs
> (insufficient rights to blablabla -> rights are missing, this can be seen
> using "security" tab).
> I expect LDAP ACLs to be replicated across the domain.
> Any idea what we could be missing?
> PS: samba-tool drs showrepl does not show any error on any server.

This is exactly how I have done it in the past. However, I have always
used the same DC (FSMO owner) for all modifications. I never attempted it from
another DC because of how I am replicating sysvol (rsync).

I will attempt from another DC and report back.
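
One way to confirm the symptom described in this thread is to compare the OU's DACL (stored in the object's nTSecurityDescriptor attribute) as each DC holds it. The following is an added example, not code from either poster or from the Samba project; the DC names, SIDs and SDDL strings are constructed, and it assumes the descriptor has already been exported from each DC in SDDL form.

```python
import re

# Constructed sample data: SDDL of the same OU as read from two DCs (assumed to be
# exported beforehand). All SIDs and rights are made up for illustration.
DELEGATE_SID = "S-1-5-21-1-2-3-1105"  # hypothetical delegated user
SDDL_BY_DC = {
    "dc1": "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
           "(A;CI;RPWPCCDCLCRCSDDT;;;" + DELEGATE_SID + ")(A;;RPLCLORC;;;AU)",
    "dc2": "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
}


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a set of 6-field ACE tuples:
    (type, flags, rights, object_guid, inherit_object_guid, trustee)."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        return frozenset()  # no DACL section present
    aces = set()
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:  # conditional ACEs are out of scope here
            raise ValueError("unexpected ACE: (%s)" % body)
        aces.add(tuple(fields))
    return frozenset(aces)


def diff_dacls(sddl_by_dc, reference):
    """Compare every DC against the reference DC (the one the ACL was edited on).
    Returns {dc: (aces_missing_on_dc, aces_only_on_dc)}; ACE order is ignored."""
    ref = parse_dacl(sddl_by_dc[reference])
    return {dc: (ref - parse_dacl(s), parse_dacl(s) - ref)
            for dc, s in sddl_by_dc.items() if dc != reference}


def dcs_missing_trustee(sddl_by_dc, sid):
    """DCs whose copy of the object carries no ACE at all for the given SID."""
    return sorted(dc for dc, s in sddl_by_dc.items()
                  if all(ace[5] != sid for ace in parse_dacl(s)))


if __name__ == "__main__":
    for dc, (missing, extra) in diff_dacls(SDDL_BY_DC, "dc1").items():
        print(dc, "missing:", sorted(missing), "extra:", sorted(extra))
    print("no ACE for delegate on:", dcs_missing_trustee(SDDL_BY_DC, DELEGATE_SID))
```

A DC that reports the delegated ACE as missing has not received the updated security descriptor, which matches the "insufficient rights" behaviour seen when the change is attempted against that DC.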

