[Samba] [samba] AD, ACLs on LDAP objects not replicated?

lingpanda101 at gmail.com lingpanda101 at gmail.com
Tue Aug 30 14:57:34 UTC 2016

On 8/30/2016 9:44 AM, mathias dufresne via samba wrote:
> Hi all,
> Playing with delegation today we delegated rights to some user on some OU
> and its contents for it can modify users inside that OU and children.
> We used "advanced view" in ADUC then "properties" on our delegated OU, then
> "security" tab, and finally we gave rights to our user.
> Perhaps this process is not correct but we believe it is a valid process to
> delegate rights. Anyone to confirm or infirm?
> Anyway, this process is good enough to get the delegation working... as
> long as we work on the modified DC (FSMO owner).
> As soon as we try same user modification using another DC, it hangs
> (insufficient rights to blablabla -> rights are missing, this can be seen
> using "security" tab).
> I expect LDAP ACLs to be replicated across the domain.
> Any idea what we could be missing?
> PS: samba-tool drs showrepl do not show any error on any server.

It worked for me on the additional DC's. Went to security tab, add 
user/group, gave read,write, create all child objects, went to advanced 
view and set 'apply to: This object and all descendant objects'.


More information about the samba mailing list