[Samba] Delegation of control failure for any built-in Security Principals

[Rowland Penny]

On 22/01/2023 13:31, Sorin P. via samba wrote:
> Hi team.
> 
> I am trying to allocate some rights to users in Active Directory, by using the "Delegation of Control Wizard" from ADUC.
> The steps I'm following were executed under the domain administrator user and are the following:
> 
> 1. open ADUC and right click the top level OU (Ex. domain.org)
> 2. from the pop-up menu, select “Delegate Control…”
> 3. click next in the first page of the wizard (which is the "Welcome" page)
> 4. on the next page "Users or Groups", select the “Add” button, and type ‘SELF’ then ‘Check Names’.
> 5. I'm getting an error window with the following message:
>      "Windows cannot process the object with the name "SELF" because of the following error:
>      Name translation: Input name found, but not the associated output format.


I think that means that the user 'SELF' cannot be mapped, does it work 
with a domain user ?

>      
> After the error, I am unable to continue with the wizard to delegate tasks.The same error appears if I try to select any other built in security principals like: Everyone or SYSTEM, etc
> The logs show nothing suspicious (with log level 10).
> The only log entry which I've found and looked strange to me was this one:
>      gendb_search_v: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org NULL -> 1

I think that means the same, the DN is valid, but the user is unknown on 
Linux.

> 
> Any ideas on what might be wrong?
> 
> The platform I'm using:
>    Software:      Samba Version 4.17.4 (built from source)
>    OS:               Debian GNU/Linux 11 (bullseye)
>    Architecture:     aarch64

Can I ask why you are:
A) referring to aarch64 on Debian, when they call it arm64 ?
B) compiling Samba yourself when 4.17.4 is available from bullseye 
backports ?

Nothing to do with your problem, just interested.

Rowland