[Samba] Delegation of control failure for any built-in Security Principals

Rowland Penny rpenny at samba.org
Sun Jan 22 16:55:26 UTC 2023

On 22/01/2023 16:27, Sorin P. via samba wrote:
> Hi Rowland.
> The answers to your questions:
> - Yes, it works fine with any other normal user (non-built-in users), including the domain administrator user.
> A. I'm referring to Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
> B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.

I do not see why you bother, but each to their own.

> Any ideas on how I can dig into this problem further?

Stop trying to use 'SELF', Samba appears to have nothing to map it to.

> Here's my smb.conf:
> [global]
>          allow dns updates = secure only
>          bind interfaces only = Yes
>          disable spoolss = Yes
>          interfaces = eth0
>          ldap server require strong auth = Yes
>          netbios name = DC
>          ntlm auth = mschapv2-and-ntlmv2-only
>          printcap name = /dev/null
>          realm = DOMAIN.ORG
>          restrict anonymous = 2
>          server min protocol = SMB3
>          server role = active directory domain controller
>          tls cafile = tls/bundle_ca.crt
>          tls certfile = tls/dc.crt
>          tls enabled = Yes
>          tls keyfile = tls/dc.key
>          wins server =
>          wins support = Yes
>          workgroup = DOMAIN
>          idmap_ldb:use rfc2307 = yes
>          comment = "Domain Controller for domain.org"

Can I ask why you have set the 'wins server' parameter on something that 
doesn't use wins ? Especially when you have set 'server min protocol' to 

