[Samba] Delegation of control failure for any built-in Security Principals

Sorin P. psleo2003 at yahoo.com
Sun Jan 22 17:15:06 UTC 2023

Hi Rowland.
What else can I use instead of "SELF" then?
I'm trying to allow AD users to self-write sshPublicKeys attribute, which I've already added to the schema.
Additionally, the same error appears when choosing "Everyone" instead of "SELF".
Not that I want to select "Everyone", but I expected to be able to select it and not get an error.
The "wins server" entry is a leftover from some copy-pasted configuration block found over the Internet, when I was trying to solve some old problem which I don't remember about. I'll just remove it.
Thank you.

    On Sunday, January 22, 2023 at 06:56:13 PM GMT+2, Rowland Penny via samba <samba at lists.samba.org> wrote:  

On 22/01/2023 16:27, Sorin P. via samba wrote:
> Hi Rowland.
> The answers to your questions:
> - Yes, it works fine with any other normal user (non-built-in users), including the domain administrator user.
> A. I'm referring to the Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
> B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.

I do not see why you bother, but each to their own.

> Any ideas on how I can dig into this problem further?

Stop trying to use 'SELF', Samba appears to have nothing to map it to.

> Here's my smb.conf:
> [global]
>          allow dns updates = secure only
>          bind interfaces only = Yes
>          disable spoolss = Yes
>          interfaces = eth0
>          ldap server require strong auth = Yes
>          netbios name = DC
>          ntlm auth = mschapv2-and-ntlmv2-only
>          printcap name = /dev/null
>          realm = DOMAIN.ORG
>          restrict anonymous = 2
>          server min protocol = SMB3
>          server role = active directory domain controller
>          tls cafile = tls/bundle_ca.crt
>          tls certfile = tls/dc.crt
>          tls enabled = Yes
>          tls keyfile = tls/dc.key
>          wins server =
>          wins support = Yes
>          workgroup = DOMAIN
>          idmap_ldb:use rfc2307 = yes
>          comment = "Domain Controller for domain.org"

Can I ask why you have set the 'wins server' parameter on something that 
doesn't use wins? Especially when you have set 'server min protocol' to 

