[Samba] Delegation of control failure for any built-in Security Principals
Sorin P.
psleo2003 at yahoo.com
Sun Jan 22 17:15:06 UTC 2023
Hi Rowland.
What else can I use instead of "SELF" then?
I'm trying to allow AD users to self-write the sshPublicKeys attribute, which I've already added to the schema.
Additionally, the same error appears when choosing "Everyone" instead of "SELF".
Not that I want to select "Everyone", but I expected to be able to select it and not get an error.
The "wins server" entry is a leftover from some copy-pasted configuration block found on the Internet, when I was trying to solve some old problem which I don't remember. I'll just remove it.
Thank you.
On Sunday, January 22, 2023 at 06:56:13 PM GMT+2, Rowland Penny via samba <samba at lists.samba.org> wrote:
On 22/01/2023 16:27, Sorin P. via samba wrote:
> Hi Rowland.
> The answers to your questions:
> - Yes, it works fine with any other normal user (non-built in users), including the domain administrator user.
> A. I'm referring to Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
> B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.
I do not see why you bother, but each to their own.
> Any ideas on how I can dig into this problem further?
Stop trying to use 'SELF', Samba appears to have nothing to map it to.
> Here's my smb.conf:
> [global]
> allow dns updates = secure only
> bind interfaces only = Yes
> disable spoolss = Yes
> interfaces = eth0
> ldap server require strong auth = Yes
> netbios name = DC
> ntlm auth = mschapv2-and-ntlmv2-only
> printcap name = /dev/null
> realm = DOMAIN.ORG
> restrict anonymous = 2
> server min protocol = SMB3
> server role = active directory domain controller
> tls cafile = tls/bundle_ca.crt
> tls certfile = tls/dc.crt
> tls enabled = Yes
> tls keyfile = tls/dc.key
> wins server = 10.1.1.4
> wins support = Yes
> workgroup = DOMAIN
> idmap_ldb:use rfc2307 = yes
> comment = "Domain Controller for domain.org"
Can I ask why you have set the 'wins server' parameter on something that
doesn't use wins? Especially when you have set 'server min protocol' to
SMB3.
Rowland