[Samba] Delegation of control failure for any built-in Security Principals

Rowland Penny rpenny at samba.org
Sun Jan 22 17:31:21 UTC 2023

On 22/01/2023 17:15, Sorin P. wrote:
> Hi Rowland.
> What else can I use instead "SELF" then?
> I'm trying to allow AD users to self-write sshPublicKeys attribute, 
> which I've already added to the schema.

you do realise that properly setup, SSH will work with kerberos, without 
keys or passwords.

> Additionally, the same error appears when choosing "Everyone" instead 
> "SELF".

These Well Know SIDs do not have anything to map them to. If you must 
use keys, then surely the attribute is part of the uses AD object and as 
such should be owned by the user, who should have write permission.

As I said (in a round about way), I use kerberos instead of keys.


More information about the samba mailing list