Hello,

Not sure if this is the right forum for this question, but since I am running a Samba4 DC I thought I'd start here.

I have created a separate OU to manage Groups and Users for Applications:

1) ou=myappX,ou=app,dc=mydomain,dc=home

All Users (and other groups, e.g. Domain Users) are obviously found in:

2) cn=users,dc=mydomain,dc=home

So I created a service account that has "Full Control" on the separate OU (1). And I am trying to give this service account the rights to add/remove users and groups to my OU groups. I seem to have 2 problems:

1) Even if I give this service account "Full Control" on (2) where the users are, it only works with newly created users (the rights do not get inherited and I have not come across a good post on how to do that)

2) If I give rights to Read/Write the "memberOf" property, I have the same result - it simply does not work (I tried this by giving permissions on a single user and then trying to assign him to a group). Actually, even if I give "Full Control" on a single user, I cannot assign him one of my groups.

Any hints of where or how I should approach this?

Cheers & thx,
Andreas
Hello Andreas,

On 06.05.2013 20:38, Andreas Krupp wrote:
> 1) Even if I give this service account "Full Control" on (2) where the
> users are, it only works with newly created users (the rights do not get
> inherited and I have not come across a good post on how to do that)
>
> 2) If I give rights to Read/Write the "memberOf" property, I have the
> same result - it simply does not work (I tried this by giving permissions on
> a single user and then trying to assign him to a group). Actually, even if I
> give "Full Control" on a single user, I cannot assign him one of my groups.
>
> Any hints of where or how I should approach this?

Have you seen the delegation wiki page?
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation

The example 'join machines as non-domain-admin permissions' works great here. I think you did the delegation the same way, didn't you?

What version of Samba are you running on your DC, and with which version did you do the provisioning? There were some ACL changes during the past versions, because earlier versions didn't set all permissions. You can run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all ACLs on the directory to their defaults. This fixed the ACL/delegation problems I had here. But: you lose all existing delegations and have to re-create them!

One more note about the reset: run it multiple times, until there are no more complaints about wrong ACLs. It may not fix everything on the first run (Bug #9786).

Make a backup of your installation before you reset - just to be safe :-)

Regards
Marc
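Marc's advice above ("run it multiple times, until there are no complaints") turned into a small POSIX shell wrapper. This is an added example, not code from the thread or from the Samba project. It assumes, which the thread does not state, that dbcheck finishes with a summary line of the form "Checked N objects (M errors)" and reads M from it; the wrapper refuses to run unless you point it at a backup you have already taken, following Marc's "make a backup before you reset".

```shell
#!/bin/sh
# Added example (not from the thread): rerun a dbcheck-style command until
# it reports zero errors, as suggested on the list, with a backup required first.
#
# Assumption (not stated in the thread): the command ends with a summary line
# "Checked <N> objects (<M> errors)". If that line is missing we report "unknown"
# rather than guessing.

# Print the error count from a dbcheck transcript, or "unknown" if no summary line.
errors_from_output() {
    count=$(printf '%s\n' "$1" \
        | sed -n 's/.*Checked [0-9]* objects (\([0-9]*\) errors).*/\1/p' \
        | tail -n 1)
    if [ -z "$count" ]; then
        echo unknown
    else
        echo "$count"
    fi
}

# Run the given command up to $1 times, stopping at the first run with 0 errors.
# Prints the number of runs performed on stdout; exit status 0 if the last run
# was clean, 1 if the error count is still non-zero or unknown after $1 runs.
run_until_clean() {
    max="$1"; shift
    run=0
    tmp=$(mktemp)
    while [ "$run" -lt "$max" ]; do
        run=$((run + 1))
        # dbcheck exits non-zero when it found (and fixed) errors, so ignore status.
        "$@" >"$tmp" 2>&1 || true
        errs=$(errors_from_output "$(cat "$tmp")")
        echo "run $run: $errs errors" >&2
        if [ "$errs" = "0" ]; then
            rm -f "$tmp"
            echo "$run"
            return 0
        fi
    done
    rm -f "$tmp"
    echo "$run"
    return 1
}

# Guarded wrapper for the real thing: requires an existing backup path so the
# reset is never run without one. The command line is the one from the thread.
# Usage: reset_well_known_acls /path/to/backup.tar.gz [max_runs]
reset_well_known_acls() {
    backup="$1"; max="${2:-5}"
    if [ ! -s "$backup" ]; then
        echo "refusing to reset ACLs: backup '$backup' is missing or empty" >&2
        return 2
    fi
    run_until_clean "$max" samba-tool dbcheck --reset-well-known-acls --fix
}
```

After the loop reports a clean run, the delegations you set by hand before the reset are gone (as Marc warns), so re-apply them and test the service account again; if the count never reaches zero within the run limit, stop and look at the remaining complaints rather than increasing the limit blindly.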
Hello Andreas,

On 08.05.2013 20:08, Andreas Krupp wrote:
> Thx a lot for the quick reply.
> I will try to upgrade or possibly reinstall my Samba4 instance.
> At the moment the command returns me: 4.1.0pre1-GIT-5f2edd1
> I guess that is not really the right version or the latest release.
> I tried your command to reset the ACLs but that command is not part of my dbcheck. I tried and could not find your command in the list either. So I am starting to think that my problems maybe come from the entire version.
>
> I will set up a VM, reinstall CentOS + Samba4 and see if that works better :)

The '--reset-well-known-acls' option was introduced in 4.0.5 (this is the latest version). Maybe someone else on the list can say if you can switch from your git version to 4.0.5.

Regards,
Marc