mourik jan heupink - merit
2014-Apr-05 13:22 UTC
[Samba] samba4 AD, allow users to modify (some of) their own attributes
Hi all,

In our openldap days, we allowed users to modify some of their own ldap records. They logged on with their own username/password, and were allowed to change stuff like 'roomNumber', 'jpegPhoto', 'mobile', etc, etc.

It seems that samba4 AD handles permissions a bit stricter, and our users are no longer allowed to edit those details.

I have searched around a bit, and found this:
http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/

Are there other ways to do this easier, for example with ACLs like we had in openldap, or is the above link really the way to (attempt to) go in samba4?

MJ
Andrew Bartlett
2014-Apr-06 06:06 UTC
[Samba] samba4 AD, allow users to modify (some of) their own attributes
On Sat, 2014-04-05 at 15:22 +0200, mourik jan heupink - merit wrote:
> Hi all,
>
> In our openldap days, we allowed users to modify some of their own ldap
> records. They logged on with their own username/password, and were
> allowed to change stuff like 'roomNumber', 'jpegPhoto', 'mobile', etc, etc.
>
> It seems that samba4 AD handles permissions a bit stricter, and our
> users are no longer allowed to edit those details.
>
> I have searched around a bit, and found this:
> http://www.schakko.de/2011/03/30/how-to-give-users-the-permission-to-change-their-own-active-directory-attributesprofile/
>
> Are there other ways to do this easier, for example with ACLs like we
> had in openldap, or is the above link really the way to (attempt to) go
> in samba4?

That looks correct, as we implement NT ACLs on the AD database.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba