mathias dufresne
2016-Aug-30 13:44 UTC
[Samba] [samba] AD, ACLs on LDAP objects not replicated?
Hi all,

Playing with delegation today we delegated rights to some user on some OU and its contents so it can modify users inside that OU and its children.

We used "advanced view" in ADUC, then "properties" on our delegated OU, then the "security" tab, and finally we gave rights to our user.

Perhaps this process is not correct, but we believe it is a valid process to delegate rights. Anyone to confirm or refute?

Anyway, this process is good enough to get the delegation working... as long as we work on the modified DC (FSMO owner). As soon as we try the same user modification using another DC, it hangs (insufficient rights to blablabla -> rights are missing; this can be seen using the "security" tab).

I expect LDAP ACLs to be replicated across the domain.

Any idea what we could be missing?

PS: samba-tool drs showrepl does not show any error on any server.
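`samba-tool drs showrepl` only reports the health of the replication links; it says nothing about whether a particular ACE reached a particular DC. The delegation set in the "security" tab lives in the OU's nTSecurityDescriptor, and each DC can be asked for it directly with `samba-tool dsacl get`. The script below is an added example, not from the thread or from the Samba project: it pulls the SDDL for one OU from each DC and reports the DACL entries the reference DC has that another DC lacks. The DC names dc1/dc2, the OU DN, the account used to bind, and the two-line output shape of `samba-tool dsacl get` (a "descriptor for <dn>:" line followed by the SDDL) are assumptions; the two SDDL strings at the bottom are constructed sample data standing in for what the FSMO owner and a second DC might return.

```shell
#!/bin/sh
# Added example (not from the thread): compare the DACL of a delegated OU as
# each DC serves it, so "rights missing on the other DC" can be checked per
# object instead of inferred from `samba-tool drs showrepl`.
# Assumptions: DC hostnames dc1/dc2, the OU DN below, a bind user allowed to
# read nTSecurityDescriptor, and the two-line output of `samba-tool dsacl get`
# ("descriptor for <dn>:" followed by the SDDL string).

OU_DN='OU=Delegated,DC=example,DC=com'

# fetch_sddl DC: print the SDDL of $OU_DN as served by that DC (needs network).
fetch_sddl() {
    samba-tool dsacl get --objectdn="$OU_DN" -H "ldap://$1" -U Administrator \
        | grep '^O:'
}

# dacl_aces SDDL: print the DACL ACEs, one "(...)" per line, sorted.
# Strips the O:/G: owner and group parts, the DACL flags (e.g. AI, P) and any
# trailing S: SACL. Only the DACL matters for the delegation question.
dacl_aces() {
    printf '%s\n' "$1" \
        | sed -e 's/.*D:[A-Z]*//' -e 's/S:.*//' \
        | awk -F')' '{ for (i = 1; i < NF; i++) print $i ")" }' \
        | sort
}

# missing_aces EXPECTED_SDDL ACTUAL_SDDL: ACEs present in EXPECTED but not in ACTUAL.
missing_aces() {
    _exp=$(mktemp) || return 1
    _act=$(mktemp) || { rm -f "$_exp"; return 1; }
    dacl_aces "$1" > "$_exp"
    dacl_aces "$2" > "$_act"
    comm -23 "$_exp" "$_act"
    rm -f "$_exp" "$_act"
}

# Constructed sample data: what the FSMO owner shows after delegating to the
# account with RID 1105 (an inheritable ACE, flag CI), and what a second DC
# shows if that ACE never arrived there.
FSMO_SDDL='O:DAG:DAD:AI(A;CI;CCDCRPWPLCLORC;;;S-1-5-21-1-2-3-1105)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;RPLCLORC;;;AU)'
OTHER_SDDL='O:DAG:DAD:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;RPLCLORC;;;AU)'

if [ "${1:-}" = "--live" ]; then
    # Live mode: dc1 (the DC the delegation was set on) is the reference.
    ref=$(fetch_sddl dc1)
    for dc in dc2; do
        printf 'ACEs present on dc1 but missing on %s:\n' "$dc"
        missing_aces "$ref" "$(fetch_sddl "$dc")"
    done
else
    printf 'ACEs present on the FSMO owner but missing on the other DC (sample data):\n'
    missing_aces "$FSMO_SDDL" "$OTHER_SDDL"
fi
```

Run it without arguments to see the comparison on the sample data; run it with `--live` from a host that can reach both DCs to compare what they really serve. An empty result for every DC means the ACE has replicated and the "insufficient rights" error has to be explained some other way; a non-empty result points at the object whose descriptor differs, which is more useful than a clean showrepl.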
lingpanda101 at gmail.com
2016-Aug-30 14:21 UTC
[Samba] [samba] AD, ACLs on LDAP objects not replicated?
On 8/30/2016 9:44 AM, mathias dufresne via samba wrote:
> Hi all,
>
> Playing with delegation today we delegated rights to some user on some OU
> and its contents for it can modify users inside that OU and children.
> We used "advanced view" in ADUC then "properties" on our delegated OU, then
> "security" tab, and finally we gave rights to our user.
>
> Perhaps this process is not correct but we believe it is a valid process to
> delegate rights. Anyone to confirm or infirm?
>
> Anyway, this process is good enough to get the delegation working... as
> long as we work on the modified DC (FSMO owner).
> As soon as we try same user modification using another DC, it hangs
> (insufficient rights to blablabla -> rights are missing, this can be seen
> using "security" tab).
>
> I expect LDAP ACLs to be replicated across the domain.
>
> Any idea what we could be missing?
>
> PS: samba-tool drs showrepl do not show any error on any server.

This is exactly how I have done it in the past. However, I have always used the same DC (FSMO owner) for all modifications. I have never attempted it from another DC because of how I am replicating sysvol (rsync). I will attempt it from another DC and report back.

-- 
-James
lingpanda101 at gmail.com
2016-Aug-30 14:57 UTC
[Samba] [samba] AD, ACLs on LDAP objects not replicated?
On 8/30/2016 9:44 AM, mathias dufresne via samba wrote:
> Hi all,
>
> Playing with delegation today we delegated rights to some user on some OU
> and its contents for it can modify users inside that OU and children.
> We used "advanced view" in ADUC then "properties" on our delegated OU, then
> "security" tab, and finally we gave rights to our user.
>
> Perhaps this process is not correct but we believe it is a valid process to
> delegate rights. Anyone to confirm or infirm?
>
> Anyway, this process is good enough to get the delegation working... as
> long as we work on the modified DC (FSMO owner).
> As soon as we try same user modification using another DC, it hangs
> (insufficient rights to blablabla -> rights are missing, this can be seen
> using "security" tab).
>
> I expect LDAP ACLs to be replicated across the domain.
>
> Any idea what we could be missing?
>
> PS: samba-tool drs showrepl do not show any error on any server.

It worked for me on the additional DCs. Went to the security tab, added the user/group, gave read, write and create all child objects, went to advanced view and set 'apply to: This object and all descendant objects'.

-- 
-James
mathias dufresne
2016-Aug-30 15:32 UTC
[Samba] [samba] AD, ACLs on LDAP objects not replicated?
Thank you for that test, really. So the process is correct; we'll dig to solve that issue.

Thank you again lingpanda ;)

2016-08-30 16:57 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
> On 8/30/2016 9:44 AM, mathias dufresne via samba wrote:
>
>> Hi all,
>>
>> Playing with delegation today we delegated rights to some user on some OU
>> and its contents for it can modify users inside that OU and children.
>> We used "advanced view" in ADUC then "properties" on our delegated OU,
>> then
>> "security" tab, and finally we gave rights to our user.
>>
>> Perhaps this process is not correct but we believe it is a valid process
>> to
>> delegate rights. Anyone to confirm or infirm?
>>
>> Anyway, this process is good enough to get the delegation working... as
>> long as we work on the modified DC (FSMO owner).
>> As soon as we try same user modification using another DC, it hangs
>> (insufficient rights to blablabla -> rights are missing, this can be seen
>> using "security" tab).
>>
>> I expect LDAP ACLs to be replicated across the domain.
>>
>> Any idea what we could be missing?
>>
>> PS: samba-tool drs showrepl do not show any error on any server.
>>
>
> It worked for me on the additional DC's. Went to security tab, add
> user/group, gave read,write, create all child objects, went to advanced
> view and set 'apply to: This object and all descendant objects'.
>
> --
> -James
>
>