Rowland Penny
2023-Jan-22 16:55 UTC
[Samba] Delegation of control failure for any built-in Security Principals
On 22/01/2023 16:27, Sorin P. via samba wrote:
> Hi Rowland.
> The answers to your questions:
> - Yes, it works fine with any other normal user (non-built in users), including the domain administrator user.
> A. I'm referring to Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
> B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.

I do not see why you bother, but each to their own.

> Any ideas on how I can dig into this problem further?

Stop trying to use 'SELF', Samba appears to have nothing to map it to.

> Here's my smb.conf:
> [global]
>         allow dns updates = secure only
>         bind interfaces only = Yes
>         disable spoolss = Yes
>         interfaces = eth0
>         ldap server require strong auth = Yes
>         netbios name = DC
>         ntlm auth = mschapv2-and-ntlmv2-only
>         printcap name = /dev/null
>         realm = DOMAIN.ORG
>         restrict anonymous = 2
>         server min protocol = SMB3
>         server role = active directory domain controller
>         tls cafile = tls/bundle_ca.crt
>         tls certfile = tls/dc.crt
>         tls enabled = Yes
>         tls keyfile = tls/dc.key
>         wins server = 10.1.1.4
>         wins support = Yes
>         workgroup = DOMAIN
>         idmap_ldb:use rfc2307 = yes
>         comment = "Domain Controller for domain.org"

Can I ask why you have set the 'wins server' parameter on something that doesn't use wins? Especially when you have set 'server min protocol' to SMB3.

Rowland
Sorin P.
2023-Jan-22 17:15 UTC
[Samba] Delegation of control failure for any built-in Security Principals
Hi Rowland.

What else can I use instead of "SELF" then? I'm trying to allow AD users to self-write the sshPublicKeys attribute, which I've already added to the schema.

Additionally, the same error appears when choosing "Everyone" instead of "SELF". Not that I want to select "Everyone", but I expected to be able to select it and not get an error.

The "wins server" entry is a leftover from some copy-pasted configuration block found over the Internet, when I was trying to solve some old problem which I don't remember about. I'll just remove it.

Thank you.

On Sunday, January 22, 2023 at 06:56:13 PM GMT+2, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 22/01/2023 16:27, Sorin P. via samba wrote:
>> Hi Rowland.
>> The answers to your questions:
>> - Yes, it works fine with any other normal user (non-built in users), including the domain administrator user.
>> A. I'm referring to Debian architecture like that, because that's exactly what's returned by 'uname -m' -> aarch64
>> B. I prefer to build by myself, in order to disable all the stuff which I know that I do not need for sure: printing support, avahi, dmapi, systemd support, clustering, glusterfs.
>
> I do not see why you bother, but each to their own.
>
>> Any ideas on how I can dig into this problem further?
>
> Stop trying to use 'SELF', Samba appears to have nothing to map it to.
>
>> Here's my smb.conf:
>> [global]
>>         allow dns updates = secure only
>>         bind interfaces only = Yes
>>         disable spoolss = Yes
>>         interfaces = eth0
>>         ldap server require strong auth = Yes
>>         netbios name = DC
>>         ntlm auth = mschapv2-and-ntlmv2-only
>>         printcap name = /dev/null
>>         realm = DOMAIN.ORG
>>         restrict anonymous = 2
>>         server min protocol = SMB3
>>         server role = active directory domain controller
>>         tls cafile = tls/bundle_ca.crt
>>         tls certfile = tls/dc.crt
>>         tls enabled = Yes
>>         tls keyfile = tls/dc.key
>>         wins server = 10.1.1.4
>>         wins support = Yes
>>         workgroup = DOMAIN
>>         idmap_ldb:use rfc2307 = yes
>>         comment = "Domain Controller for domain.org"
>
> Can I ask why you have set the 'wins server' parameter on something that doesn't use wins? Especially when you have set 'server min protocol' to SMB3.
>
> Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
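The principal the Windows delegation wizard calls "SELF" is the well-known Principal Self SID S-1-5-10 (alias PS in SDDL), and "Everyone" is S-1-1-0 (alias WD). The grant Sorin is after, each user writing one attribute on their own object, is a single object-specific ACE that can be written as SDDL and applied with samba-tool rather than through the wizard. The script below is an added example, not code from this thread or from the Samba project: it builds that ACE, decodes it back into its fields so the trustee and rights can be checked before it is applied, and assembles the `samba-tool dsacl set` argument vector. The user-class schemaIDGUID is the standard AD value; the sshPublicKey attribute GUID is a placeholder, because a site-added attribute receives its schemaIDGUID when it is added to the schema, and the OU DN is assumed from the realm shown in the smb.conf above.

```python
# Added example (not from the samba list thread): express the "SELF writes one
# attribute on its own object" delegation as an SDDL ACE for samba-tool dsacl set.
import re

# "SELF" in Windows tooling is the Principal Self SID; in SDDL its alias is PS.
# "Everyone" is S-1-1-0, alias WD.
SDDL_SID_ALIASES = {"PS": "S-1-5-10", "WD": "S-1-1-0"}

# schemaIDGUID of the built-in 'user' object class (standard AD value).
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"

# Placeholder only: a site-added attribute such as sshPublicKey gets its
# schemaIDGUID when it is added to the schema, so the real value must be read
# from the schema partition of the domain in question.
SSH_PUBLIC_KEY_GUID_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"^\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)$")


def self_write_ace(attribute_guid, object_class_guid=USER_CLASS_GUID):
    """Return '(OA;CIIO;WP;<attribute>;<class>;PS)'.

    OA    object-specific access-allowed ACE
    CIIO  inherit to child objects, inherit-only (the OU itself gains nothing)
    WP    write property, limited to the attribute named by its GUID
    PS    Principal Self: on each inherited user object it means that user
    """
    for guid in (attribute_guid, object_class_guid):
        if not GUID_RE.match(guid.lower()):
            raise ValueError(f"not a GUID: {guid!r}")
    return f"(OA;CIIO;WP;{attribute_guid.lower()};{object_class_guid.lower()};PS)"


def decode_ace(ace):
    """Split an SDDL ACE into its six fields, resolving two-letter SID aliases."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"malformed ACE: {ace!r}")
    ace_type, flags, rights, obj_guid, inherit_guid, trustee = m.groups()
    return {
        "type": ace_type,
        "flags": flags,
        "rights": rights,
        "object_guid": obj_guid or None,
        "inherit_object_guid": inherit_guid or None,
        "trustee": SDDL_SID_ALIASES.get(trustee, trustee),
    }


def samba_tool_command(object_dn, ace):
    """argv that applies the ACE to a container (run on the DC as root)."""
    return ["samba-tool", "dsacl", "set", f"--objectdn={object_dn}", f"--sddl={ace}"]


if __name__ == "__main__":
    ace = self_write_ace(SSH_PUBLIC_KEY_GUID_PLACEHOLDER)
    print(ace)
    print(decode_ace(ace))
    # OU DN assumed from the realm DOMAIN.ORG in the smb.conf above.
    print(" ".join(samba_tool_command("OU=Users,DC=domain,DC=org", ace)))
```

Before substituting the placeholder, read the attribute's schemaIDGUID from the schema partition, for instance with `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Schema,CN=Configuration,DC=domain,DC=org' '(lDAPDisplayName=sshPublicKey)' schemaIDGUID` (the sam.ldb path is the packaged default and may differ on a self-built Samba; the value comes back as a binary GUID that has to be rendered in the dashed text form). Keeping the ACE restricted to one attribute GUID and to Principal Self is what limits the grant: a plain WP with no object GUID would let every user write any attribute of their own object.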