Bug 15292 - Delegation of control failure for any built-in Security Principals
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.17.4
Hardware: All Linux
Importance: P5 regression
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-01-24 12:43 UTC by Sorin
Modified: 2023-01-24 12:43 UTC

See Also:

smb.conf file (999 bytes, text/plain)
2023-01-24 12:43 UTC, Sorin

Description Sorin 2023-01-24 12:43:51 UTC
Created attachment 17742
smb.conf file

Hi team.

I am trying to allocate some rights to users in Active Directory, by using the "Delegation of Control" Wizard from ADUC.

The steps I followed were executed under the domain administrator user, and are the following:

1. Open ADUC and right-click the top-level OU (e.g. domain.org).
2. From the pop-up menu, select "Delegate Control…".
3. Click Next on the first page of the wizard (which is the "Welcome" page).
4. On the next page, "Users or Groups", select the "Add" button, type 'SELF', then press the 'Check Names' button.
5. I'm getting an error window with the following message:
    "Windows cannot process the object with the name "SELF" because of the following error:
    Name translation: Input name found, but not the associated output format."

After the error, I am unable to continue with the wizard to delegate tasks. The same error appears if I try to select any other of the built-in security principals, like Everyone or SYSTEM, etc.

The logs show nothing suspicious (while running with log level 10).
The only log entry I found that looked strange to me was this one:
    gendb_search_v: CN=Self,CN=WellKnown Security Principals,CN=Configuration,DC=domain,DC=org NULL -> 1

The platform I'm using:
  Software:      Samba Version 4.17.4 (built from source)
  OS:            Debian GNU/Linux 11 (bullseye)
  Architecture:  aarch64
  Kernel:        5.15.84-v8+

Additional information:
 - the domain controller which is experiencing this issue was provisioned with Samba v4.17
 - on another domain controller, which was provisioned with an older Samba version, v4.14 or v4.13 (I can't say with 100% certainty which of these two), this problem did not exist, and the "Delegation of control" wizard allowed selection of "SELF" or any other of the built-in security principals.

I am opening this bug as a follow-up to the discussion (with the same name/subject) that was initiated on the Samba mailing list.

Thank you.