Samba4 does not handle groups of groups well. If a user U is a member of group G1, which is itself a member of group G2, and permission is granted to members of group G2, then U will not be granted this permission. You can reproduce the problem with this method: create a user, put him in the Domain Admins group (CN=Domain Admins,CN=Users,DC=....), which is part of the Administrators group (CN=Administrators,CN=Builtin,DC=....), and try to open ADCU. You will not be allowed to add users or groups, or to modify them. Now put this user directly in the Administrators group and you will have the rights to do whatever you want in ADCU.
Good, this is the problem of nested groups. We aren't supporting this properly yet.
Any news on this?
*** Bug 6552 has been marked as a duplicate of this bug. ***
Created attachment 4435 (Begin of a patch)
I began to write a patch which enrolls the "memberOf" attributes recursively. For now I have the problem that it doesn't work on my test system. It seems that the issue depends on the "talloc_realloc" function, which doesn't seem to reallocate the memory properly. So after the second call, I always get a SEGFAULT on the line after it (*res_sids[*num_res_sids]=...).
Comment on attachment 4435 (Begin of a patch)
I think I won't add patches here anymore. Please look at the URL.
Fixed in master through my patch.
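The recursive "memberOf" expansion discussed in this report, as an added example that is not part of the original thread and is not Samba's code: it collects the transitive group closure into a caller-owned array that grows through an out-parameter, and it tolerates membership cycles. The directory table and the names expand_memberof and is_member are hypothetical, and plain realloc stands in for talloc_realloc.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed sample directory: memberof[i] lists the direct groups of entry i (-1 ends). */
enum { USER_U, DOMAIN_ADMINS, ADMINISTRATORS, LOOP_A, LOOP_B, NUM_ENTRIES };
static const int memberof[NUM_ENTRIES][3] = {
    [USER_U]         = { DOMAIN_ADMINS, LOOP_A, -1 },
    [DOMAIN_ADMINS]  = { ADMINISTRATORS, -1, -1 },
    [ADMINISTRATORS] = { -1, -1, -1 },
    [LOOP_A]         = { LOOP_B, -1, -1 },
    [LOOP_B]         = { LOOP_A, -1, -1 },   /* cycle: A -> B -> A */
};

/* Append the transitive memberOf closure of `entry` to *res (grown with realloc).
 * Returns 0 on success, -1 on allocation failure; the caller frees *res either way. */
int expand_memberof(int entry, int **res, size_t *num_res)
{
    for (size_t i = 0; i < 3 && memberof[entry][i] != -1; i++) {
        int g = memberof[entry][i];
        int seen = 0;
        for (size_t j = 0; j < *num_res; j++)
            if ((*res)[j] == g) seen = 1;
        if (seen) continue;            /* already collected: this also breaks cycles */
        int *tmp = realloc(*res, (*num_res + 1) * sizeof(**res));
        if (tmp == NULL) return -1;    /* *res is still valid here */
        *res = tmp;
        /* [] binds tighter than unary *, so the out-parameter must be parenthesized. */
        (*res)[*num_res] = g;
        (*num_res)++;
        if (expand_memberof(g, res, num_res) != 0) return -1;
    }
    return 0;
}

/* Hypothetical access check: is `entry` a direct or nested member of `group`?
 * Fails closed (returns 0) if the expansion could not be completed. */
int is_member(int entry, int group)
{
    int *res = NULL; size_t n = 0; int found = 0;
    if (expand_memberof(entry, &res, &n) == 0)
        for (size_t j = 0; j < n; j++)
            if (res[j] == group) found = 1;
    free(res);
    return found;
}

int main(void)
{
    printf("U in Administrators: %d\n", is_member(USER_U, ADMINISTRATORS));
    return 0;
}
```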