When you log in as a normal (AD) user, open the ADUC console, try to add a group entry to some user and confirm this, the console hangs. The last messages who are listed in the debug log: ldb_request BASE dn=<user-dn>,filter=(objectClass=*) ldb_request BASE dn=<group-dn>,filter=(objectClass=*) ldb: start ldb transaction (nesting: 0) ldb: objectclass_modify Then the connection is going to be closed (closed connection to service IPC$) with NT_STATUS_END_OF_FILE.
A normal user shouldn't be denied any modification in ADCU ? (apart from his personnal informations) It seems to me that at least a normal user is unable to create users (hopefully).
I personally think that this depends on #6466. So we've to fix the other bug first.
I can no longer (as of commit 9cf2d053cd255ee8c96bb25338b229e63d2d5182) reproduce this issue. I was looking into it about 24 hours ago, and had no problems reproducing the hang then. I now get an error message like "You do not have permission to modify the group smb4.internal.id10ts.net/Users/Domain Admins." if I attempt to add a user to the Domain Admins group (or any other group) when logged in as a non-admin user. The testing I did earlier when I could reproduce the issue included my work on the display specifiers additions, so the only changes to my working tree since then are commits e6cb98e53a25af5fba2dc579ff6a51653183eb70 through a9595976370251a445919a235901c9058bc683ff. I do not see anything in those changes that would indicate they were made to correct this issue. I'll leave it to others to see if they can reproduce the original issue, and close this bug if they cannot.
This fix 77e2403f1314a28722f0fb21f6682320b2e9935d fixed the hang, but the underlying bug is still present (and is the subject of my ldb-index branch)
This is fixed with my patchset.
Actually, I think this was fixed by the work tridge and I did to handle failures inside callbacks (8995491f59e7b6cee79b4249424e886f54f6b94d)