Users with SeMachineAccountPrivilege right are able to change users and groups accounts Using samba-3.3.4-0.1.146 on PPC SLES10.
Can you please upload your smb.conf together with a debug level 10 log of smbd doing an operation that it should have denied? Thanks, Volker
Volker, I remember that we worked (hopefully fixed) exactly this during the samr cleanup for 3.4.
Ok, you're the boss here :-) Volker
Do you have a chance to use a recent 3.4 release ? There have been quite some fixes in the area of these access checks that should resolve your issue. There won't be a new 3.3.x release as this is a discontinued series, so no backports for these access checks are available right now.
I've upgraded to 3.5.1 and will look into this.