Bug 8348 - Unable to delegate the creation of user/InetOrgPerson objects without giving full control over an OU
Summary: Unable to delegate the creation of user/InetOrgPerson objects without giving ...
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Nadezhda Ivanova
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-04 01:49 UTC by Ted Salmon
Modified: 2011-09-12 17:50 UTC

See Also:


Attachments
The error message that I received from RSAT as described in the bug description (9.10 KB, image/png)
2011-08-04 01:49 UTC, Ted Salmon

Description Ted Salmon 2011-08-04 01:49:58 UTC
Created attachment 6752
The error message that I received from RSAT as described in the bug description

Tested with:
Samba 4.0.0alpha15-UNKNOWN in Ubuntu AMD64
Samba 4.0.0alpha17-GIT-3ce1894 in Slackware64 13.37

Background:

Both machines have their drives mounted with acl and user_xattr and have EXT4 partitions.

Issue:

I created a user named "IT User" and a group called "IT". I then created an OU and named it "UserOU". As the Administrator user I delegated control of the OU to create User Accounts, Read/Write Attributes to User Objects and require/set passwords to the "IT" group. I then started the RSAT as "IT User" and attempted to create a user but was presented with the error I have attached. The issue occurs for both User Objects and InetOrgPerson objects. In addition to not being able to create users, existing users in the OU cannot be edited by the "IT User". I then went back into the delegate control wizard and said that I wanted to create a custom task to delegate, selected all objects and gave Full Control over such objects to the "IT" group. I was then able to create/modify any object in the container without fault. Of course this is not ideal as it is very insecure. I was successfully able to delegate ONLY the ability to create user objects using a test Win2k3 DC. It should be noted that I have seen no issues with the delegation of any other objects, just the ones that require a password.

Thanks!
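The two delegations described in the report, the narrow one (create user/inetOrgPerson, read/write their attributes, reset password) and the "Full Control" workaround, differ only in the ACEs written to the OU's DACL. The following is an added example, not code from the report or from Samba: it parses SDDL DACL strings and flags ACEs that hand the delegated group broad rights, so an administrator can check that a workaround like the one above did not quietly turn a scoped delegation into full control. The SIDs and SDDL strings are constructed; the GUIDs are Microsoft's well-known schemaIDGUID and control-access-right values.

```python
"""Check an OU's SDDL DACL for a delegated group: narrow delegation vs full control.
Constructed example; the group SID and the SDDL strings are made up."""
import re

USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"           # schemaIDGUID of class 'user'
INETORGPERSON_CLASS = "4828cc14-1437-45bc-9b07-ad6f015e5f28"  # schemaIDGUID of 'inetOrgPerson'
USER_CLASSES = {USER_CLASS, INETORGPERSON_CLASS}
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"       # 'Reset Password' extended right

# Rights that effectively hand over the object or the whole container.
BROAD_RIGHTS = {"GA", "GW", "WD", "WO", "SD", "DT", "DC"}

IT_GROUP_SID = "S-1-5-21-1111-2222-3333-1104"  # constructed SID for the "IT" group

# Constructed: what the delegation wizard's user-creation task would produce.
NARROW_SDDL = (
    f"D:(OA;;CC;{USER_CLASS};;{IT_GROUP_SID})"
    f"(OA;;CC;{INETORGPERSON_CLASS};;{IT_GROUP_SID})"
    f"(OA;CIIO;RPWP;;{USER_CLASS};{IT_GROUP_SID})"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{IT_GROUP_SID})"
)
# Constructed: the "Full Control over all objects" workaround from the report.
FULL_CONTROL_SDDL = f"D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{IT_GROUP_SID})"

def parse_dacl(sddl):
    """Split 'D:(...)(...)' into ACE dicts: type;flags;rights;object;inherit_object;sid."""
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, obj, inh, sid = m.group(1).split(";")
        aces.append({"type": ace_type, "flags": flags,
                     "rights": set(re.findall(r"[A-Z]{2}", rights)),  # two-letter tokens
                     "object": obj.lower(), "inherit_object": inh.lower(), "sid": sid})
    return aces

def delegation_findings(sddl, trustee_sid):
    """Return descriptions of ACEs that grant trustee_sid more than the narrow
    user-creation delegation; an empty list means the delegation is scoped."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["sid"] != trustee_sid or ace["type"] not in ("A", "OA"):
            continue  # other trustees, deny ACEs and audit ACEs are out of scope here
        broad = ace["rights"] & BROAD_RIGHTS
        if broad:
            findings.append(f"grants {sorted(broad)}: effectively full control")
            continue
        if "CC" in ace["rights"] and ace["object"] not in USER_CLASSES:
            findings.append("CC not limited to user/inetOrgPerson: may create any class")
        if ace["rights"] & {"RP", "WP"} and not ({ace["object"], ace["inherit_object"]} & USER_CLASSES):
            findings.append("RP/WP not limited to user objects")
        if "CR" in ace["rights"] and ace["object"] != RESET_PASSWORD:
            findings.append("CR not limited to the Reset Password right")
    return findings
```

The same check can be run against a real OU by feeding it the output of a tool that dumps the object's nTSecurityDescriptor as SDDL.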
Comment 1 Matthias Dieter Wallnöfer 2011-09-12 17:50:15 UTC
Seems to be a problem in the security descriptor modules - assigning to the right maintainer.