The Samba-Bugzilla – Bug 8348
Unable to delegate the creation of user/InetOrgPerson objects without giving full control over an OU
Last modified: 2011-09-12 17:50:15 UTC
Created attachment 6752 [details]
The error message that I received from RSAT as described in the bug description
Samba 4.0.0alpha15-UNKNOWN in Ubuntu AMD64
Samba 4.0.0alpha17-GIT-3ce1894 in Slackware64 13.37
Both machines have their drives mounted with acl and user_xattr and have EXT4 partitions.
I created a user named "IT User" and a group called "IT". I then created an OU and named it "UserOU". As the Administrator user I delegated control of the OU to create User Accounts, Read/Write Attributes to User Objects and require/set passwords to the "IT" group. I then started the RSAT as "IT User" and attempted to create a user but was presented with the error I have attached. The issue occurs for both User Objects and InetOrgPerson objects. In addition to not being able to create users, existing users in the OU cannot be edited by the "IT User".

I then went back into the delegate control wizard and said that I wanted to create a custom task to delegate, selected all objects and gave Full Control over such objects to the "IT" group. I was then able to create/modify any object in the container without fault. Of course this is not ideal as it is very insecure.

I was successfully able to delegate ONLY the ability to create user objects using a test Win2k3 DC. It should be noted that I have seen no issues with the delegation of any other objects, just the ones that require a password.
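The report contrasts a narrow delegation (create user/inetOrgPerson objects, read/write their attributes, reset passwords) with the Full Control workaround that made RSAT work. The following is an added example, not code from the Samba project or the reporter, that reads an OU's security descriptor in SDDL form and checks whether a delegated group ended up with full control rather than the narrow rights. The two DACL strings are constructed samples, the "IT" group SID is made up, and the user/inetOrgPerson schema GUIDs and the reset-password control-access GUID are the well-known Active Directory values, assumed here and worth verifying against the schema of the domain being audited.

```python
"""Audit an OU's DACL (SDDL) for over-broad delegation to a group.

Constructed example: compares the narrow delegation described in the bug
report against the "Full Control" workaround, and flags the latter.
"""
import re
from dataclasses import dataclass

# Access-mask bits behind the two-letter SDDL rights tokens (MS-DTYP).
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
FULL_CONTROL = 0x000F01FF  # every DS-specific right plus all standard rights

# Assumed well-known AD GUIDs (schemaIDGUID / control access right); verify
# against the target domain's schema before relying on them.
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
INETORGPERSON_CLASS = "4828cc14-1437-45bc-9b07-ad6f015e5f28"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

IT_GROUP_SID = "S-1-5-21-1000-2000-3000-1105"  # constructed SID for the "IT" group

# Constructed DACLs for "UserOU". NARROW is what the wizard is meant to produce;
# BROAD is the Full Control workaround from the report.
NARROW_DACL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    f"(OA;;CC;{USER_CLASS};;{IT_GROUP_SID})"
    f"(OA;;CC;{INETORGPERSON_CLASS};;{IT_GROUP_SID})"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{IT_GROUP_SID})"
    f"(OA;CIIO;RPWP;;{USER_CLASS};{IT_GROUP_SID})"
)
BROAD_DACL = (
    "O:DAG:DAD:"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    f"(A;CI;GA;;;{IT_GROUP_SID})"
)


@dataclass
class Ace:
    ace_type: str              # "A" (allow), "OA" (object allow), "D", "OA", ...
    flags: str                 # inheritance flags, e.g. "CI", "IO"
    mask: int                  # resolved access mask
    object_guid: str           # child class / property / extended right, or ""
    inherited_object_guid: str # class the ACE is inherited by, or ""
    trustee: str               # SID or SDDL alias such as "DA"


def parse_mask(rights: str) -> int:
    """Resolve a rights field, either hex (0x...) or a run of 2-letter tokens."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS[rights[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> list:
    """Extract the ACEs of the DACL part of an SDDL string (SACL ignored)."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:  # conditional/unsupported ACE shapes are skipped
            continue
        ace_type, flags, rights, obj, inh_obj, trustee = fields[:6]
        aces.append(Ace(ace_type, flags, parse_mask(rights),
                        obj.lower(), inh_obj.lower(), trustee))
    return aces


def is_full_control(mask: int) -> bool:
    """GENERIC_ALL, or every specific + standard right spelled out explicitly."""
    return bool(mask & RIGHT_BITS["GA"]) or (mask & FULL_CONTROL) == FULL_CONTROL


def overbroad_grants(sddl: str, trustee: str) -> list:
    """Allow ACEs that hand `trustee` full control of the object."""
    return [a for a in parse_dacl(sddl)
            if a.trustee == trustee and a.ace_type in ("A", "OA")
            and is_full_control(a.mask)]


def creatable_classes(sddl: str, trustee: str) -> set:
    """Child object-class GUIDs `trustee` may create ('*' means any class)."""
    classes = set()
    for a in parse_dacl(sddl):
        if a.trustee != trustee or a.ace_type not in ("A", "OA"):
            continue
        if a.mask & (RIGHT_BITS["CC"] | RIGHT_BITS["GA"]):
            classes.add(a.object_guid or "*")
    return classes


if __name__ == "__main__":
    for name, dacl in (("narrow", NARROW_DACL), ("broad", BROAD_DACL)):
        print(name, "creatable:", creatable_classes(dacl, IT_GROUP_SID),
              "full-control ACEs:", len(overbroad_grants(dacl, IT_GROUP_SID)))
```

On a Samba DC the SDDL to feed in would come from the OU's nTSecurityDescriptor (for example via `samba-tool dsacl get`); the narrow DACL yields exactly the two class GUIDs and no full-control ACE, while the workaround DACL yields `*` and one flagged ACE, which is the condition to alert on when the wizard's narrow grants are not being honoured.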
Seems to be a problem in the security descriptor modules - assigning to the right maintainer.