Let's suppose we have the following OU: OU=Test,DC=Domain,DC=tld, which grants the create-child right to the group "Domain Users" but not the write right. Any user can create an object in this OU; once created, the object can't be deleted by the user due to default ACL inheritance. Let's suppose that you then modify the ACL of the OU to grant this group the right to write objects. On Windows I'll have the right to delete or modify the object; on Samba I don't.
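As an added illustration of the inheritance recalculation this report is about (my own simplified model, not Samba code): the child's nTSecurityDescriptor carries ACEs inherited from the OU, and a later change to the OU's ACL has to be propagated by rebuilding those inherited ACEs. Rights and flag names follow SDDL abbreviations; the OU layout and trustee names are constructed for the demo.

```python
from dataclasses import dataclass, replace

# Flags use SDDL names: CI = container inherit, OI = object inherit,
# ID = this ACE was inherited from the parent (not set explicitly here).
@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset            # e.g. {"CC"} create child, {"WP"} write property, {"SD"} delete
    flags: frozenset = frozenset()

def inheritable(ace):
    """Can this ACE flow down from a container to its children?"""
    return bool(ace.flags & {"CI", "OI"})

def recompute_inherited(child_dacl, parent_dacl):
    """Rebuild a child's DACL: keep its explicit ACEs, drop the stale
    inherited ones and re-derive them from the parent's current DACL.
    This is the step an originating update on the parent must trigger."""
    explicit = [a for a in child_dacl if "ID" not in a.flags]
    inherited = [replace(a, flags=a.flags | {"ID"})
                 for a in parent_dacl if inheritable(a)]
    return explicit + inherited

def effective_rights(dacl, trustee):
    """Union of rights granted to a trustee by this (allow-only) DACL."""
    rights = set()
    for ace in dacl:
        if ace.trustee == trustee:
            rights |= ace.rights
    return rights

def scenario():
    # Constructed OU DACL: Domain Users may only create children.
    ou = [Ace("Domain Users", frozenset({"CC"}), frozenset({"CI"}))]
    # Child SD as computed when the user creates the object.
    child = recompute_inherited([], ou)
    at_creation = effective_rights(child, "Domain Users")
    # Admin later grants write and delete on the OU.
    ou = ou + [Ace("Domain Users", frozenset({"WP", "SD"}), frozenset({"CI"}))]
    # Without recalculation the child keeps the old inherited ACEs.
    stale = effective_rights(child, "Domain Users")
    # With recalculation the child picks up the new inheritable ACEs.
    child = recompute_inherited(child, ou)
    after_recalc = effective_rights(child, "Domain Users")
    return at_creation, stale, after_recalc
```

The `stale` value is the behaviour reported for Samba, `after_recalc` the behaviour observed on Windows.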
Re-assigning to Metze.
I have some patches which fix it for originating updates: https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=9b17dfc1e0515deb25 The patches need some cleanup, and nTSecurityDescriptor recalculation on incoming replication is still missing. But the current state passes autobuild, including some new tests (SdAutoInheritTests).
Created attachment 8257 [details]: Patches for v4-0-test. Depends on https://bugzilla.samba.org/attachment.cgi?id=8256
Comment on attachment 8257 [details] (Patches for v4-0-test): ACK
==> Karolin for 4.0
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!