Bug 8868 - MS-DS-Machine-Account-Quota to allow normal users to join machine unsupported
Summary: MS-DS-Machine-Account-Quota to allow normal users to join machine unsupported
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: 4.13
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2012-04-17 07:45 UTC by Sergey Urushkin
Modified: 2020-06-23 16:31 UTC (History)

See Also:

script fixing acls (1.37 KB, text/plain)
2012-04-17 07:49 UTC, Sergey Urushkin

Description Sergey Urushkin 2012-04-17 07:45:19 UTC
Hi. There are some ldap acl issues in my recent test installation based on samba3upgrade.

samba --version
Version 4.0.0alpha20-GIT-b8dea7e

1. Default acls of w2k8r2 allow any user to add up to ten computers to the domain (objects with msds-creatorsid=usersid are counted). With default samba4 acls a user can't do it until he becomes a member of an administrators group. Even membership in the "account operators" group doesn't allow a user to add computers to the domain (the user can only re-add an existing computer; he has no rights to cn=computers). To fix this I need to grant rights to "add/remove computer objects" in cn=computers to "account operators". Next, if I grant permissions to add/remove computers to any other user (following http://support.microsoft.com/kb/932455) I get this when trying to join the domain using this user (xp machine):

The computer failed to join the domain. Please contact your domain
administrator and indicate that the computer failed to update the
dnshostname and/or servicePrincipalName (SPN) attribute in its Active
directory computer account. Once the problem is resolved, you may join the
computer to the domain.

Only granting full permissions to all objects (not computers only) inside cn=computers makes it work as it should. And also, after joining msds-creatorsid is not filled up.

Short: a) only administrators can add computers to the domain; b) insufficient "account operators" rights on "cn=computers"; c) joining the domain needs too wide rights; d) the msds-creatorsid attribute is not filled when adding a computer record

2. Now about users: default s4 user object permissions inside cn=users don't allow delegating rights to other users. Example: I delegated the "password reset" permission to some user for users inside the cn=users container via the dsa delegation wizard. After this, to actually make it work, I need to:
  a) reset acls to default for all users like this:
    dsacls "cn=someuser,cn=users,dc=telros,dc=ru" /resetdefaultdacl
  b) disable acl inheritance for all special user records (admins, special accounts) and set limited rights (for security reasons)

Also, "Account operators" don't have rights on cn=users (I need to add rights to add/remove computers,users,inetorgpersons)

3. Default "account operators" permissions after samba3upgrade for some partitions are too wide (compared to a w2k8r2 installation). I used the attached cmd script to fix it (maybe not all?).

Comment 1 Sergey Urushkin 2012-04-17 07:49:08 UTC
Created attachment 7458 [details]
script fixing acls
Comment 2 Björn Jacke 2020-06-23 16:29:49 UTC
The LDAP ACLs are set right at least in current Samba releases and with functional level 2008_R2.

What's still unsupported from this bug report is the MS-DS-Machine-Account-Quota attribute in conjunction with the mS-DS-CreatorSID to allow normal users to create computer accounts.
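The quota mechanism that the description (point 1) and Comment 2 refer to works by counting, per creating user, the computer objects whose mS-DS-CreatorSID holds that user's SID and comparing the count against ms-DS-MachineAccountQuota (10 by default on Windows). The script below is an added illustration of that counting rule, written for this page; it is not Samba code and not the reporter's attached script. The SID encoding follows the binary layout AD uses for the attribute, while the entries, SIDs and function names (`creator_usage`, `quota_allows_join`, `exhausted_creators`) are constructed for the example. From an operations point of view it doubles as an audit: it shows which non-administrative users have already consumed their quota.

```python
"""Added example (not Samba code): how the ms-DS-MachineAccountQuota
check works, using the counting rule the bug report describes."""
import struct
from collections import Counter
from typing import Dict, List, Optional

# Windows default; the attribute lives on the domain naming context head.
DEFAULT_MACHINE_ACCOUNT_QUOTA = 10


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string as the binary SID AD stores in
    mS-DS-CreatorSID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes: decode the binary form back to a string."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def creator_usage(computers: List[Dict[str, Optional[bytes]]]) -> Counter:
    """Count computer objects per creating user. On Windows only objects
    created through the quota path carry mS-DS-CreatorSID; objects created
    by someone holding an explicit 'create child' right have no value and
    therefore count against nobody."""
    usage: Counter = Counter()
    for obj in computers:
        raw = obj.get("mS-DS-CreatorSID")
        if raw:
            usage[bytes_to_sid(raw)] += 1
    return usage


def quota_allows_join(computers, user_sid: str,
                      quota: int = DEFAULT_MACHINE_ACCOUNT_QUOTA) -> bool:
    """True when a user without explicit create rights may still create
    one more computer object under the quota."""
    return creator_usage(computers)[user_sid] < quota


def exhausted_creators(computers,
                       quota: int = DEFAULT_MACHINE_ACCOUNT_QUOTA) -> List[str]:
    """Audit helper: creators that have already reached the quota."""
    return sorted(s for s, n in creator_usage(computers).items() if n >= quota)


# Constructed sample data standing in for an LDAP search result over
# cn=Computers returning dn and the binary mS-DS-CreatorSID attribute.
ALICE = "S-1-5-21-1004336348-1177238915-682003330-1105"  # constructed SID
BOB = "S-1-5-21-1004336348-1177238915-682003330-1106"    # constructed SID
SAMPLE_COMPUTERS = (
    [{"dn": "CN=PC%02d,CN=Computers,DC=example,DC=test" % i,
      "mS-DS-CreatorSID": sid_to_bytes(ALICE)} for i in range(10)]
    + [{"dn": "CN=LAB1,CN=Computers,DC=example,DC=test",
        "mS-DS-CreatorSID": sid_to_bytes(BOB)}]
    + [{"dn": "CN=DC1,CN=Computers,DC=example,DC=test",
        "mS-DS-CreatorSID": None}]  # created by an administrator
)

if __name__ == "__main__":
    for sid, n in creator_usage(SAMPLE_COMPUTERS).items():
        print("%s created %d computer object(s)" % (sid, n))
    print("alice may join another:", quota_allows_join(SAMPLE_COMPUTERS, ALICE))
    print("bob may join another:", quota_allows_join(SAMPLE_COMPUTERS, BOB))
    print("creators at quota:", exhausted_creators(SAMPLE_COMPUTERS))
```

Against real data the entries would come from an LDAP search of the Computers container requesting mS-DS-CreatorSID, and the quota from the ms-DS-MachineAccountQuota attribute of the domain object; a creator that shows up in `exhausted_creators` with machines nobody recognises is worth a closer look.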