Hi. There are some LDAP ACL issues in my recent test installation based on samba3upgrade.

samba --version
Version 4.0.0alpha20-GIT-b8dea7e

1. Default ACLs of w2k8r2 allow any user to add up to ten computers to the domain (objects with msds-creatorsid=usersid are counted). With default samba4 ACLs a user can't do it until he becomes a member of any administrators group. Even membership in the "account operators" group doesn't allow a user to add computers to the domain (the user can only re-add an existing computer; he has no rights to cn=computers). To fix this I need to grant rights to "add/remove computer objects" in cn=computers to "account operators".

Next, if I grant permissions to add/remove computers to any other user (following http://support.microsoft.com/kb/932455), I get this when trying to join the domain using this user (XP machine):

---
The computer failed to join the domain. Please contact your domain administrator and indicate that the computer failed to update the dnshostname and/or servicePrincipalName (SPN) attribute in its Active Directory computer account. Once the problem is resolved, you may join the computer to the domain.
---

Only granting full permissions to all objects (not computers only) inside cn=computers makes it work as it should. And also, after joining, msds-creatorsid is not filled in.

Short:
a) only administrators can add computers to the domain;
b) "account operators" rights to "cn=computers" are not sufficient;
c) joining the domain needs too wide rights;
d) the msds-creatorsid attribute is not filled in when adding a computer record.

2. Now about users: the default s4 user object permissions inside cn=users don't allow delegating rights to other users. Example: I delegated the "password reset" permission to some user for users inside the cn=users container via the DSA delegation wizard.

After this, to actually make it work, I need to:
a) reset ACLs to default for all users like this:
dsacls "cn=someuser,cn=users,dc=telros,dc=ru" /resetdefaultdacl
b) disable ACL inheritance for all special user records (admins, special accounts) and set limited rights (for security reasons).

Also, "Account operators" don't have rights on cn=users (I need to add rights to add/remove computers, users, inetOrgPersons).

3. Default "account operators" permissions after samba3upgrade for some partitions are too wide (compared to a w2k8r2 installation). I used the attached cmd script to fix it (maybe not all?).

Thanks.
Created attachment 7458: script fixing acls
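An added example, not from this report or from Samba, that models the quota rule the report describes (a user may create computers while fewer than ms-DS-MachineAccountQuota objects carry their SID in mS-DS-CreatorSID) and flags item d), computer objects whose creator was never stamped and therefore never count. The binary SID layout is the standard one assumed here, and the computer entries are constructed sample data.

```python
import struct
from collections import Counter

DEFAULT_QUOTA = 10  # ms-DS-MachineAccountQuota default on 2008 R2 (the "ten computers" above)

def sid_to_str(raw):
    """Binary SID -> S-1-5-...: revision, sub-auth count, 48-bit big-endian authority, LE sub-auths."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def str_to_sid(text):
    """Inverse of sid_to_str; only used to build the constructed sample below."""
    parts = text.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample of what a search over CN=Computers might return: cn plus the
# raw mS-DS-CreatorSID (empty when the join never stamped it, as in item d).
USER_SID = "S-1-5-21-1111-2222-3333-1105"
OTHER_SID = "S-1-5-21-1111-2222-3333-1204"
COMPUTERS = [
    {"cn": "WS-01", "mS-DS-CreatorSID": str_to_sid(USER_SID)},
    {"cn": "WS-02", "mS-DS-CreatorSID": str_to_sid(USER_SID)},
    {"cn": "WS-03", "mS-DS-CreatorSID": str_to_sid(USER_SID)},
    {"cn": "WS-04", "mS-DS-CreatorSID": str_to_sid(OTHER_SID)},
    {"cn": "WS-ORPHAN", "mS-DS-CreatorSID": b""},
]

def quota_report(computers):
    """Per-creator counts plus computers whose creator was never stamped (they escape the quota)."""
    per_creator, unstamped = Counter(), []
    for entry in computers:
        raw = entry.get("mS-DS-CreatorSID")
        if not raw:
            unstamped.append(entry["cn"])
            continue
        per_creator[sid_to_str(raw)] += 1
    return per_creator, unstamped

def join_allowed(computers, user_sid, quota=DEFAULT_QUOTA):
    """Quota rule: allowed while computers stamped with the user's SID are below the quota."""
    per_creator, _ = quota_report(computers)
    return per_creator[user_sid] < quota

if __name__ == "__main__":
    counts, missing = quota_report(COMPUTERS)
    print(dict(counts), missing, join_allowed(COMPUTERS, USER_SID))
```

Running it against a real directory means replacing COMPUTERS with the result of an LDAP search over CN=Computers that requests the mS-DS-CreatorSID attribute; a non-empty unstamped list is the symptom the report describes.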
The LDAP ACLs are set right at least in current Samba releases and with functional level 2008_R2. What's still unsupported from this bug report is the MS-DS-Machine-Account-Quota attribute in conjunction with the mS-DS-CreatorSID to allow normal users to create computer accounts.