Hi. There are some LDAP ACL issues in my recent test installation based on samba3upgrade.
1. The default ACLs of w2k8r2 allow any user to add up to ten computers to the domain (objects with msds-creatorsid=usersid are counted). With the default samba4 ACLs a user can't do it until he becomes a member of some administrators group. Even membership in the "account operators" group doesn't allow a user to add computers to the domain (the user can only re-add an existing computer; he has no rights to cn=computers). To fix this I need to grant "add/remove computer objects" rights in cn=computers to "account operators". Next, if I grant permissions to add/remove computers to any other user (following http://support.microsoft.com/kb/932455) I get this when trying to join the domain using this user (XP machine):
The computer failed to join the domain. Please contact your domain
administrator and indicate that the computer failed to update the
dnshostname and/or servicePrincipalName (SPN) attribute in its Active
directory computer account. Once the problem is resolved, you may join the
computer to the domain.
Only granting full permissions to all objects (not computers only) inside cn=computers makes it work as it should. Also, after joining, msds-creatorsid is not filled in.
In short: a) only administrators can add computers to the domain; b) the "account operators" rights on "cn=computers" are insufficient; c) joining the domain needs too-wide rights; d) the msds-creatorsid attribute is not filled in when adding a computer record.
2. Now about users: the default s4 user object permissions inside cn=users don't allow delegating rights to other users. Example: I delegated the "password reset" permission to some user for users inside the cn=users container via the DSA delegation wizard. After this, to actually make it work, I need to:
a) reset ACLs to default for all users like this:
dsacls "cn=someuser,cn=users,dc=telros,dc=ru" /resetdefaultdacl
b) disable ACL inheritance for all special user records (admins, special accounts) and set limited rights (for security reasons)
Also, "Account operators" don't have rights on cn=users (I need to add rights to add/remove computers, users and inetOrgPersons).
3. The default "account operators" permissions after samba3upgrade for some partitions are too wide (compared to a w2k8r2 installation). I used the attached cmd script to fix it (maybe not all of them?).
Created attachment 7458: script fixing acls
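What items 1 and 2 of the report come down to, after any dsacls change, is whether a token carrying the Account Operators SID is actually granted Create Child for the computer (and user/inetOrgPerson) classes on the container. The following is an added example, not code from the report, from the attached script, or from Samba: a small Python parser for the SDDL form of a DACL (the form printed by e.g. `samba-tool dsacl get`) plus a simplified create-child access check. The object-class GUIDs and SID aliases are the well-known AD/MS-DTYP values; the two descriptors, the token SIDs and the "before/after" story are constructed for illustration and are not Samba's or Windows' real defaults.

```python
"""Inspect an AD/Samba DACL in SDDL form and ask whether a security token may
create child objects of a given class under that container.

Added example for this bug thread; not code from the report, the attached
script, or Samba. Class GUIDs and SID aliases are well-known AD values; the
SDDL strings and SIDs at the bottom are constructed, not real defaults.
"""
import re

# SDDL two-letter SID aliases (subset) -> SIDs.
SDDL_SID_ALIASES = {
    "AO": "S-1-5-32-548",   # Account Operators
    "BA": "S-1-5-32-544",   # Builtin Administrators
    "SY": "S-1-5-18",       # Local System
    "AU": "S-1-5-11",       # Authenticated Users
    "WD": "S-1-1-0",        # Everyone
}

# schemaIDGUIDs of the object classes the report talks about.
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
INETORGPERSON_CLASS = "4828cc14-1437-45bc-9b07-ad6f015e5f28"
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"

# SDDL access-right mnemonics -> ACCESS_MASK bits (DS-specific and generic).
RIGHT_BITS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
CREATE_CHILD = RIGHT_BITS["CC"]
GENERIC_ALL = RIGHT_BITS["GA"]

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter SDDL codes ('CIIO') into ['CI', 'IO']."""
    if len(s) % 2:
        raise ValueError("odd-length SDDL code string: %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_rights(field):
    """Access mask from either hex ('0x3') or mnemonic ('CCDC') form."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for code in _pairs(field):
        if code not in RIGHT_BITS:
            raise ValueError("unknown access right %r" % code)
        mask |= RIGHT_BITS[code]
    return mask


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL descriptor as dicts, in on-disk order."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj_guid, inh_guid, sid = fields[:6]
        aces.append({
            "type": ace_type,
            "flags": set(_pairs(flags)),
            "mask": parse_rights(rights),
            "object": obj_guid.lower(),          # '' = applies to every class
            "inherit_object": inh_guid.lower(),
            "sid": SDDL_SID_ALIASES.get(sid, sid),
        })
    return aces


def can_create_child(aces, token_sids, class_guid):
    """Simplified AD access check for 'create a child of class_guid here'.

    ACEs are walked in order (a canonical DACL lists explicit denies before
    allows), so the first matching deny wins; inherit-only ACEs are skipped
    because they do not apply to the container itself; an empty object GUID
    means the ACE covers every child class. Generic All is the only generic
    right that maps to Create Child on a directory object.
    """
    class_guid = class_guid.lower()
    for ace in aces:
        if ace["sid"] not in token_sids or "IO" in ace["flags"]:
            continue
        if ace["object"] not in ("", class_guid):
            continue
        if not ace["mask"] & (CREATE_CHILD | GENERIC_ALL):
            continue
        if ace["type"] in ("D", "OD"):
            return False
        if ace["type"] in ("A", "OA"):
            return True
    return False


def missing_create_rights(sddl, token_sids, wanted):
    """Names of the classes in `wanted` (name -> GUID) the token cannot create."""
    aces = parse_dacl(sddl)
    return sorted(n for n, g in wanted.items()
                  if not can_create_child(aces, token_sids, g))


# Constructed container descriptor: only Authenticated Users (read) and
# Builtin Administrators (everything). Not a real Samba or Windows default.
BEFORE = ("O:BAG:BAD:PAI"
          "(A;;RPLCLORC;;;AU)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)")
# Same container with per-class Create/Delete Child ACEs for Account Operators,
# the kind of grant the report says it had to add by hand.
AFTER = BEFORE + ("(OA;;CCDC;%s;;AO)(OA;;CCDC;%s;;AO)(OA;;CCDC;%s;;AO)"
                  % (COMPUTER_CLASS, USER_CLASS, INETORGPERSON_CLASS))

# Token of an ordinary user who is a member of Account Operators (constructed SIDs).
OPERATOR = {"S-1-5-21-1111-2222-3333-1105", "S-1-5-32-548", "S-1-5-11"}
WANTED = {"computer": COMPUTER_CLASS, "user": USER_CLASS,
          "inetOrgPerson": INETORGPERSON_CLASS, "group": GROUP_CLASS}

if __name__ == "__main__":
    print("before:", missing_create_rights(BEFORE, OPERATOR, WANTED))
    print("after: ", missing_create_rights(AFTER, OPERATOR, WANTED))
```

The check is deliberately narrower than a real AD access check: it ignores owner-implied rights, validated writes and the full generic-to-specific mapping, so a True here only says the container's DACL contains a usable Create Child ACE for that class. It says nothing about the later steps of a join (the dNSHostName/SPN writes on the freshly created object) that the report's error message is about.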
The LDAP ACLs are set right, at least in current Samba releases and with functional level 2008_R2.
What's still unsupported from this bug report is the MS-DS-Machine-Account-Quota attribute in conjunction with mS-DS-CreatorSID, to allow normal users to create computer accounts.