Bug 8868 - Ldap acl issues after installation based on samba3upgrade
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Blocks:
Reported: 2012-04-17 07:45 UTC by Sergey Urushkin
Modified: 2012-11-07 19:22 UTC (History)

Attachments
script fixing acls (1.37 KB, text/plain), 2012-04-17 07:49 UTC, Sergey Urushkin

Description Sergey Urushkin 2012-04-17 07:45:19 UTC
Hi. There are some LDAP ACL issues in my recent test installation based on samba3upgrade.

samba --version
Version 4.0.0alpha20-GIT-b8dea7e

1. Default ACLs of w2k8r2 allow any user to add up to ten computers to the domain (objects with msds-creatorsid=usersid are counted). With the default Samba4 ACLs a user can't do it until he becomes a member of an administrators group. Even membership in the "Account Operators" group doesn't allow the user to add computers to the domain (the user can only re-add an existing computer; he has no rights on cn=computers). To fix this I need to grant "add/remove computer objects" rights on cn=computers to "Account Operators". Next, if I grant permissions to add/remove computers to any other user (following http://support.microsoft.com/kb/932455), I get this when trying to join the domain using this user (XP machine):

---

The computer failed to join the domain. Please contact your domain
administrator and indicate that the computer failed to update the
dnshostname and/or servicePrincipalName (SPN) attribute in its Active
directory computer account. Once the problem is resolved, you may join the
computer to the domain.

---

Only granting full permissions to all objects (not computers only) inside cn=computers makes it work as it should. And also, after joining, msds-creatorsid is not filled in.

In short: a) only administrators can add computers to the domain; b) insufficient "Account Operators" rights on "cn=computers"; c) joining the domain needs too wide rights; d) the msds-creatorsid attribute is not filled in when adding a computer record.

2. Now about users: the default S4 permissions on user objects inside cn=users don't allow delegating rights to other users. Example: I delegated the "password reset" permission to some user for users inside the cn=users container via the DSA delegation wizard. After this, to actually make it work, I need to:
  a) reset acls to default for all users like this:
    dsacls "cn=someuser,cn=users,dc=telros,dc=ru" /resetdefaultdacl
  b) disable acl inheritance for all special user records (admins, special accounts) and set limited rights (for security reasons)

Also, "Account Operators" don't have rights on cn=users (I need to add rights to add/remove computers, users, inetOrgPersons).

3. Default "Account Operators" permissions after samba3upgrade for some partitions are too wide (compared to a w2k8r2 installation). I used the attached cmd script to fix it (maybe not all of them?).

Thanks.
Comment 1 Sergey Urushkin 2012-04-17 07:49:08 UTC
Created attachment 7458 [details]
script fixing acls
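The report above describes three delegations and their outcome by trial: granting "add/remove computer objects" on cn=computers (item 1), the KB 932455 delegation that still fails on dnshostname/servicePrincipalName, and the "password reset" delegation on cn=users (item 2). Before and after changing a DACL with a script like the attached one, it helps to evaluate the resulting SDDL offline for a given user and its groups. The block below is an added example written for this page, not Samba's code and not the reporter's script. It parses an SDDL DACL and answers whether a set of SIDs gets a right (create child, write property, control access) scoped to an object-class, attribute or extended-right GUID, walking the ACEs in the order given so an explicit deny placed first wins and skipping inherit-only ACEs, which do not apply to the object carrying them. The domain SID, the user SID and all DACL strings are constructed for illustration; the class and rights GUIDs (computer class, dNSHostName, servicePrincipalName, User-Force-Change-Password) are the well-known schema values.

```python
import re

# Well-known SDDL trustee abbreviations that do not depend on the domain SID.
WELL_KNOWN_SIDS = {
    "AO": "S-1-5-32-548",  # Account Operators
    "BA": "S-1-5-32-544",  # Administrators (builtin)
    "SY": "S-1-5-18",      # Local System
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "CO": "S-1-3-0",       # Creator Owner
    "PS": "S-1-5-10",      # Principal Self
}
DOMAIN_RIDS = {"DA": 512, "DU": 513}  # Domain Admins, Domain Users (need the domain SID)

# Two-letter directory-service access-right codes used in the rights field.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

# Well-known schema and extended-right GUIDs referenced by the checks below.
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
DNS_HOST_NAME = "72e39547-7b18-11d1-adef-00c04fd8d5cd"        # attribute / validated write
SERVICE_PRINCIPAL_NAME = "f3a64788-5306-11d1-a9c5-0000f80367c1"
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"       # User-Force-Change-Password

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(field):
    """Turn a rights field such as 'CCDC' or '0x3' into an access mask."""
    if field[:2].lower() == "0x":
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def resolve_sid(token, domain_sid=None):
    """Map an SDDL trustee token to a SID string; DA/DU need the domain SID."""
    if token in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[token]
    if token in DOMAIN_RIDS and domain_sid:
        return "%s-%d" % (domain_sid, DOMAIN_RIDS[token])
    return token  # already a literal S-1-... SID (or an abbreviation we cannot resolve)


def parse_dacl(sddl, domain_sid=None):
    """Parse the ACEs of a DACL (leading 'D:' optional) in the order given."""
    body = sddl[2:] if sddl.startswith("D:") else sddl
    aces = []
    for m in ACE_RE.finditer(body):
        parts = m.group(1).split(";")
        if len(parts) < 6:
            raise ValueError("malformed ACE: (%s)" % m.group(1))
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        aces.append({
            "type": ace_type,
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "mask": parse_rights(rights),
            "object": obj_guid.lower() or None,   # None = applies to every object type
            "trustee": resolve_sid(trustee, domain_sid),
        })
    return aces


def has_right(sddl, trustee_sids, right, object_guid=None, domain_sid=None):
    """True if any SID in trustee_sids is granted `right` (a RIGHTS code) for
    `object_guid` (class, attribute or extended-right GUID; None = the untyped
    right) and no earlier matching deny ACE blocks it."""
    wanted = RIGHTS[right]
    sids = set(trustee_sids)
    guid = object_guid.lower() if object_guid else None
    for ace in parse_dacl(sddl, domain_sid):
        if "IO" in ace["flags"] or ace["trustee"] not in sids:
            continue                      # inherit-only, or not about this principal
        if not ace["mask"] & wanted:
            continue
        if ace["object"] is not None and ace["object"] != guid:
            continue                      # scoped to some other class/attribute/right
        if ace["type"] in ("D", "OD"):
            return False                  # explicit deny reached first
        if ace["type"] in ("A", "OA"):
            return True
    return False


# --- Constructed sample DACLs (illustrative only, not dumped from any server) ---
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
JOINER = DOMAIN_SID + "-1105"                             # the delegated ordinary user
JOINER_SIDS = [JOINER, DOMAIN_SID + "-513", "S-1-5-11"]   # plus Domain Users, Authenticated Users
# CN=Computers where only Domain Admins may create children.
COMPUTERS_BEFORE = "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
# The same container after a KB 932455-style delegation of create/delete computer objects.
COMPUTERS_AFTER = COMPUTERS_BEFORE + "(OA;;CCDC;%s;;%s)" % (COMPUTER_CLASS, JOINER)
# A new computer object that lets the joiner write the two attributes named in the join error, and one that does not.
COMPUTER_OBJ_OK = "(OA;;WP;%s;;%s)(OA;;WP;%s;;%s)" % (DNS_HOST_NAME, JOINER, SERVICE_PRINCIPAL_NAME, JOINER)
COMPUTER_OBJ_BARE = "(A;;RPLCLORC;;;AU)"


def join_checks(container_sddl, object_sddl, user_sids, domain_sid):
    """The rights the quoted join failure points at, evaluated for user_sids."""
    return {
        "create_computer": has_right(container_sddl, user_sids, "CC", COMPUTER_CLASS, domain_sid),
        "write_dnshostname": has_right(object_sddl, user_sids, "WP", DNS_HOST_NAME, domain_sid),
        "write_spn": has_right(object_sddl, user_sids, "WP", SERVICE_PRINCIPAL_NAME, domain_sid),
    }


if __name__ == "__main__":
    print("before:", join_checks(COMPUTERS_BEFORE, COMPUTER_OBJ_BARE, JOINER_SIDS, DOMAIN_SID))
    print("after: ", join_checks(COMPUTERS_AFTER, COMPUTER_OBJ_OK, JOINER_SIDS, DOMAIN_SID))
```

Feed `has_right` the DACL of the real container or object (for example the `nTSecurityDescriptor` of cn=computers rendered as SDDL) and the SIDs of the user plus every group it belongs to; the same call with `"CR"` and `RESET_PASSWORD` checks the password-reset delegation from item 2. The model is deliberately simple: it does not expand inheritance down from parent containers, so run it on the object whose DACL you actually changed.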