Hi all,

When a delegation of privileges to a particular OU is performed (using the AD Users and Computers utility), operations such as deletion result in:

ldap.INSUFFICIENT_ACCESS: {'info': 'dsdb_access: Access check failed on OU=My target OU,DC=...', 'desc': 'Insufficient access'}

Steps to reproduce:

1) Create a user account foo.
2) In AD Users and Computers, right-click on OU=Domain Users (or any other container that contains users), select Delegate Control, select the foo user and then from the common tasks list choose "Create, delete and manage user accounts".
3) Repeat the same procedure for the groups container (OU=Domain Groups) and delegate "Create, delete and manage groups".

Through the LDAP interface, bound as the foo user, new accounts can be created, but any attempt to delete them results in the above error message. Attributes can be modified, but any attempt to add a member to a group results in the error message (the privileges for the foo user are delegated to both the User and Group OU containers).

Also, during the delegation the permissions do not apply to existing objects in the OU container (only to newly created objects).

I have compared S4 behaviour with that of Server 2008R2 (same functional level) and:

1) The add, modify and delete operations complete successfully and do not show any errors.
2) Once the delegation is complete, the permissions are applied to existing and new objects in the given OU container.

Please let me know what other information you would like me to provide.

The experiments were conducted using the 4.0.0alpha19-GIT-e36622f version.

Regards
L
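The LDAP side of the repro above, as an added example that is not part of the bug report or of Samba itself: it binds as the delegated account over plain LDAP with System.DirectoryServices (no ADWS needed, so it works against a Samba DC as well as a Windows one), runs the add / modify / group-member / delete operations the reporter describes and reports which ones the server refuses, and first dumps the ACEs the delegated account holds on the OU and on a pre-existing child so you can see whether the delegation reached existing objects. The server name, DNs, account names and password are assumptions for illustration.

```powershell
# Added example (not from the bug report or Samba). Assumed names: dc1.example.com,
# DC=example,DC=com, the OUs from the report, account EXAMPLE\foo and its password,
# an existing user alice and a group testgroup.
Add-Type -AssemblyName System.DirectoryServices

$server   = 'dc1.example.com'
$baseDN   = 'DC=example,DC=com'
$userOU   = "OU=Domain Users,$baseDN"
$groupOU  = "OU=Domain Groups,$baseDN"
$fooUser  = 'EXAMPLE\foo'
$fooPass  = 'Secret123!'            # test credential, assumption
$existing = "CN=alice,$userOU"      # a user that existed BEFORE the delegation
$testGrp  = "CN=testgroup,$groupOU"

function Get-DelegatedAces {
    param([string]$Dn, [string]$Account)
    # Read with the current (admin) Windows credentials so nTSecurityDescriptor is visible.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$Dn")
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n='Object';e={$Dn}}, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, IsInherited, ObjectType, InheritedObjectType
}

# 1) ACEs for foo on the OU itself, then on a child created before the delegation.
#    If the second table is empty, the delegated ACEs did not reach existing objects.
Get-DelegatedAces -Dn $userOU   -Account $fooUser | Format-Table -AutoSize
Get-DelegatedAces -Dn $existing -Account $fooUser | Format-Table -AutoSize

# 2) Run the operations as foo and print which ones fail (access errors surface
#    as a DirectoryServicesCOMException from CommitChanges / Remove).
function Invoke-AsFoo {
    param([string]$Name, [scriptblock]$Action)
    try   { & $Action; '{0,-34} OK' -f $Name }
    catch { '{0,-34} FAILED: {1}' -f $Name, $_.Exception.Message }
}
function Bind-AsFoo ([string]$Dn) {
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$Dn", $fooUser, $fooPass)
}

$ou = Bind-AsFoo $userOU
$script:newUser = $null
Invoke-AsFoo 'add user CN=bar' {
    $script:newUser = $ou.Children.Add('CN=bar', 'user')
    $script:newUser.Properties['sAMAccountName'].Value = 'bar'
    $script:newUser.CommitChanges()
}
Invoke-AsFoo 'modify new user (description)' {
    $script:newUser.Properties['description'].Value = 'created by foo'
    $script:newUser.CommitChanges()
}
Invoke-AsFoo 'modify existing user alice' {
    $e = Bind-AsFoo $existing
    $e.Properties['description'].Value = 'touched by foo'
    $e.CommitChanges()
}
Invoke-AsFoo 'add member to testgroup' {
    $g = Bind-AsFoo $testGrp
    $g.Properties['member'].Add("CN=bar,$userOU") | Out-Null
    $g.CommitChanges()
}
Invoke-AsFoo 'delete user CN=bar' {
    $ou.Children.Remove($script:newUser)
}
```

Run it from a domain-joined Windows host with an admin logon for the ACE dump; the second half only uses foo's credentials, so the OK/FAILED lines are exactly what a delegated user would get over LDAP. Comparing the two tables (OU versus pre-existing child) against the same run on a Windows DC is the quickest way to show the "permissions do not apply to existing objects" half of the report.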
Yeah, delegation is still an unsupported feature. I'm reassigning to our ACL module maintainer.
Can you recheck with 4.0.0? We have fixed a lot of ACL bugs.
I tried it with s4 final yesterday: the group I had delegated the permissions to could edit most parts of the user. But when I open the "Account" tab, I get an error (German message: "Das angegebene Verzeichnisdienstattribut bzw. der angegebene Verzeichnisdienstwert ist bereits vorhanden"; in English something like: "The specified directory service attribute or directory service value already exists"). I also have a different bug report (https://bugzilla.samba.org/show_bug.cgi?id=9267) about delegating "join computers to domain": since rc6 the delegation works, but only for XP, not for W7.
Hi Metze, I will test it over the Christmas break and report the results.
Created attachment 8482 [details]
All ACL patches from master

My understanding from metze is that, with the ACL patches from master, this issue is resolved. Attaching cherry-picked patches from master for consideration for 4.0.2.
Comment on attachment 8482 [details]
All ACL patches from master

Looks good.
*** Bug 9267 has been marked as a duplicate of this bug. ***
Bug 9267 was marked as a duplicate of this one here, but the latest master version doesn't fix 9267.
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!