Bug 8909 - ACL problem with delegation of privileges and deletion of accounts over LDAP interface
Summary: ACL problem with delegation of privileges and deletion of accounts over LDAP ...
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: samba4-qa@samba.org
Depends on:
Blocks: 9306
  Show dependency treegraph
Reported: 2012-04-30 14:47 UTC by Lukasz Zalewski
Modified: 2013-01-28 19:03 UTC (History)
2 users (show)

See Also:

All ACL patches from master (124.57 KB, patch)
2013-01-25 02:48 UTC, Andrew Bartlett
metze: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Lukasz Zalewski 2012-04-30 14:47:24 UTC
Hi all,
When a delegation of privileges to a particular OU is performed (using AD Users and Computers utility) operations such as deletion, result in:

ldap.INSUFFICIENT_ACCESS: {'info': 'dsdb_access: Access check failed on OU=My target OU,DC=...', 'desc': 'Insufficient access'} 

Steps to reproduce:
1) Create a user account foo.
2) In AD Users and Computers, right click on OU=Domain Users (or any other container that contains users), select Delegate Control, select foo user and then from the common tasks list choose Create, delete and manage user accounts
3) Repeat the same procedure for groups container (OU=Domain Groups) and delegate Create, delete and manage groups

Through LDAP interface, bound as foo user, new accounts can be created, but any attempts to delete them results in the above error message.

Attributes can be modified, but any attempts to add a group member to a group results in the error message (the privileges for the foo user are delegated to both User and Group OU containers)

Also, during the delegation the permissions do not apply to existing objects in the OU container (only to the newly created objects)

I have compared S4 behaviour with that of Server 2008R2 (same functional level) and:
1) The add, modify and delete operations complete successfully and do not show any errors
2) Once the delegation is complete, the permissions are applied to existing and new objects in the give OU container

Please let me know what other information you would like me to provide

The experiments were conducted using 4.0.0alpha19-GIT-e36622f version


Comment 1 Matthias Dieter Wallnöfer 2012-04-30 15:03:33 UTC
Yeah, delegation is a still unsupported feature. I'm reassigning to our ACL module maintainer.
Comment 2 Stefan Metzmacher 2012-12-14 10:44:10 UTC
Can you recheck with 4.0.0? We have fixed a lot of ACL bugs
Comment 3 Marc Muehlfeld 2012-12-14 10:58:38 UTC
I tried it with s4 final yesterday: The group I had delegated the permissions to, could edit most parts of the user. But when I open the "account" tab, I get an error ("Das angegebene Verzeichnisdienstattribut bzw. der angegebene Verzeichnisdienstwert ist bereits vorhanden". In english something like: "The directory service attribute or directory service value is already existing").

I also have a different bug report (https://bugzilla.samba.org/show_bug.cgi?id=9267) about delegating "join computers to domain": Since rc6 the delegation works - but only for XP, not for W7.
Comment 4 Lukasz Zalewski 2012-12-14 17:26:30 UTC
Hi Metze,
I will test it over the Christmas break and report the results
Comment 5 Andrew Bartlett 2013-01-25 02:48:18 UTC
Created attachment 8482 [details]
All ACL patches from master

My understanding from metze is that with the ACL patches from master, this issue is resolved.

Attaching cherry-picked patches from master for consideration for 4.0.2.
Comment 6 Stefan Metzmacher 2013-01-25 08:04:02 UTC
Comment on attachment 8482 [details]
All ACL patches from master

Looks good
Comment 7 Stefan Metzmacher 2013-01-27 14:36:02 UTC
*** Bug 9267 has been marked as a duplicate of this bug. ***
Comment 8 Marc Muehlfeld 2013-01-28 09:29:45 UTC
Bug 9267 was marked as a duplicate of this one here. But the latest master version doesn't fix 9267.
Comment 9 Karolin Seeger 2013-01-28 10:12:15 UTC
Pushed to autobuild-v4-0-test.
Comment 10 Karolin Seeger 2013-01-28 19:03:01 UTC
Pushed to v4-0-test.
Closing out bug report.