Currently the update check only checks for a valid user, not if the user has permissions to actually create/modify a record.
Should be fixed before 4.0 final.
Fixed by 319b239dc4aeb2c6a928a70fc7a7dbad56d273cd
Kai, I misled you a little when I suggested this task is as simple as just checking the ACL. As I noticed when I started diving into the equivalent code in the bind9 dlz code, we need to actually impersonate the incoming user, or else we won't set owners correctly. This could then mean that a subsequent ACL check fails. Have a look over all the uses of 'session_info' in the dlz code, because we will need to do the same in your code. Then we really, really need tests. Perhaps added to smbtorture, what we need to do is create a record using libadds, then verify its ownership and the expected ACL AD using LDAP calls. (The advantage of an smbtorture test here is that you can run it against AD, and against bind9_dlz to ensure the test is correct). Thanks, Andrew Bartlett
Should be fixed in RC1