Hello Andreas,

On 06.05.2013 20:38, Andreas Krupp wrote:
> 1) Even if I give this service account "Full Control" on (2) where the
> users are, it only works with newly created users (the rights do not get
> inherited and I have not come across a good post on how to do that)
>
> 2) If I give rights to Read/Write the "memberOf" property, I have the
> same result - it simply does not work (I tried this by giving permissions on
> a single user and then trying to assign him to a group). Actually, even if I
> give "Full Control" on a single user, I cannot assign him one of my groups.
>
> Any hints of where or how I should approach this?


Have you seen the delegation wiki page?
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation

The example 'join machines as non-domain-admin permissions' works great here. I think you did the delegation in the same way, didn't you?

What version of Samba are you running on your DC, and with which version did you do the provisioning? There were some ACL changes during the past versions, because earlier versions don't set all permissions.

You can run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all ACLs on the directory to their defaults. This fixed the ACL/delegation problems I had here. But: You lose all existing delegations and have to re-create them! One more note about the reset: Run it multiple times, until there are no complaints about wrong ACLs any more. It may not fix everything on the first run (Bug #9786).

Make a backup of your installation before you reset - just to be safe :-)


Regards
Marc
