Re: [Samba] Samba4 & Delegation
Hi Marc,

I will give this another try with the options you have mentioned - however,
the same behavior is also present on a Microsoft Windows 2008 R2 Domain
Server with the AD at 2008 R2 compatibility level.

So for the moment, I have the impression that even Microsoft does not
encourage ownership and delegation of security group management in a simple
manner.

I will keep you posted - and well, I installed a "production" version for my
home network and am doing "Proof-of-Concepts" in a complete enterprise domain
environment. The stable releases work fine for the moment ;-)

Cheers & best!
Andreas

-Original Message-
Sent: Thursday, 15 August 2013 11:34
Subject: Re: [Samba] Samba4 & Delegation

Hello Andreas,

On 15.08.2013 11:07, Andreas Krupp wrote:
> For information, what I was trying to do was:
> - Create an OU for a group of applications
> - Delegate control of this OU to a normal user (not helpdesk or domain
> admin) to be able to create groups and assign domain users to them

- What were the exact steps you did?
- On what Samba version?
- Did you run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset
  the ACLs? This is recommended for 4.0.5 and higher, if you provisioned
  your domain with an earlier version, to fix missing ACLs. (If you haven't
  done so yet, remember that you'll lose your current delegations!)

> The problem was, whenever I used "Security Groups" the delegation did
> not work. Impossible for the user to whom I delegated group creation
> and modification rights of the OU to add or remove domain users.
>
> The work-around (since Security Groups are all too picky) --> Use
> "Distribution Groups".
> Once I created distribution groups in the OU I was able to freely
> assign users to them and remove them as required.
> Now this is definitely not best practice, but until the same is possible
> in an easy way with Security Groups this will well serve the purpose.

If it's reproducible, you should open a bug report with the exact steps and
a level 10 debug log, to get this fixed in future.

> PS: Marc thx a lot for your help before - since I read a bit more about
> GIT, I now understand much better the Samba4 building howto and how to
> get the latest stable version. It's all good now ;-)

If you are using versions from git, remember that they can contain code
that shouldn't be used for production yet.

Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 & Delegation
Hello Andreas,

On 15.08.2013 11:07, Andreas Krupp wrote:
> For information, what I was trying to do was:
> - Create an OU for a group of applications
> - Delegate control of this OU to a normal user (not helpdesk or domain
> admin) to be able to create groups and assign domain users to them

- What were the exact steps you did?
- On what Samba version?
- Did you run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset
  the ACLs? This is recommended for 4.0.5 and higher, if you provisioned
  your domain with an earlier version, to fix missing ACLs. (If you haven't
  done so yet, remember that you'll lose your current delegations!)

> The problem was, whenever I used "Security Groups" the delegation did
> not work. Impossible for the user to whom I delegated group creation
> and modification rights of the OU to add or remove domain users.
>
> The work-around (since Security Groups are all too picky) --> Use
> "Distribution Groups".
> Once I created distribution groups in the OU I was able to freely
> assign users to them and remove them as required.
> Now this is definitely not best practice, but until the same is possible
> in an easy way with Security Groups this will well serve the purpose.

If it's reproducible, you should open a bug report with the exact steps and
a level 10 debug log, to get this fixed in future.

> PS: Marc thx a lot for your help before - since I read a bit more about
> GIT, I now understand much better the Samba4 building howto and how to
> get the latest stable version. It's all good now ;-)

If you are using versions from git, remember that they can contain code
that shouldn't be used for production yet.

Regards,
Marc

Re: [Samba] Samba4 & Delegation
Hi,

It has been a while that I did not come back to this topic, however I think
I found a work-around for my initial problem.

For information, what I was trying to do was:
- Create an OU for a group of applications
- Delegate control of this OU to a normal user (not helpdesk or domain
  admin) to be able to create groups and assign domain users to them

The problem was, whenever I used "Security Groups" the delegation did not
work. Impossible for the user to whom I delegated group creation and
modification rights of the OU to add or remove domain users.

The work-around (since Security Groups are all too picky) --> Use
"Distribution Groups".
Once I created distribution groups in the OU I was able to freely assign
users to them and remove them as required.
Now this is definitely not best practice, but until the same is possible in
an easy way with Security Groups this will well serve the purpose.

Cheers & best,
Andreas

PS: Marc thx a lot for your help before - since I read a bit more about GIT,
I now understand much better the Samba4 building howto and how to get the
latest stable version. It's all good now ;-)

On 08 May 2013 23:00, Marc Muehlfeld has written:
> Hello Andreas,
>
> On 08.05.2013 20:08, Andreas Krupp wrote:
> > Thx a lot for the quick reply.
> > I will try to upgrade or possibly reinstall my Samba4 Instance.
> > At the moment the command returns me: 4.1.Opre1-GIT-5f2edd1
> > I guess that is not really right version or the latest release.
> > I tried your command to reset the ACLs but that command is not part of my
> > dbcheck. I tried and could not find your command in the list either. So I
> > am starting to think that my problems maybe come from the entire version.
> >
> > I will set up a VM, reinstall centos + samba4 and see if that works better
> > :)
>
> The '--reset-well-known-acls' option was introduced in 4.0.5 (this is
> the latest version).
>
> Maybe someone else on the list can say if you can switch from your git
> version to 4.0.5.
>
> Regards,
> Marc

Re: [Samba] Samba4 & Delegation
Hello Andreas,

On 08.05.2013 20:08, Andreas Krupp wrote:
> Thx a lot for the quick reply.
> I will try to upgrade or possibly reinstall my Samba4 Instance.
> At the moment the command returns me: 4.1.Opre1-GIT-5f2edd1
> I guess that is not really right version or the latest release.
> I tried your command to reset the ACLs but that command is not part of my
> dbcheck. I tried and could not find your command in the list either. So I
> am starting to think that my problems maybe come from the entire version.
>
> I will set up a VM, reinstall centos + samba4 and see if that works better
> :)

The '--reset-well-known-acls' option was introduced in 4.0.5 (this is the
latest version).

Maybe someone else on the list can say if you can switch from your git
version to 4.0.5.

Regards,
Marc

Re: [Samba] Samba4 & Delegation
Hello Andreas,

On 06.05.2013 20:38, Andreas Krupp wrote:
> 1) Even if I give this service account "Full Control" on (2) where the
> users are, it only works with newly created users (the rights do not get
> inherited and I have not come across a good post on how to do that)
> 2) If I give rights to Read/Write the "memberOf" property, I have the same
> result - it simply does not work (I tried this by giving permissions on a
> single user and then trying to assign him to a group). Actually, even if I
> give "Full Control" on a single user, I cannot assign him one of my groups.
>
> Any hints of where or how I should approach this?

Have you seen the delegation wiki page?
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation

The example 'join machines as non-domain-admin permissions' works great
here. I think you did the delegation in the same way, didn't you?

What version of Samba are you running on your DC and with which version did
you do the provisioning? There were some ACL changes during the past
versions, because earlier versions don't set all permissions.

You can run 'samba-tool dbcheck --reset-well-known-acls --fix' to reset all
ACLs on the directory to its default. This fixed the ACL/delegation problems
I had here. But: You lose all existing delegations and have to re-create
them!

One more note about the reset: Run it multiple times, until there are no
complaints about wrong ACLs any more. It maybe doesn't fix everything on the
first run (Bug #9786).

Make a backup of your installation before you reset - just to be safe :-)

Regards
Marc
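
Added example, not part of the thread and not Samba code: a small checker that reads the SDDL of an OU's security descriptor and reports whether a delegate's allow ACEs cover creating groups and writing the `member` attribute on the groups below the OU. Group membership is stored in the group's `member` attribute, and `memberOf` on the user is only its computed back link. The GUIDs are the well-known AD schema GUIDs; the SID, both SDDL strings and all function names are constructed for illustration.

```python
import re

# Well-known AD schema GUIDs and SDDL right codes (not taken from the thread).
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"  # objectClass "group"
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # attribute "member"
RIGHTS = {"CC": 0x1, "DC": 0x2, "RP": 0x10, "WP": 0x20, "GA": 0x10000000}

def codes(s):
    """Split an SDDL flag/right string such as 'CIIO' into {'CI', 'IO'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def mask(rights):
    """Access mask from two-letter SDDL codes or a hex literal."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    m = 0
    for c in codes(rights):
        m |= RIGHTS.get(c, 0)
    return m

def delegation_report(sddl, trustee_sid):
    """Summarise what the allow ACEs in an OU's SDDL grant trustee_sid.
    Deny ACEs and group memberships of the trustee are not evaluated."""
    report = {"create_group": False, "write_member_on_groups": False}
    for body in re.findall(r"\(([^()]*)\)", sddl):
        f = [x.strip() for x in body.split(";")]
        if len(f) != 6 or f[0] not in ("A", "OA") or f[5] != trustee_sid:
            continue
        flags, m, obj, inh = codes(f[1]), mask(f[2]), f[3].lower(), f[4].lower()
        full = bool(m & RIGHTS["GA"])
        # Create-child must apply to the OU itself, for all classes or "group".
        if (full or m & RIGHTS["CC"]) and "IO" not in flags and obj in ("", GROUP_CLASS):
            report["create_group"] = True
        # Write-property must inherit (CI) to group objects and cover "member".
        if ((full or m & RIGHTS["WP"]) and "CI" in flags
                and obj in ("", MEMBER_ATTR) and inh in ("", GROUP_CLASS)):
            report["write_member_on_groups"] = True
    return report

SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed delegate SID
# Constructed SDDL: create groups in the OU, write "member" on groups below it.
WORKING = ("O:DAG:DAD:AI(OA;CI;CCDC;%s;;%s)(OA;CIIO;RPWP;%s;%s;%s)"
           % (GROUP_CLASS, SID, MEMBER_ATTR, GROUP_CLASS, SID))
# Constructed SDDL: write "memberOf" on user objects only (user-class GUID).
MEMBEROF_ONLY = ("O:DAG:DAD:AI(OA;CIIO;RPWP;bf967991-0de6-11d0-a285-00aa003049e2;"
                 "bf967aba-0de6-11d0-a285-00aa003049e2;%s)" % SID)

print(delegation_report(WORKING, SID), delegation_report(MEMBEROF_ONLY, SID))
```

Comparing the report for an OU before and after an ACL reset also shows which delegation ACEs the reset removed and have to be re-created.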
