[Samba] Re: winbind nss info = rfc2307 doesn't work when users not in "Users" Container? - solved

Christoph Peus cp at uni-wh.de
Wed Oct 24 10:03:00 GMT 2007

Christoph Peus wrote:

> we have been using a samba setup with samba being an AD member, idmap 
> backend = ad and winbind nss info = rfc2307 for several month without 
> problems yet.
> But it turns out now that we cannot move useraccounts in AD from the
> original location
> "CN=Users,dc=uni-wh,dc=de"
> to a newly created OU
> "OU=uwhusers,dc=uni-wh,dc=de"
> because winbind doesn't get correct values for homedir and shell anymore:
> before: (correct output)
> lunkwill samba # getent passwd test
> test:*:51703:10645:test:/home/test:/bin/ksh
> after: (wrong output)
> lunkwill samba # getent passwd test
> test:*:51703:10645:test:/home/UWH/test:/bin/false

This turned out to be caused by insufficient permissions of the OU and 
could be solved by adding the "Read all attributes" right to all user 
objects in the group of "Authenticated Users".

This works for us now, but it should be added to the samba documentation 
which permissions at least must be given to which AD group to make the 
AD membership and "nss info = rfc2307" work, because the default 
permissions of a new OU are obviously insufficient. I guess that "Read 
all attributes" is much more than needed. (It's just ok for our setup 
without the risk of missing soemthing needed...)


More information about the samba mailing list