[Samba] Re: winbind nss info = rfc2307 doesn't work when users not in "Users" Container? - solved
Christoph Peus
cp at uni-wh.de
Wed Oct 24 10:03:00 GMT 2007
Christoph Peus wrote:
> we have been using a samba setup with samba being an AD member, idmap
> backend = ad and winbind nss info = rfc2307 for several months without
> problems yet.
> But it turns out now that we cannot move user accounts in AD from the
> original location
> "CN=Users,dc=uni-wh,dc=de"
> to a newly created OU
> "OU=uwhusers,dc=uni-wh,dc=de"
> because winbind doesn't get correct values for homedir and shell anymore:
>
> before: (correct output)
> lunkwill samba # getent passwd test
> test:*:51703:10645:test:/home/test:/bin/ksh
>
> after: (wrong output)
> lunkwill samba # getent passwd test
> test:*:51703:10645:test:/home/UWH/test:/bin/false
This turned out to be caused by insufficient permissions of the OU and
could be solved by adding the "Read all attributes" right to all user
objects in the group of "Authenticated Users".

This works for us now, but it should be added to the samba documentation
which permissions at least must be given to which AD group to make the
AD membership and "nss info = rfc2307" work, because the default
permissions of a new OU are obviously insufficient. I guess that "Read
all attributes" is much more than needed. (It's just ok for our setup
without the risk of missing something needed...)
Thanks!
Christoph
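
Added example (not part of the original post or of Samba): a shell check for the symptom described above, where winbind silently returns its template values instead of the rfc2307 attributes. It assumes Samba's default "template homedir = /home/%D/%U" and "template shell = /bin/false"; the function names and every sample account except "test" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Flags passwd entries whose home directory AND shell both equal winbind's
# template fallback, the symptom seen when the rfc2307 attributes cannot be read.
# Assumption: smb.conf keeps Samba's defaults
#   template homedir = /home/%D/%U     template shell = /bin/false

# find_template_fallbacks DOMAIN [TEMPLATE_SHELL]
# Reads passwd-format lines on stdin, prints the names of suspect accounts.
find_template_fallbacks() {
    awk -F: -v dom="$1" -v tshell="${2:-/bin/false}" '
        NF >= 7 {
            user = $1
            # Strip a domain prefix (DOMAIN\user), present when
            # "winbind use default domain" is not enabled.
            while ((i = index(user, "\\")) > 0)
                user = substr(user, i + 1)
            if ($6 == "/home/" dom "/" user && $7 == tshell)
                print $1
        }'
}

# Constructed sample input. Only the first line is taken from the post;
# the other accounts are made up for illustration.
sample_passwd() {
    cat <<'EOF'
test:*:51703:10645:test:/home/test:/bin/ksh
alice:*:51704:10645:alice:/home/UWH/alice:/bin/false
UWH\bob:*:51705:10645:bob:/home/UWH/bob:/bin/false
carol:*:51706:10645:carol:/home/UWH/carol:/bin/bash
EOF
}

# Run against the sample; on a domain member use instead:
#   getent passwd | find_template_fallbacks UWH
sample_passwd | find_template_fallbacks UWH
```

"getent passwd" lists domain users only when winbind user enumeration is enabled; otherwise pipe in the output of "getent passwd NAME" for each account to be checked.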