[Samba] winbind when machine account is not allowed to read users from ad
Andrew Bartlett
abartlet at samba.org
Sun Dec 8 11:07:13 MST 2013
On Tue, 2013-12-03 at 14:08 +0100, Stefan Heß wrote:
> HI,
>
> I want to use samba winbind (3.6.18 - Ubuntu) to login to a machine
> using ads. The problem I have is that the ad server (win 2008) does not
> grant read access to the user list for the machine account. Only each
> user can read his own entry. Due to the privacy police this behaviour
> can not be changed.
> How do I tell winbind to use the user account to look up the user and
> not use the machine account.
> Kerberos is working fine: kinit user at DOAIN.NET gives a ticket.
> Also ntlm_auth is also working:
> ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)
>
> wbinfo -u only show local users and old (deprecated) domain users.
> wbinfo -g works normal. (groups are readable by machine accounts)
>
> For idmap we use the rid mechanism.
>
> Has anybody a hint how to solve this issue?
Which type of login is this? Access over SMB or local user login?
Either way, this is a very interesting restriction we have not come
across before.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list