[Samba] winbind when machine account is not allowed to read users from ad

Andrew Bartlett abartlet at samba.org
Sun Dec 8 11:07:13 MST 2013

On Tue, 2013-12-03 at 14:08 +0100, Stefan Heß wrote:
> HI,
> I want to use samba winbind (3.6.18 - Ubuntu) to login to a machine
> using ads. The problem I have is that the ad server (win 2008) does not
> grant read access to the user list for the machine account. Only each
> user can read his own entry. Due to the privacy police this behaviour
> can not be changed.
> How do I tell winbind to use the user account to look up the user and
> not use the machine account.
> Kerberos is working fine: kinit user at DOAIN.NET gives a ticket.
> Also ntlm_auth is also working:
> ntlm_auth --username=USER -> NT_STATUS_OK: Success (0x0)
> wbinfo -u only show local users and old (deprecated) domain users.
> wbinfo -g works normal. (groups are readable by machine accounts)
> For idmap we use the rid mechanism.
> Has anybody a hint how to solve this issue?

Which type of login is this?  Access over SMB or local user login?

Either way, this is a very interesting restriction we have not come
across before. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list