Christoph Peus
2007-Oct-23 20:54 UTC
[Samba] winbind nss info = rfc2307 doesn't work when users not in "Users" Container?
Hi all,

we have been using a samba setup with samba being an AD member, idmap backend = ad and winbind nss info = rfc2307 for several months without problems yet. But it turns out now that we cannot move user accounts in AD from the original location

  "CN=Users,dc=uni-wh,dc=de"

to a newly created OU

  "OU=uwhusers,dc=uni-wh,dc=de"

because winbind doesn't get correct values for homedir and shell anymore:

before: (correct output)
lunkwill samba # getent passwd test
test:*:51703:10645:test:/home/test:/bin/ksh

after: (wrong output)
lunkwill samba # getent passwd test
test:*:51703:10645:test:/home/UWH/test:/bin/false

This is perfectly reproducible by moving accounts from the Users container to the OU and back again. I can't believe that this is by design... Any idea?

Our config: samba 3.0.24

security = ADS
password server = *
ldap ssl = no
idmap uid = 1000-60000
idmap gid = 1000-60000
idmap backend = ad
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 300

Thanks for your help!
Christoph
Christoph Peus
2007-Oct-24 10:03 UTC
[Samba] Re: winbind nss info = rfc2307 doesn't work when users not in "Users" Container? - solved
Christoph Peus wrote:
> we have been using a samba setup with samba being an AD member, idmap
> backend = ad and winbind nss info = rfc2307 for several months without
> problems yet.
> But it turns out now that we cannot move user accounts in AD from the
> original location
> "CN=Users,dc=uni-wh,dc=de"
> to a newly created OU
> "OU=uwhusers,dc=uni-wh,dc=de"
> because winbind doesn't get correct values for homedir and shell anymore:
>
> before: (correct output)
> lunkwill samba # getent passwd test
> test:*:51703:10645:test:/home/test:/bin/ksh
>
> after: (wrong output)
> lunkwill samba # getent passwd test
> test:*:51703:10645:test:/home/UWH/test:/bin/false

This turned out to be caused by insufficient permissions of the OU and could be solved by adding the "Read all attributes" right to all user objects in the group of "Authenticated Users".

This works for us now, but it should be added to the samba documentation which permissions at least must be given to which AD group to make the AD membership and "nss info = rfc2307" work, because the default permissions of a new OU are obviously insufficient. I guess that "Read all attributes" is much more than needed. (It's just ok for our setup without the risk of missing something needed...)

Thanks!
Christoph
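The symptom in this thread is easy to miss because winbind does not report a permission error: when the RFC2307 attributes are not readable, it silently substitutes its template homedir (/home/%D/%U by default) and template shell (/bin/false by default). The following check is an added example, not code from the thread or from Samba; it assumes those two defaults, the domain short name UWH from the output above, and the attribute names uidNumber, gidNumber, unixHomeDirectory and loginShell, and flags getent output that equals the template values so an admin can spot an unreadable OU before users lose their shell.

```python
"""Flag winbind 'template homedir'/'template shell' fallback in getent output,
which is what appears when winbind cannot read the RFC2307 attributes
(e.g. in a new OU whose ACL does not grant Authenticated Users read access).
Assumed defaults: template homedir = /home/%D/%U, template shell = /bin/false."""

# RFC2307 attributes winbind needs for 'winbind nss info = rfc2307'
RFC2307_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def parse_passwd_line(line):
    """Split one 'getent passwd' line into its seven named fields."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd line: %r" % line)
    keys = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    return dict(zip(keys, fields))


def expand_template(template, domain, user):
    """Expand the %D (domain) and %U (user) macros the way smb.conf does."""
    return template.replace("%D", domain).replace("%U", user)


def fallback_fields(line, domain, template_homedir="/home/%D/%U",
                    template_shell="/bin/false"):
    """Return the fields of a getent line that equal winbind's template values,
    i.e. where the RFC2307 attribute was most likely not readable."""
    entry = parse_passwd_line(line)
    hits = []
    if entry["home"] == expand_template(template_homedir, domain, entry["name"]):
        hits.append("home")
    if entry["shell"] == expand_template(template_shell, domain, entry["name"]):
        hits.append("shell")
    return hits


def missing_rfc2307_attrs(ldap_entry):
    """Given the attributes an LDAP search returned when run with the machine
    account's credentials, list the RFC2307 attributes that were not visible."""
    return [a for a in RFC2307_ATTRS if not ldap_entry.get(a)]


# Constructed sample input: the two getent lines quoted in the thread.
BEFORE = "test:*:51703:10645:test:/home/test:/bin/ksh"
AFTER = "test:*:51703:10645:test:/home/UWH/test:/bin/false"

# Constructed LDAP result for an object in a restricted OU: home and shell absent.
RESTRICTED_VIEW = {"sAMAccountName": ["test"], "uidNumber": ["51703"], "gidNumber": ["10645"]}

if __name__ == "__main__":
    print("before fallback fields:", fallback_fields(BEFORE, "UWH"))
    print("after fallback fields: ", fallback_fields(AFTER, "UWH"))
    print("unreadable attributes: ", missing_rfc2307_attrs(RESTRICTED_VIEW))
```

Run it against the real `getent passwd` output for a few accounts after moving them; any account that reports both home and shell as fallback is the cue to review the OU's ACL rather than the user objects themselves.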