Christoph Peus wrote:
We have been using a samba setup with samba being an AD member, idmap
backend = ad and winbind nss info = rfc2307 for several months without
problems so far.
But it turns out now that we cannot move user accounts in AD from the
original location
"CN=Users,dc=uni-wh,dc=de"
to a newly created OU
"OU=uwhusers,dc=uni-wh,dc=de"
because winbind doesn't get correct values for homedir and shell anymore:
before: (correct output)
lunkwill samba # getent passwd test
test:*:51703:10645:test:/home/test:/bin/ksh
after: (wrong output)
lunkwill samba # getent passwd test
test:*:51703:10645:test:/home/UWH/test:/bin/false
This turned out to be caused by insufficient permissions of the OU and
could be solved by adding the "Read all attributes" right to all user
objects in the group of "Authenticated Users".
This works for us now, but it should be added to the samba documentation
which permissions at least must be given to which AD group to make the
AD membership and "nss info = rfc2307" work, because the default
permissions of a new OU are obviously insufficient. I guess that "Read
all attributes" is much more than needed. (It's just ok for our setup
without the risk of missing something needed...)
Thanks!
Christoph
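
The "after" values in the post match Samba's defaults for `template homedir` (`/home/%D/%U`) and `template shell` (`/bin/false`), which winbind substitutes when it has no rfc2307 values for an account. The following is an added example, not part of the original post, that scans passwd entries for that pattern so accounts affected by an OU move can be spotted; the function names are hypothetical, the default templates are assumed, and all sample lines except the `test` entry are constructed.

```shell
#!/bin/sh
# Added example: flag passwd entries that look like winbind's template
# fallback instead of homedir/shell values read from AD (nss info = rfc2307).
# Assumption: smb.conf keeps the Samba defaults
#   template homedir = /home/%D/%U   and   template shell = /bin/false

# find_template_fallback DOMAIN   (hypothetical helper name)
# Reads passwd(5)-format lines on stdin and prints the login name of every
# account whose homedir is /home/DOMAIN/<user> and whose shell is /bin/false.
find_template_fallback() {
    awk -F: -v dom="$1" '
        NF != 7 { next }                 # ignore malformed lines
        {
            user = $1
            # Without "winbind use default domain" the name is DOMAIN\user;
            # %U expands to the bare user name, so strip the prefix.
            while ((i = index(user, "\\")) > 0)
                user = substr(user, i + 1)
            if ($6 == ("/home/" dom "/" user) && $7 == "/bin/false")
                print $1
        }'
}

# Constructed sample input. Only the "test" line is taken from the post.
sample_passwd() {
    cat <<'EOF'
alice:*:51701:10645:alice:/home/alice:/bin/ksh
test:*:51703:10645:test:/home/UWH/test:/bin/false
svc:*:51710:10645:svc:/home/svc:/bin/false
UWH\carol:*:51711:10645:carol:/home/UWH/carol:/bin/false
EOF
}

# "svc" is not reported: /bin/false alone can be a deliberate AD setting,
# so both fields must match the templates before an account is flagged.
sample_passwd | find_template_fallback UWH
```

On a member server the same check runs against live data with `getent passwd | find_template_fallback UWH`, where `UWH` is the short domain name seen in the post's output.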