Bug 5964 - Windows2003R2-sp2 OU must have "authenticated users" read access for winbindd see users in it.
Summary: Windows2003R2-sp2 OU must have "authenticated users" read access for winbindd...
Status: NEW
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.2.4
Hardware: x86 Linux
: P3 minor
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-13 09:04 UTC by Erik Sørnes
Modified: 2009-05-13 03:57 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Erik Sørnes 2008-12-13 09:04:06 UTC 
When "authticated users" are denied read access on (or removed entirely from) a windows 20003R2-sp2 active directory OU, users in that OU are no longer accessible to winbind,
Example
: getent passwd -u <username i said OU> does no longer work
: chown <username i said OU> does no longer work
: users in said OU can no longer access domain-member-samba-servers' shares from their windowsXP/2003R2 workstaitions (they have no problem loggging on to the domain with thier workstaitions and access shares on windows file servers).

Windows XP/2003R2 -clients and -fileservers are fully able to access user in that OU, even with "authenticated users" removed.

Is this a bug in SAMBA, since it works from windows? Or is it a bug in windows or something else?

We are not able to reproduce the problem in a windows2003 (not R2) sp1 domain,  but we dont know if this has to do with sp1/sp2 or windows2003/windows2003R2 (or maby something else -- the windows2003 domain are in forrest mixed mode, while windows2003R2 are in forrest native mode).

-kind regards 
Erik
Comment 1 Erik Sørnes 2008-12-13 09:14:40 UTC 
Our linux servers are all joined to the domain with "net ads join" (kerberos/ads)