Chris Hastie
2016-Feb-16 15:32 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/2016 14:55, Rowland penny wrote:
> This is strange, just logging in shouldn't create a user in AD and when
> you see MYDOMAIN\chris this is just winbind i.e.
>
> How are you logging into the DC that causes the creation of a user in AD ?

From another machine, in an Ubuntu terminal

ssh chris@dc.domain

No keys, just typing the password when prompted. The only odd thing is
that I'm doing it from root, just to avoid ssh using a key if I do it
from my own account, since this whole saga started with passwords.

Rowland penny
2016-Feb-16 16:01 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 15:32, Chris Hastie wrote:
> On 16/02/2016 14:55, Rowland penny wrote:
>> This is strange, just logging in shouldn't create a user in AD and when
>> you see MYDOMAIN\chris this is just winbind i.e.
>>
>> How are you logging into the DC that causes the creation of a user in
>> AD ?
> From another machine, in an Ubuntu terminal
>
> ssh chris@dc.domain
>
> No keys, just typing the password when prompted. The only odd thing is
> that I'm doing it from root, just to avoid ssh using a key if I do it
> from my own account, since this whole saga started with passwords.
>

This shouldn't do anything to AD, in fact if the user didn't exist, you
should get access denied.

Do you have the ldb-tools package installed on the DC ? if not can you
install it, then run this command:

ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=*))' | grep chris

Can you post the results.

Rowland

Chris Hastie
2016-Feb-16 16:29 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 16:01, Rowland penny wrote:
> Do you have the ldb-tools package installed on the DC ? if not can you
> install it, then run this command:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectclass=user)(samaccountname=*))' | grep chris
>
> Can you post the results.

Here you go, without any changes to generic names (ie I've kept my
actual domain name of NUMBER37 instead of changing it to MYDOMAIN):

dn: CN=NUMBER37chris,CN=Users,DC=ad,DC=oak-wood,DC=co,DC=uk
cn: NUMBER37chris
name: NUMBER37chris
sAMAccountName: NUMBER37\chris
distinguishedName: CN=NUMBER37chris,CN=Users,DC=ad,DC=oak-wood,DC=co,DC=uk
dn: CN=chris,CN=Users,DC=ad,DC=oak-wood,DC=co,DC=uk
cn: chris
name: chris
sAMAccountName: chris
unixHomeDirectory: /home/chris
distinguishedName: CN=chris,CN=Users,DC=ad,DC=oak-wood,DC=co,DC=uk
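
The following is an added example, not from either poster or from the Samba project: it parses ldbsearch LDIF output and lists accounts whose sAMAccountName contains a character Microsoft documents as invalid for that attribute, such as the backslash in the NUMBER37\chris entry above. The sample records, the example.test domain and the function names are constructed for illustration.

```python
import base64
import re

# Characters Microsoft documents as invalid in a sAMAccountName.
INVALID = set('"/\\[]:;|=,+*?<>')

# Constructed sample in ldbsearch's LDIF shape (not output from the thread).
SAMPLE = r"""# record 1
dn: CN=alice,CN=Users,DC=ad,DC=example,DC=test
sAMAccountName: alice

# record 2
dn: CN=EXAMPLEalice,CN=Users,DC=ad,DC=example,DC=test
sAMAccountName: EXAMPLE\alice

# record 3
dn: CN=bob,CN=Users,DC=ad,DC=example,
 DC=test
sAMAccountName:: Ym9i
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record."""
    # RFC 2849: a line starting with a single space continues the previous one.
    text = re.sub(r"\n ", "", text)
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            rec.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in rec:
            records.append(rec)
    return records

def suspicious_accounts(text):
    """Return (dn, sAMAccountName, offending characters) for each flagged name."""
    hits = []
    for rec in parse_ldif(text):
        for name in rec.get("samaccountname", []):
            bad = sorted(INVALID.intersection(name))
            if bad:
                hits.append((rec["dn"][0], name, "".join(bad)))
    return hits
```

Pass it the full ldbsearch output rather than the grep-filtered lines, since the parser relies on the blank lines between records to tell accounts apart.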