Rowland Penny
2016-Sep-06 14:10 UTC
[Samba] Winbind / Samba auth problem after username change
On Tue, 6 Sep 2016 13:59:43 +0000 Julian Zielke via samba <samba at lists.samba.org> wrote:> BTW, this is our smb.conf: > > # Global parameters > [global] > workgroup = mydomain > realm = mydomain.local > netbios name = myhostname > server string = Samba AD Client Version %v > security = ads > password server = dc03, dc04, dc01, dc02, *You should let Samba find the password server, so I would change the above to just 'password server = *', which is a default setting, so you might as well delete the line.> server role = standalone serverNo, if you use 'security = ads' then it is 'server role = member server'> > winbind separator = + > winbind enum users = yes > winbind enum groups = yes > winbind use default domain = noThis is the default setting.> winbind refresh tickets = Yes > winbind offline logon = true > winbind nested groups = yes > > template shell = /bin/bash > > idmap config * : range = 16777216-33554431 > idmap config mydomain : backend = rid > idmap config mydomain : range = 16777216-33554431And this is a no-no, the ranges must not overlap, never mind overlap, yours are the same.> > log file = /var/log/samba/log.%m > max log size = 1000 > printing = bsd > printcap name = /dev/null > > >Rowland
Julian Zielke
2016-Sep-06 14:56 UTC
[Samba] Winbind / Samba auth problem after username change
OK, I've commented out that line, leaving only:> idmap config mydomain : backend = rid > idmap config mydomain : range = 16777216-33554431in the config file. Also I did a net cache flush and deleted the database files at /var/lib/samba. Still nothing...same old username when querying the new one using getent passwd. I noticed the user having an ID of 4294967295 which exceeds the limit in the config file. Is this normal? Also I created a new domain user which could log in, changed the name and the same happened.> -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland Penny via samba > Gesendet: Dienstag, 6. September 2016 16:10 > An: samba at lists.samba.org > Betreff: Re: [Samba] Winbind / Samba auth problem after username change > > On Tue, 6 Sep 2016 13:59:43 +0000 > Julian Zielke via samba <samba at lists.samba.org> wrote: > > > BTW, this is our smb.conf: > > > > # Global parameters > > [global] > > workgroup = mydomain > > realm = mydomain.local > > netbios name = myhostname > > server string = Samba AD Client Version %v > > security = ads > > password server = dc03, dc04, dc01, dc02, * > > You should let Samba find the password server, so I would change the > above to just 'password server = *', which is a default setting, so > you might as well delete the line. > > > server role = standalone server > > No, if you use 'security = ads' then it is 'server role = member server' > > > > > winbind separator = + > > winbind enum users = yes > > winbind enum groups = yes > > winbind use default domain = no > > This is the default setting. > > > winbind refresh tickets = Yes > > winbind offline logon = true > > winbind nested groups = yes > > > > template shell = /bin/bash > > > > idmap config * : range = 16777216-33554431 > > idmap config mydomain : backend = rid > > idmap config mydomain : range = 16777216-33554431 > > And this is a no-no, the ranges must not overlap, never mind overlap, > yours are the same. > > > > > log file = /var/log/samba/log.%m > > max log size = 1000 > > printing = bsd > > printcap name = /dev/null > > > > > > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/sambaWichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.
Rowland Penny
2016-Sep-06 15:07 UTC
[Samba] Winbind / Samba auth problem after username change
On Tue, 6 Sep 2016 14:56:20 +0000 Julian Zielke <jzielke at next-level-integration.com> wrote:> OK, I've commented out that line, leaving only: > > > idmap config mydomain : backend = rid > > idmap config mydomain : range = 16777216-33554431 > > in the config file. > > Also I did a net cache flush and deleted the database files > at /var/lib/samba. Still nothing...same old username when querying > the new one using getent passwd. I noticed the user having an ID of > 4294967295 which exceeds the limit in the config file. Is this > normal? Also I created a new domain user which could log in, changed > the name and the same happened. > >So, 'getent passwd oldusername' produces a result, so where is it coming from ? Have you checked /etc/passwd ? What is in the 'passwd' and 'group' lines in /etc/nsswitch.conf ? You say that this computer is using winbind and not sssd, if so, can I suggest you have a look here: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member Rowland