Julian Zielke
2016-Sep-06 08:46 UTC
[Samba] Winbind / Samba auth problem after username change
Hi Rowland,

we're using the Windows mmc for administrating samba sernet DCs running samba-sernet-ad 4.2.11-9. 4 Domain controllers are present. Primary DC replicates to a second in our local office and to 2 others in a vpn connected network. Changes are made on our primary dc always. DC 3 and 4 and the primary and secondary DC are responsible for ssh authentication on our linux boxes having the problem.

Cheers,
Julian

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
Sent: Tuesday, 6 September 2016 10:31
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

On Tue, 6 Sep 2016 08:17:12 +0000
Julian Zielke via samba <samba at lists.samba.org> wrote:

> Hi,
>
> before we switched to SSSD we've been implementing the ssh
> authentication method via Domain using winbind+samba. Version
> installed on our machines is (still) 2:4.1.6+dfsg-1ubuntu2.14.04.13.
> So far everything has been working fine, however after we had to
> change a user's logon name in the domain he can't login anymore.
> auth.log shows still his old username followed by "from <IP> not
> allowed because none of user's groups are listed in AllowGroups". I
> searched several websites for a solution but only found
> recommendations on deleting the winbind cache at /var/lib/samba.
> However this didn't fix the problem. When I do a grep using getent
> passwd on the user's NEW name, it shows up. So actually the domain
> controllers are delivering the correct username.
>
> Is this a known bug in version 4.1.6 or can I solve this any other way
> without running a package upgrade on a production machine?
>
> Cheers
> Julian

How did you change the user's logon name ?
Have you checked the user's object in AD ?

Rowland
mathias dufresne
2016-Sep-06 09:04 UTC
[Samba] Winbind / Samba auth problem after username change
My bad, it seems to be an ssh configuration: http://askubuntu.com/questions/545058/ssh-allow-windows-ad-groupswith-special-charactors

2016-09-06 10:46 GMT+02:00 Julian Zielke via samba <samba at lists.samba.org>:
Julian Zielke
2016-Sep-06 09:20 UTC
[Samba] Winbind / Samba auth problem after username change
Hi Mathias,

well we've allowed the sshd to give access to the group domain users. All other users are working fine so it shouldn't be an error within sshd.conf. The only difference is appearing in the auth.log where just for the user with the changed name the old username appears first, followed by some more lines (requesting password) for the new username. It's like this: user tries to login with new username > sshd sends login to winbind/samba > winbind/samba somehow links this login to old username > auth.log shows old username being not part of any group (of course, the user doesn't exist with that name anymore). I know every user in winbind is linked to a unique UID so maybe winbind looks up the same UID which the older user had but now the new username matching the same UID confuses the service. There must be some kind of cache because on another machine running the same authentication method the old username doesn't show up (probably because the user never logged in there with his old name so the "cache" is clean).

Cheers,
Julian

From: mathias dufresne [mailto:infractory at gmail.com]
Sent: Tuesday, 6 September 2016 11:05
To: Julian Zielke <jzielke at next-level-integration.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change
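The AllowGroups rejection Julian quotes from auth.log is worth watching on its own: when it names an account that `getent passwd` no longer returns, that is exactly the stale-name symptom this thread describes. The following is an added example, not code from the thread or from Samba, that parses such sshd lines and flags rejected names that are missing from a constructed stand-in for the current getent output; the log lines, IPs and account names are constructed placeholders.

```python
import re
from collections import defaultdict

# sshd's AllowGroups rejection message, in the form quoted in this thread.
# \S+ also matches winbind-style names such as DOMAIN\user or DOMAIN+user.
ALLOWGROUPS_RE = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) from (?P<ip>\S+) not allowed "
    r"because none of user's groups are listed in AllowGroups"
)

def parse_allowgroups_rejections(log_text):
    """Return (user, ip) pairs for every AllowGroups rejection in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = ALLOWGROUPS_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits

def stale_names(rejections, known_users):
    """Count rejected names that the NSS/winbind lookup no longer returns.

    known_users stands in for the names `getent passwd` currently lists.
    A rejected name absent from it points at a stale cache entry or at a
    client still presenting a renamed account's old logon name.
    """
    counts = defaultdict(int)
    for user, _ip in rejections:
        if user not in known_users:
            counts[user] += 1
    return dict(counts)

# Constructed sample auth.log lines (not from the thread); placeholders only.
SAMPLE_LOG = """\
Sep  6 09:10:01 host sshd[2101]: User jdoe.old from 192.0.2.10 not allowed because none of user's groups are listed in AllowGroups
Sep  6 09:10:05 host sshd[2101]: Failed password for invalid user jdoe.old from 192.0.2.10 port 51234 ssh2
Sep  6 09:12:44 host sshd[2150]: Accepted publickey for asmith from 192.0.2.11 port 51300 ssh2
Sep  6 09:13:02 host sshd[2160]: User jdoe.old from 192.0.2.10 not allowed because none of user's groups are listed in AllowGroups
Sep  6 09:15:30 host sshd[2170]: User contractor from 198.51.100.7 not allowed because none of user's groups are listed in AllowGroups
"""

# Constructed stand-in for the account names `getent passwd` returns today.
KNOWN_USERS = {"jdoe.new", "asmith", "contractor"}

if __name__ == "__main__":
    rejections = parse_allowgroups_rejections(SAMPLE_LOG)
    for user, n in stale_names(rejections, KNOWN_USERS).items():
        print(f"{user}: {n} AllowGroups rejection(s); name not in getent passwd")
```

On a real host, feed it `/var/log/auth.log` and build `KNOWN_USERS` from `getent passwd` output; a name that shows up here but not in getent is the one to chase through the winbind cache on that particular box.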