Julian Zielke
2016-Sep-06 09:15 UTC
[Samba] Winbind / Samba auth problem after username change
Hi Mathias,

thanks for your advice on how to use getent. However you’re mentioning SSSD which is working fine. I was referring to it because we changed to that method lately but the server having the problem is NOT using this new method but the old winbind+samba combination.

Sorry if it was confusing.

Cheers,
Julian

From: mathias dufresne [mailto:infractory at gmail.com]
Sent: Tuesday, 6 September 2016 10:44
To: Julian Zielke <jzielke at next-level-integration.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

Hi,

You had a working environment using Winbind to retrieve user from AD. You had to change that and now you have replaced Winbind by SSSD. You changed some user names, those can't login any more. When using "getent passwd | grep <username>" you have response.

A small note: rather than "getent passwd | grep <username>" which is resource consuming you can do "getent passwd <username>". You ask here for one user only which needs less resources, you should have one line as a response.

For me your configuration is almost good, at least for the part which is responsible to retrieve users from the domain. It seems you are lacking some configuration to tell SSSD which group can login (because of "not allowed because none of user's groups are listed in AllowGroups").

Add some groups in "AllowGroups" or don't use that feature. That should let your users log in.

Cheers,
M.

2016-09-06 10:17 GMT+02:00 Julian Zielke via samba <samba at lists.samba.org>:

Hi,

before we switched to SSSD we've been implementing the ssh authentication method via Domain using winbind+samba. Version installed on our machines is (still) 2:4.1.6+dfsg-1ubuntu2.14.04.13.

So far everything has been working fine, however after we had to change a user's logon name in the domain he can't login anymore.

auth.log shows still his old username followed by "from <IP> not allowed because none of user's groups are listed in AllowGroups".

I searched several websites for a solution but only found recommendations on deleting the winbind cache at /var/lib/samba. However this didn't fix the problem.

When I do a grep using getent passwd on the user's NEW name, it shows up. So actually the domain controllers is delivering the correct username.

Is this a known bug in version 4.1.6 or can I solve this any other way without running a package upgrade on a production machine?

Cheers
Julian
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Sep-06 09:36 UTC
[Samba] Winbind / Samba auth problem after username change
On Tue, 6 Sep 2016 09:15:09 +0000 Julian Zielke via samba <samba at lists.samba.org> wrote:

> Hi Mathias,
>
> thanks for your advice on how to use getent. However you’re
> mentioning SSSD which is working fine. I was referring to it because
> we changed to that method lately but the server having the problem is
> NOT using this new method but the old winbind+samba combination.
>
> Sorry if it was confusing.
>
> Cheers,
> Julian

If you are using a fairly recent version of sssd, you are using a version of a Samba winbind lib, so just changing to sssd shouldn't give problems.

First and foremost, all your users & groups are stored in AD as windows users & groups i.e. they have a SID-RID

So if you change a login name, it shouldn't affect anything else, so when I asked how you changed the login name, perhaps I should have asked, what did you change ?

Rowland
Julian Zielke
2016-Sep-06 10:58 UTC
[Samba] Winbind / Samba auth problem after username change
Well we've changed the logon name (SAMAccountName) and the Name and Surname of the user object.

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Tuesday, 6 September 2016 11:37
To: samba at lists.samba.org
Cc: Julian Zielke <jzielke at next-level-integration.com>
Subject: Re: [Samba] Winbind / Samba auth problem after username change

On Tue, 6 Sep 2016 09:15:09 +0000 Julian Zielke via samba <samba at lists.samba.org> wrote:

> Hi Mathias,
>
> thanks for your advice on how to use getent. However you’re mentioning
> SSSD which is working fine. I was referring to it because we changed
> to that method lately but the server having the problem is NOT using
> this new method but the old winbind+samba combination.
>
> Sorry if it was confusing.
>
> Cheers,
> Julian

If you are using a fairly recent version of sssd, you are using a version of a Samba winbind lib, so just changing to sssd shouldn't give problems.

First and foremost, all your users & groups are stored in AD as windows users & groups i.e. they have a SID-RID

So if you change a login name, it shouldn't affect anything else, so when I asked how you changed the login name, perhaps I should have asked, what did you change ?

Rowland
mathias dufresne
2016-Sep-06 11:30 UTC
[Samba] Winbind / Samba auth problem after username change
Hum...

All users are OK except the one(s) you changed their names. No other modification in configuration, all other users are working well. Is that true?

This broken user is correctly shown using "getent passwd <NEW username>"? Is that true?

Can you use that user on system side, I would try, as root, "su - <NEW username>". This last test is to verify all is well configured about that user with new name. If it complains about missing home directory or anything else, that could be the cause SSH refuses to let that user connect on the system.

2016-09-06 11:36 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 6 Sep 2016 09:15:09 +0000
> Julian Zielke via samba <samba at lists.samba.org> wrote:
>
> > Hi Mathias,
> >
> > thanks for your advice on how to use getent. However you’re
> > mentioning SSSD which is working fine. I was referring to it because
> > we changed to that method lately but the server having the problem is
> > NOT using this new method but the old winbind+samba combination.
> >
> > Sorry if it was confusing.
> >
> > Cheers,
> > Julian
>
> If you are using a fairly recent version of sssd, you are using a
> version of a Samba winbind lib, so just changing to sssd shouldn't give
> problems.
>
> First and foremost, all your users & groups are stored in AD as windows
> users & groups i.e. they have a SID-RID
> So if you change a login name, it shouldn't affect anything else, so
> when I asked how you changed the login name, perhaps I should have
> asked, what did you change ?
>
> Rowland
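
The denial quoted in this thread is sshd's AllowGroups check, so one way to see what sshd is working with is to take the name it logged and compare the groups NSS returns for that name with the configured patterns. The script below is an added example, not part of the original thread; the function names, the file paths in the usage line and the simplified pattern handling (no Match blocks, no "!" negation) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and names are assumptions.

# Names sshd logged in AllowGroups denials, one per line.
denied_users() {
  sed -n "s/.*User \(.*\) from [^ ]* not allowed because none of user's groups are listed in AllowGroups.*/\1/p" "$1" | sort -u
}

# AllowGroups patterns from an sshd_config, one per line.
# Assumption: Match blocks are not interpreted.
allow_groups() {
  awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Group names NSS (winbind) returns for user $1, one per line. Resolving by
# GID keeps group names that contain spaces intact.
user_groups() {
  for ug_gid in $(id -G "$1" 2>/dev/null); do
    getent group "$ug_gid" | cut -d: -f1
  done
}

# Succeed if any group in $1 matches any pattern in $2 (both one per line).
# Assumption: only * and ? wildcards, case-sensitive; "!" is not handled.
group_allowed() {
  ga_ifs=$IFS; IFS='
'
  set -f                      # keep "*" in patterns from expanding to file names
  for ga_g in $1; do
    for ga_p in $2; do
      case "$ga_g" in $ga_p) IFS=$ga_ifs; set +f; return 0 ;; esac
    done
  done
  IFS=$ga_ifs; set +f
  return 1
}

# Usage: sh check.sh /var/log/auth.log /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then
  patterns=$(allow_groups "$2")
  for u in $(denied_users "$1"); do
    getent passwd "$u" >/dev/null || echo "$u: name no longer resolves via NSS"
    if group_allowed "$(user_groups "$u")" "$patterns"; then
      echo "$u: at least one group matches AllowGroups"
    else
      echo "$u: no group matches AllowGroups"
    fi
  done
fi
```

A name that appears in the denial line but no longer resolves through getent yields an empty group list, which can never match AllowGroups.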