Rowland Penny
2016-Sep-06 11:55 UTC
[Samba] Winbind / Samba auth problem after username change
On Tue, 6 Sep 2016 11:41:59 +0000
Julian Zielke via samba <samba at lists.samba.org> wrote:

> OK I think I got some more information for you guys. I just did
> “getent passwd <NEW username>” and got:
> <OLD username>:*:<ID>:<ID2>::/home/…/<OLD username>:/bin/bash
>
> When I do “su - <NEW username>” I get a valid shell with the notification
> “No directory, logging in with HOME=/”. When I do the same with the
> OLD username I get “No passwd entry for user '<OLD username>'”.
>
> It’s like the new name is the only valid one but still has a hardlink
> to the old one… really weird…
>
> From: mathias dufresne [mailto:infractory at gmail.com]
> Sent: Tuesday, 6 September 2016 13:30
> To: Rowland Penny <rpenny at samba.org>
> Cc: samba <samba at lists.samba.org>; Julian Zielke <jzielke at next-level-integration.com>
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> Hum...
> All users are OK except the one(s) whose names you changed. No other
> modification in configuration, all other users are working well. Is
> that true? This broken user is correctly shown using "getent passwd
> <NEW username>"? Is that true?
>
> Can you use that user on the system side? I would try, as root, "su -
> <NEW username>". This last test is to verify all is well configured
> about that user with the new name. If it complains about a missing home
> directory or anything else, that could be the reason SSH refuses to let
> that user connect on the system.
>
> 2016-09-06 11:36 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> > On Tue, 6 Sep 2016 09:15:09 +0000
> > Julian Zielke via samba <samba at lists.samba.org> wrote:
> >
> > > Hi Mathias,
> > >
> > > thanks for your advice on how to use getent. However you’re
> > > mentioning SSSD, which is working fine. I was referring to it because
> > > we changed to that method lately, but the server having the problem
> > > is NOT using this new method but the old winbind+samba combination.
> > >
> > > Sorry if it was confusing.
> > >
> > > Cheers,
> > > Julian
> >
> > If you are using a fairly recent version of sssd, you are using a
> > version of a Samba winbind lib, so just changing to sssd shouldn't
> > give problems.
> >
> > First and foremost, all your users & groups are stored in AD as
> > Windows users & groups, i.e. they have a SID-RID.
> > So if you change a login name, it shouldn't affect anything else, so
> > when I asked how you changed the login name, perhaps I should have
> > asked: what did you change?
> >
> > Rowland

As you don't seem to want to answer my question, I will tell you what I
think is going on.

Let's take a user called 'Test User' who is a member of a group called
'A Group'. If you examine their object in AD, you will find something
like this:

user cn=Test User,CN=Users,DC=samdom,DC=example,DC=com
samaccountname: test
........
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

If you also examine the group's object:

dn: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com
.......
member: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com

If you now change 'Test User's' name to 'Someone Else', you will also
change various other things:

user cn=Someone Else,CN=Users,DC=samdom,DC=example,DC=com
samaccountname: someone
........
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

But I do not think you will change the 'member' line in the group's
object; it will still refer to 'Test User', who doesn't exist any more.
This means that 'Someone Else' isn't a member of 'A Group', even though
the user's object contains a 'memberOf' attribute that says they are.

Is this what is going on in your AD ???

Rowland
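A check for the one-sided group membership Rowland describes, added here as an example that is not part of the thread and not Samba's own tooling: it parses an LDIF-style dump (the format ldbsearch or ldapsearch print) and reports group `member` values pointing at a DN that no longer exists, plus `memberOf` values whose group does not list the user's current DN. The object names and attribute values are constructed from Rowland's 'Test User' / 'Someone Else' / 'A Group' example; attribute folding and DN case handling are assumptions about the dump, not facts from the thread.

```python
"""Check that memberOf back-links agree with the groups' member attributes."""
import re

# Constructed dump: Rowland's example after the rename. The user object
# carries the new CN, the group still lists the old user DN.
STALE_LDIF = """\
dn: CN=Someone Else,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: someone
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
member: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com
"""

# Constructed dump of the healthy state: both sides of the link agree.
HEALTHY_LDIF = STALE_LDIF.replace(
    "member: CN=Test User,", "member: CN=Someone Else,")


def norm_dn(dn):
    """Normalise a DN for comparison: AD DNs compare case-insensitively
    and tools may print a space after each separating comma."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr_lower: [values]}}.

    Entries are separated by blank lines; a line starting with one space
    continues the previous attribute value (LDIF folding). Folded dn
    lines are not handled; dumps are assumed to print the dn unfolded.
    """
    entries, attrs, last = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            attrs, last = None, None          # entry boundary
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and attrs is not None and last is not None:
            attrs[last][-1] += raw[1:]        # continuation of previous value
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            attrs = {}
            entries[value] = attrs
            last = None
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
            last = name
    return entries


def find_broken_links(entries):
    """Return (dangling, one_sided) for the inconsistency Rowland suspects.

    dangling  - (group_dn, member_dn): a member value naming a DN that is
                not present in the dump (e.g. the pre-rename user DN)
    one_sided - (user_dn, group_dn): the user claims memberOf a group whose
                member attribute does not contain the user's current DN
    """
    dn_index = {norm_dn(dn): dn for dn in entries}
    dangling, one_sided = [], []
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            if norm_dn(member) not in dn_index:
                dangling.append((dn, member))
        for group_dn in attrs.get("memberof", []):
            group = entries.get(dn_index.get(norm_dn(group_dn)))
            if group is None:
                continue                      # group not in this dump; cannot judge
            members = {norm_dn(m) for m in group.get("member", [])}
            if norm_dn(dn) not in members:
                one_sided.append((dn, group_dn))
    return dangling, one_sided


def check_dump(text):
    """Parse a dump and return its (dangling, one_sided) findings."""
    return find_broken_links(parse_ldif(text))


if __name__ == "__main__":
    for label, dump in (("stale", STALE_LDIF), ("healthy", HEALTHY_LDIF)):
        dangling, one_sided = check_dump(dump)
        print(f"{label}: {len(dangling)} dangling member value(s), "
              f"{len(one_sided)} one-sided memberOf value(s)")
        for group_dn, member in dangling:
            print(f"  {group_dn}: member {member} does not exist")
        for user_dn, group_dn in one_sided:
            print(f"  {user_dn}: memberOf {group_dn}, but not in its member list")
```

In AD, Samba's included, member and memberOf are a linked attribute pair maintained by the directory, so a DN rename is expected to update both; running this over a real dump confirms or rules out the hypothesis rather than assuming it.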
Julian Zielke
2016-Sep-06 12:20 UTC
[Samba] Winbind / Samba auth problem after username change
Huh? I did answer your question about what we have changed:

-----Original Message-----
From: Julian Zielke
Sent: Tuesday, 6 September 2016 12:57
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

Well, we've changed the logon name (SAMAccountName) and the Name and Surname of the user object.

Or was there any other question I probably can't see because of the amount of quotes?

Cheers,
Julian

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
Sent: Tuesday, 6 September 2016 13:55
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

On Tue, 6 Sep 2016 11:41:59 +0000
Julian Zielke via samba <samba at lists.samba.org> wrote:

[...]

As you don't seem to want to answer my question, I will tell you what I think is going on.

[...]

Is this what is going on in your AD ???

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.
Julian Zielke
2016-Sep-06 12:28 UTC
[Samba] Winbind / Samba auth problem after username change
OK, I've used Apache Directory Studio to examine your hint, but the user object has the new name and the group the user is in has the user's proper DN string. So the change seems to be correct on the DCs' part.

-----Original Message-----
From: Julian Zielke
Sent: Tuesday, 6 September 2016 14:19
To: 'Rowland Penny' <rpenny at samba.org>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

Huh? I did answer your question about what we have changed:

[...]
mathias dufresne
2016-Sep-06 12:43 UTC
[Samba] Winbind / Samba auth problem after username change
I did try to use ldapmodify to modify the RDN (as CN is used for group membership and also used to forge the DN) and this change was reflected into the group this user belongs to.

As ldapmodify is an external tool, and as it works well with that external tool, I would expect the internal tools provided by Samba or MS to work well too.

Anyway, Julian, you should check if the change is reflected into groups.
You should also give us the LDAP attribute you changed. A user name is not a unique notion in AD: CN is a user name, as are sAMAccountName or userPrincipalName, or also uid.

2016-09-06 13:55 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 6 Sep 2016 11:41:59 +0000
> Julian Zielke via samba <samba at lists.samba.org> wrote:
>
> [...]
>
> As you don't seem to want to answer my question, I will tell you what I
> think is going on.
>
> [...]
>
> But I do not think you will change the 'member' line in the group's
> object; it will still refer to 'Test User', who doesn't exist any more.
> This means that 'Someone Else' isn't a member of 'A Group', even though
> the user's object contains a 'memberOf' attribute that says they are.
>
> Is this what is going on in your AD ???
>
> Rowland
Rowland Penny
2016-Sep-06 12:45 UTC
[Samba] Winbind / Samba auth problem after username change
On Tue, 6 Sep 2016 12:20:13 +0000
Julian Zielke <jzielke at next-level-integration.com> wrote:

> Huh? I did answer your question about what we have changed:
>

Sorry about that, I have only just received that post (and they say email is instant ;-)

Have you checked what I suggested?

Rowland
Julian Zielke
2016-Sep-06 13:00 UTC
[Samba] Winbind / Samba auth problem after username change
Hey Mathias,

well, we don't use ldapmodify. We use Windows machines for our domain administration and the built-in Windows domain administration tools, which work fine with Samba SerNet DCs. All we do is change the fields "logon name, name and surname" in the GUI. So when I say SAMAccountName I'm referring to the logon name our Windows machines are using too.

Cheers,
Julian

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne via samba
> Sent: Tuesday, 6 September 2016 14:43
> To: Rowland Penny <rpenny at samba.org>
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> I did try to use ldapmodify to modify the RDN (as CN is used for group
> membership and also used to forge the DN) and this change was reflected
> into the group this user belongs to.
>
> As ldapmodify is an external tool, and as it works well with that external
> tool, I would expect the internal tools provided by Samba or MS to work
> well too.
>
> [...]
Julian Zielke
2016-Sep-06 13:05 UTC
[Samba] Winbind / Samba auth problem after username change
Yes, the change is reflected into groups. The user's DN has all the new information we entered. The group has a memberOf string with the same correct information. A "net cache flush" on our DCs didn't help either.

Since another server using the same DCs and authentication mechanisms has no problems with the new name, it seems to be a server-related issue and not a DC one.

- Julian

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne via samba
> Sent: Tuesday, 6 September 2016 14:43
> To: Rowland Penny <rpenny at samba.org>
> Cc: samba <samba at lists.samba.org>
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> [...]
>
> Anyway, Julian, you should check if the change is reflected into groups.
> You should also give us the LDAP attribute you changed. A user name is
> not a unique notion in AD: CN is a user name, as are sAMAccountName or
> userPrincipalName, or also uid.
>
> [...]