Julian Zielke
2016-Sep-07 09:12 UTC
[Samba] Winbind / Samba auth problem after username change
Good Morning Rowland,

oh well, the bad side of the Internet... well the samba stuff was implemented by a former co-worker so I've to get into everything he did.

Here's the information you've requested, additionally with my config files I now changed based on the samba wiki:

smb.conf:

cat /etc/samba/smb.conf

    [global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.local
    netbios name = vmu09tcse01
    server string = Samba AD Client Version %v
    security = ads
    password server = DC03, DC04, DC01, DC02, *
    server role = standalone server
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind nss info = template
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    winbind use default domain = yes
    template homedir = /home/MYDOMAIN.LOCAL/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0

    # Default idmap config used for BUILTIN and local windows accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain MYDOMAIN
    idmap config MYDOMAIN:backend = rid
    idmap config MYDOMAIN:range = 10000-99999

nsswitch.conf:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd: compat winbind
    group: compat winbind
    shadow: compat

    hosts: files dns mdns4
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    group: compat winbind

Sanitized version of user object:

    user (strukturell)
    organizationalPerson (strukturell)
    person (strukturell)
    top (abstrakt)
    ren_test4
    4
    CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
    14.09.30828 04:48:05 MESZ (9223372036854775807)
    0
    0
    User Rename Test
    ren_test4
    CN=ren_test4,OU=agroup,OU=team1,OU=user,OU=integration,DC=domain,DC=local
    ren_test4
    CN=g_blau_alle,OU=agroup,OU=team1,OU=user,OU=department,DC=domain,DC=local
    ren_test4
    {78ccfb30-fd1e-43bb-be3f-3a784e296d63}
    S-1-5-21-291884467-1407662076-1109738395-2521
    513
    05.09.2016 16:28:18 MESZ (131175592980000000)
    ren_test4
    805306368
    66048
    ren_test4 at domain.local
    67386
    67033
    06.09.2016 15:48:37 MESZ (20160906134837.0Z)
    05.09.2016 16:28:16 MESZ (20160905142816.0Z)

BTW: when I do

    # getent passwd | grep ren_test4

I get:

    ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash

but when I do: getent passwd ren_test4

    ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash

WTF??

Cheers,
Julian

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Tuesday, 6 September 2016 18:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> On Tue, 6 Sep 2016 16:13:47 +0000
> Julian Zielke <jzielke at next-level-integration.com> wrote:
>
> > BTW I noticed that most configs use the wildcard parameter. So the
> > smb.conf now uses:
> >
> > idmap config * : backend = rid
> > idmap config * : range = 16777216-33554431
> >
> > But still no change... I really wonder where this old username is
> > coming from...
> >
>
> No, the '*' range is meant for BUILTIN and local windows users, Please
> only refer to the Samba wiki for info, there is some terrible dross out
> there on the internet.
>
> Can you please post a sanitized version of the users object in AD,
> perhaps this will highlight something.
>
> Rowland
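The two getent answers in the message above can be checked against the rid backend's documented mapping, ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)), to separate an ID-mapping fault from a name-lookup fault. This is an added example, not part of the original thread; the function names and verdict words are made up here, BASE_RID is assumed to be the default 0, and the SID, range and passwd lines are the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread. SID, RIDs, range and getent lines are
# copied from the post above; function names and verdict words are made up here.

# rid_to_id SID_OR_RID LOW HIGH [BASE_RID]
# idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID (BASE_RID assumed 0, the default).
# Prints the Unix id; returns 1 if it falls outside LOW..HIGH, 2 on a bad RID.
rid_to_id() {
    rid=${1##*-}                      # last sub-authority of the SID is the RID
    low=$2; high=$3; base=${4:-0}
    case $rid in ''|*[!0-9]*) return 2 ;; esac
    id=$(( rid - base + low ))
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ] || return 1
    printf '%s\n' "$id"
}

# Lower-case a string so account names compare case-insensitively.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_lookup WANTED_NAME PASSWD_LINE EXPECTED_UID EXPECTED_GID
# Classifies one passwd entry returned for WANTED_NAME:
#   ok          name and ids agree with the directory object
#   stale-name  ids match the SID, but the entry carries another account name
#   wrong-id    name matches, but uid/gid differ from the rid mapping
#   mismatch    neither name nor ids match
check_lookup() {
    want=$1; line=$2; exp_uid=$3; exp_gid=$4
    got_name=$(printf '%s\n' "$line" | cut -d: -f1)
    got_uid=$(printf '%s\n' "$line" | cut -d: -f3)
    got_gid=$(printf '%s\n' "$line" | cut -d: -f4)
    name_ok=no; id_ok=no
    [ "$(lc "$got_name")" = "$(lc "$want")" ] && name_ok=yes
    [ "$got_uid" = "$exp_uid" ] && [ "$got_gid" = "$exp_gid" ] && id_ok=yes
    case $name_ok$id_ok in
        yesyes) echo ok ;;
        noyes)  echo stale-name ;;
        yesno)  echo wrong-id ;;
        *)      echo mismatch ;;
    esac
}

# Values from the post: objectSid, primaryGroupID, "idmap config MYDOMAIN:range".
USER_SID='S-1-5-21-291884467-1407662076-1109738395-2521'
PRIMARY_GROUP_RID=513
RANGE_LOW=10000
RANGE_HIGH=99999

# The two answers quoted in the post for the same account name.
ENUM_LINE='ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash'
BYNAME_LINE='ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash'

uid=$(rid_to_id "$USER_SID" "$RANGE_LOW" "$RANGE_HIGH")
gid=$(rid_to_id "$PRIMARY_GROUP_RID" "$RANGE_LOW" "$RANGE_HIGH")
echo "rid mapping expects uid=$uid gid=$gid"
echo "getent passwd | grep ren_test4 -> $(check_lookup ren_test4 "$ENUM_LINE" "$uid" "$gid")"
echo "getent passwd ren_test4        -> $(check_lookup ren_test4 "$BYNAME_LINE" "$uid" "$gid")"
```

On a live member server the passwd line would come from `getent passwd "$name"` and the SID from the account's objectSid on the DC.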
mathias dufresne
2016-Sep-07 09:54 UTC
[Samba] Winbind / Samba auth problem after username change
Could you please post the full output of the following command:

    ldbsearch -H /var/lib/samba/private/sam.ldb cn=ren_test*

Replacing /var/lib/samba/private/sam.ldb by the real path to sam.ldb
Rowland Penny
2016-Sep-07 10:05 UTC
[Samba] Winbind / Samba auth problem after username change
See inline comments.

On Wed, 7 Sep 2016 09:12:35 +0000
Julian Zielke <jzielke at next-level-integration.com> wrote:

> smb.conf:

Can you try this smb.conf:

    [global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.local
    netbios name = vmu09tcse01
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba AD Client Version %v
    security = ads
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = Yes
    template shell = /bin/bash
    domain master = no
    local master = no
    preferred master = no

    # Default idmap config used for BUILTIN and local windows accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain MYDOMAIN
    idmap config MYDOMAIN:backend = rid
    idmap config MYDOMAIN:range = 10000-99999

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

If your dns domain really does end in '.local', then I suggest you turn off AVAHI if it is running.

> nsswitch.conf:
> # /etc/nsswitch.conf

You have this line twice:

    group: compat winbind

> Sanitized version of user object:

Sorry, I cannot really understand this, I expected you to run something like this on the DC:

    ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(samAccountType=805306368)(samaccountname=rowland))'

Which would have returned something like this

    # record 1
    dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
    cn: Rowland Penny
    sn: Penny
    givenName: Rowland
    instanceType: 4
    whenCreated: 20151109093821.0Z
    displayName: Rowland Penny
    uSNCreated: 3871
    name: Rowland Penny
    objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    primaryGroupID: 513
    objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
    logonCount: 0
    sAMAccountName: rowland
    sAMAccountType: 805306368
    userPrincipalName: rowland at samdom.example.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
     om
    pwdLastSet: 130915355010000000
    unixUserPassword: ABCD!efgh12345$67890
    uid: rowland
    msSFU30Name: rowland
    msSFU30NisDomain: samdom
    uidNumber: 10000
    unixHomeDirectory: /home/rowland
    loginShell: /bin/bash
    userAccountControl: 66048
    accountExpires: 0
    gidNumber: 10000
    gecos: Rowland Penny
    memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
    homeDrive: H:
    homeDirectory: \\DC2\home\rowland
    objectClass: top
    objectClass: posixAccount
    objectClass: securityPrincipal
    objectClass: person
    objectClass: systemQuotas
    objectClass: organizationalPerson
    objectClass: user
    description: A Unix user
    lastLogonTimestamp: 131172747410094140
    whenChanged: 20160902072541.0Z
    uSNChanged: 294249
    lastLogon: 131177043474577810
    distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

You could then have changed anything in that you don't want the list to see.

> BTW: when I do
> # getent passwd | grep ren_test4
>
> I get:
> ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash
>
> but when I do: getent passwd ren_test4
> ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash

Now that is interesting, what does 'getent passwd | grep ren_test' return ?

Rowland
Julian Zielke
2016-Sep-07 11:10 UTC
[Samba] Winbind / Samba auth problem after username change
sure:

    ldbsearch -H /var/lib/samba/private/sam.ldb cn=ren_test*
    # returned 0 records
    # 0 entries
    # 0 referrals
Julian Zielke
2016-Sep-07 11:20 UTC
[Samba] Winbind / Samba auth problem after username change
- It really ends in local. So I guess I can leave this one.
- I've corrected the double entry in nsswitch.conf

The command returns:

    # getent passwd | grep ren_test
    ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash

What I copied into the message before was our object directly from the DC. I thought you said "ldapsearch", not ldbsearch ;-)

Well here's the ldbsearch result (hopefully I did it the right way):

    # ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s sub '(&(samAccountType=805306368)(samaccountname=ren_test))'
    # returned 0 records
    # 0 entries
    # 0 referrals

Even when I do it without any subcommand it returns 0 records:

    ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local'
    # returned 0 records
    # 0 entries
    # 0 referrals

Dunno whether this now points to an error in my configuration or not.

Cheers,
Julian