Julian Zielke
2016-Sep-07 11:20 UTC
[Samba] Winbind / Samba auth problem after username change
- It really ends in local. So I guess I can leave this one. - I've corrected the double entry in nsswitch.conf The command returns: # getent passwd | grep ren_test ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash What I copied into the message before was our object directly from the DC. I thought you said "ldapsearch", not ldbsearch ;-) Well here's the ldbsearch result (hopefully I did it the right way): # ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s sub '(&(samAccountType=805306368)(samaccountname=ren_test))' # returned 0 records # 0 entries # 0 referrals Even when I do it without any subcommand it returns 0 records: ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' # returned 0 records # 0 entries # 0 referrals Dunno whether this now points to an error in my configuration or not. Cheers, Julian> -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland Penny via samba > Gesendet: Mittwoch, 7. September 2016 12:05 > An: samba at lists.samba.org > Betreff: Re: [Samba] Winbind / Samba auth problem after username change > > > See inline comments. > > On Wed, 7 Sep 2016 09:12:35 +0000 > Julian Zielke <jzielke at next-level-integration.com> wrote: > > > > > > > > > smb.conf: > > > > Can you try this smb.conf: > > [global] > workgroup = MYDOMAIN > realm = MYDOMAIN.local > netbios name = vmu09tcse01 > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > server string = Samba AD Client Version %v > security = ads > winbind enum users = yes > winbind enum groups = yes > winbind use default domain = yes > winbind refresh tickets = Yes > template shell = /bin/bash > domain master = no > local master = no > preferred master = no > > # Default idmap config used for BUILTIN and local windows > accounts/groups > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > > # idmap config for domain MYDOMAIN > idmap config MYDOMAIN:backend = rid > idmap config MYDOMAIN:range = 10000-99999 > > # For ACL support on domain member > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > > If your dns domain really does end in '.local', then I suggest you turn > off AVAHI if it is running. > > > > > > > nsswitch.conf: > > > > # /etc/nsswitch.conf > > > > You have this line twice: > > group: compat winbind > > > > > > > > Sanitized version of user object: > > > > Sorry, I cannot really understand this, I expected you to run something like > this on the DC: > > ldbsearch -H /usr/local/samba/private/sam.ldb -b > 'dc=samdom,dc=example,dc=com' -s sub > '(&(samAccountType=805306368)(samaccountname=rowland))' > > Which would have returned something like this > > # record 1 > dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com > cn: Rowland Penny > sn: Penny > givenName: Rowland > instanceType: 4 > whenCreated: 20151109093821.0Z > displayName: Rowland Penny > uSNCreated: 3871 > name: Rowland Penny > objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72 > badPwdCount: 0 > codePage: 0 > countryCode: 0 > badPasswordTime: 0 > lastLogoff: 0 > primaryGroupID: 513 > objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107 > logonCount: 0 > sAMAccountName: rowland > sAMAccountType: 805306368 > userPrincipalName: rowland at samdom.example.com > objectCategory: > CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c > om > pwdLastSet: 130915355010000000 > unixUserPassword: ABCD!efgh12345$67890 > uid: rowland > msSFU30Name: rowland > msSFU30NisDomain: samdom > uidNumber: 10000 > unixHomeDirectory: /home/rowland > loginShell: /bin/bash > userAccountControl: 66048 > accountExpires: 0 > gidNumber: 10000 > gecos: Rowland Penny > memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com > homeDrive: H: > homeDirectory: \\DC2\home\rowland > objectClass: top > objectClass: posixAccount > objectClass: securityPrincipal > objectClass: person > objectClass: systemQuotas > objectClass: organizationalPerson > objectClass: user > description: A Unix user > lastLogonTimestamp: 131172747410094140 > whenChanged: 20160902072541.0Z > uSNChanged: 294249 > lastLogon: 131177043474577810 > distinguishedName: CN=Rowland > Penny,CN=Users,DC=samdom,DC=example,DC=com > > You could then have changed anything in that you don't want the list to > see. > > > > > BTW: when I do > > > > # getent passwd | grep ren_test4 > > > > > > > > I get: > > > > > ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/ > bash > > > > > > > > but when I do: getent passwd ren_test4 > > > > > ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/ > bash > > > > Now that is interesting, what does 'getent passwd | grep ren_test' > return ? > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/sambaWichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.
Rowland Penny
2016-Sep-07 11:47 UTC
[Samba] Winbind / Samba auth problem after username change
On Wed, 7 Sep 2016 11:20:54 +0000 Julian Zielke <jzielke at next-level-integration.com> wrote: See inline comments:> - It really ends in local. So I guess I can leave this one.If AVAHI is running on any Unix machines, it can get in the way, so as I said, you would be advised to turn it off.> - I've corrected the double entry in nsswitch.conf > > The command returns: > # getent passwd | grep ren_test > ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash > > What I copied into the message before was our object directly from > the DC. I thought you said "ldapsearch", not ldbsearch ;-) > > Well here's the ldbsearch result (hopefully I did it the right way): > # ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s > sub '(&(samAccountType=805306368)(samaccountname=ren_test))' # > returned 0 records # 0 entries > # 0 referrals > > Even when I do it without any subcommand it returns 0 records: > ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' > # returned 0 records > # 0 entries > # 0 referrals > > Dunno whether this now points to an error in my configuration or not. >Possibly not, '/var/lib/samba/private/sam.ldb' is the path to 'sam.ldb' if you compile Samba yourself. It may (and probably will be) in a different place if you are using OS packages i.e. /var/lib/samba/private/sam.ldb on debian You should also replace 'rowland' with the full user logon name. Rowland
Julian Zielke
2016-Sep-07 12:05 UTC
[Samba] Winbind / Samba auth problem after username change
AVAHI is not running on our machines. We're using Samba from the official sernet repository. I did a find-command on all sam.ldb files and this is the only one which exists. Also when I delete them and restart the samba service, it's being created again, so I guess it's the correct file the daemon is working with. I've used the ldbsearch with the full logon name, however even when doing the command Mathias suggested no results are shown at all. - Julian> -----Ursprüngliche Nachricht----- > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von > Rowland Penny via samba > Gesendet: Mittwoch, 7. September 2016 13:48 > An: samba at lists.samba.org > Betreff: Re: [Samba] Winbind / Samba auth problem after username change > > On Wed, 7 Sep 2016 11:20:54 +0000 > Julian Zielke <jzielke at next-level-integration.com> wrote: > > See inline comments: > > > - It really ends in local. So I guess I can leave this one. > > If AVAHI is running on any Unix machines, it can get in the way, so as > I said, you would be advised to turn it off. > > > - I've corrected the double entry in nsswitch.conf > > > > The command returns: > > # getent passwd | grep ren_test > > ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash > > > > What I copied into the message before was our object directly from > > the DC. I thought you said "ldapsearch", not ldbsearch ;-) > > > > Well here's the ldbsearch result (hopefully I did it the right way): > > # ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s > > sub '(&(samAccountType=805306368)(samaccountname=ren_test))' # > > returned 0 records # 0 entries > > # 0 referrals > > > > Even when I do it without any subcommand it returns 0 records: > > ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' > > # returned 0 records > > # 0 entries > > # 0 referrals > > > > Dunno whether this now points to an error in my configuration or not. > > > > Possibly not, '/var/lib/samba/private/sam.ldb' is the path to 'sam.ldb' > if you compile Samba yourself. It may (and probably will be) in a > different place if you are using OS packages > i.e. /var/lib/samba/private/sam.ldb on debian > > You should also replace 'rowland' with the full user logon name. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/sambaWichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.