L.P.H. van Belle
2016-Sep-07 14:02 UTC
[Samba] Winbind / Samba auth problem after username change
I would suggest.

Stop samba and winbind

Backup
/etc/krb5.keytab
/var/lib/samba
/var/cache/samba

Remove everything in :
/var/lib/samba
/var/cache/samba
And remove :
/etc/krb5.keytab

Put in this config ( from Rowlands suggestion. )
Can you try this smb.conf:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.local
    netbios name = vmu09tcse01
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba AD Client Version %v
    security = ads
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = Yes
    template shell = /bin/bash
    domain master = no
    local master = no
    preferred master = no

    # Default idmap config used for BUILTIN and local windows accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain MYDOMAIN
    idmap config MYDOMAIN:backend = rid
    idmap config MYDOMAIN:range = 10000-99999

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Join the domain again.

Test again.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Julian Zielke via samba
> Sent: Wednesday, 7 September 2016 15:52
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> BTW I just tried the getent command again and it gets even weirder:
>
> # getent passwd ren_test4
> ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash
>
> then did another getent after a couple of seconds:
>
> # getent passwd ren_test4
> ren_test3:*:12521:10513:ren_test3:/home/NLI.LOCAL/ren_test3:/bin/bash
>
> This is...well..I have no damn clue XD
>
> > > -----Original Message-----
> > > From: Julian Zielke
> > > Sent: Wednesday, 7 September 2016 15:19
> > > To: 'samba at lists.samba.org' <samba at lists.samba.org>
> > > Subject: WG: [Samba] Winbind / Samba auth problem after username change
> > >
> > > I just did a cp -p *.ldb to a backup directory and restarted the services.
> > > Of course I didn't delete it since I don't know whether this action would be
> > > fatal.
> > >
> > > > > -----Original Message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > > > > Rowland Penny via samba
> > > > > Sent: Wednesday, 7 September 2016 15:10
> > > > > To: samba at lists.samba.org
> > > > > Subject: Re: [Samba] Winbind / Samba auth problem after username change
> > > > >
> > > > > On Wed, 7 Sep 2016 12:46:39 +0000
> > > > > Julian Zielke <jzielke at next-level-integration.com> wrote:
> > > > >
> > > > > > Btw, before it looked like this:
> > > > > >
> > > > > > # ll
> > > > > > total 7148
> > > > > > drwxr-xr-x 2 root root    4096 Sep  7 14:36 ./
> > > > > > drwxr-xr-x 7 root root    4096 Sep  7 14:38 ../
> > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 14:34 DC=NLI,DC=LOCAL.ldb
> > > > > > -rw------- 1 root root   24576 Sep  7 13:11 netlogon_creds_cli.tdb
> > > > > > -rw------- 1 root root  421888 Sep  7 13:09 passdb.tdb
> > > > > > -rw------- 1 root root     696 Jan 19  2016 randseed.tdb
> > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 13:08 sam.ldb
> > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 14:29 sam.ldbobjectClass=*
> > > > > > -rw------- 1 root root 1286144 Sep  7 10:50 secrets.ldb
> > > > > > -rw------- 1 root root  430080 Sep  4 10:06 secrets.tdb
> > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 13:09 *-tdb
> > > > > >
> > > > > > From: Julian Zielke
> > > > > > Sent: Wednesday, 7 September 2016 14:41
> > > > > > To: 'Rowland Penny' <rpenny at samba.org>
> > > > > > Cc: samba at lists.samba.org
> > > > > > Subject: AW: [Samba] Winbind / Samba auth problem after username change
> > > > > >
> > > > > > Well, I always get 0 results, whether using cn, full username,
> > > > > > wildcards, another existing and working user etc.
> > > > > >
> > > > > > # cat /etc/passwd | grep 'ren_test'
> > > > > >
> > > > > > returns nothing
> > > > > >
> > > > > > # wbinfo -u | grep 'ren_test'
> > > > > >
> > > > > > returns: ren_test4
> > > > > >
> > > > > > I also created a backup of all those ldb files and restarted the
> > > > > > samba service. Now there's no new sam.ldb but a file looking similar
> > > > > > to it.
> > > > >
> > > > > How are you backing up the ldb files ?
> > > > > Once you have backed up sam.ldb, are you deleting it ?
> > > > >
> > > > > Rowland
> > > > >
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions: https://lists.samba.org/mailman/options/samba
>
> Important Note: The information contained in this e-mail is confidential.
> It is intended solely for the addressee. Access to this e-mail by anyone
> else is unauthorized. If you are not the intended recipient, any form of
> disclosure, reproduction, distribution or any action taken or refrained
> from in reliance on it, is prohibited and may be unlawful. Please notify
> the sender immediately. We also would like to inform you that
> communication via e-mail over the internet is insecure because third
> parties may have the possibility to access and manipulate e-mails.
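The backup-and-clear steps from the message above, written out as a shell script; this is an added example and not part of the original post. The `ROOT` prefix, the archive location under `/root` and the systemd unit names are assumptions, and the script refuses to delete anything until a readable, root-only backup exists.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical path prefix so the
# steps can be rehearsed on a scratch tree; pass "" to act on the real paths.

KEYTAB=etc/krb5.keytab                      # paths named in the message,
STATE_DIRS="var/lib/samba var/cache/samba"  # written relative to ROOT

# backup_state ROOT ARCHIVE
# Archive the keytab and both state directories. The keytab and secrets.tdb
# hold the machine account credentials, so the archive is created mode 0600.
backup_state() {
    root=$1; archive=$2; members=""
    if [ -e "$archive" ]; then
        echo "refusing to overwrite $archive" >&2; return 1
    fi
    for p in $KEYTAB $STATE_DIRS; do
        if [ -e "$root/$p" ]; then members="$members $p"; fi
    done
    if [ -z "$members" ]; then
        echo "nothing to back up under ${root:-/}" >&2; return 1
    fi
    (
        umask 077
        # $members is deliberately unquoted: fixed relative paths, no spaces.
        tar -C "${root:-/}" -cf "$archive" $members
    ) || return 1
    # Fail now, not at restore time, if the archive cannot be read back.
    tar -tf "$archive" >/dev/null
}

# clear_state ROOT ARCHIVE
# Empty the state directories and remove the keytab, but only when ARCHIVE is
# a readable tar file. The directories themselves are kept.
clear_state() {
    root=$1; archive=$2
    if ! tar -tf "$archive" >/dev/null 2>&1; then
        echo "no readable backup at $archive, refusing to delete" >&2
        return 1
    fi
    for d in $STATE_DIRS; do
        if [ -d "$root/$d" ]; then
            # Everything inside goes, dotfiles included.
            find "$root/$d" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
        fi
    done
    rm -f -- "$root/$KEYTAB"
}

# Act on the live system only when asked: sh reset-member.sh --run
if [ "${1:-}" = "--run" ]; then
    # Stop the daemons first so the database files are not copied mid-write.
    # Unit names are an assumption (Debian/Ubuntu); other distributions differ.
    systemctl stop smbd nmbd winbind || exit 1
    archive=/root/samba-member-$(date +%Y%m%d-%H%M%S).tar
    backup_state "" "$archive" && clear_state "" "$archive" || exit 1
    echo "state cleared; backup in $archive"
    echo "next: install the new smb.conf and join the domain again"
fi
```

To undo the reset, extract the archive as root with `tar -C / -xpf ARCHIVE` while the services are still stopped.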
Julian Zielke
2016-Sep-07 14:31 UTC
[Samba] Winbind / Samba auth problem after username change
Tried that too. Now when joining the domain I get:

gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (krbtgt/LOCAL at NLI.LOCAL) unknown]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.
L.P.H. van Belle
2016-Sep-07 14:34 UTC
[Samba] Winbind / Samba auth problem after username change
No tls setup in samba?
Host/ip in dns is checked?

Resolv.conf is pointed to the AD DC with FSMO roles?

And you tried recreating the krb5.keytab if it is not recreated?

Greetz,

Louis
Rowland Penny
2016-Sep-07 14:43 UTC
[Samba] Winbind / Samba auth problem after username change
On Wed, 7 Sep 2016 16:34:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> No tls setup in samba?
> Host/ip in dns is checked?
>
> Resolv.conf is pointed to the AD DC with FSMO roles?
>
> And you tried recreating the krb5.keytab if it is not recreated?
>
> Greetz,
>
> Louis

I am beginning to think the OP has damaged sam.ldb on the DC by copying it, it might be quicker to start again. I do hope this isn't in production.

Rowland
Julian Zielke
2016-Sep-07 14:53 UTC
[Samba] Winbind / Samba auth problem after username change
sorry, my mistake. net ads join -S argument required FQDN of the primary dc. Machine is back in the domain.

This seems to have helped. However, is this really the solution? I mean I have to rejoin the domain for all my machines? *sigh*
Well if that's the case, so be it. But then I'll switch over to sssd. This will also affect production machines but that's what maintenance intervals are made for, right? ;-)
> > Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in > > Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass > die > > Kommunikation per E-Mail über das Internet unsicher ist, da für > > unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und > > Manipulation besteht > > > > Important Note: The information contained in this e-mail is confidential. > > It is intended solely for the addressee. Access to this e-mail by anyone > > else is unauthorized. If you are not the intended recipient, any form of > > disclosure, reproduction, distribution or any action taken or refrained > > from in reliance on it, is prohibited and may be unlawful. Please notify > > the sender immediately. We also would like to inform you that > > communication via e-mail over the internet is insecure because third > > parties may have the possibility to access and manipulate e-mails. > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/sambaWichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. 
If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.
L.P.H. van Belle
2016-Sep-07 15:09 UTC
[Samba] Winbind / Samba auth problem after username change
No, I don't think it is needed for all to rejoin.

Now next server, do the same, but now don't delete everything.

Again stop samba and winbind.
Back up the 2 folders /var/lib/samba and /var/cache/samba.
Now in /var/lib/samba delete winbind*.tdb
and *.tdb in /var/cache/samba.
USE THE SMB.CONF as before, modify it for the needed server.
Start samba and winbind again.
Type wbinfo -u first and wbinfo -g,
just to be sure this works OK and it updates the tdb files again.

If it works, stop samba + winbind again.
Add in smb.conf
password server = ADDC_WITH_FSMO
Retry the above with all ADDC: DC04, DC01, DC02, *
One has a problem, I think, but test with only one server at a time.
(And use FQDN for the pass servers.)

That should help to identify where exactly the problem is.

Greetz,
Louis
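The file-handling part of the partial reset in the post above, as an added example that is not part of the original message: it backs up both directories first, refuses to delete anything if a backup fails, and removes only the winbind and cache tdb files so the existing domain join data stays in place. The function name `clear_winbind_cache` and the backup location are assumptions, and samba and winbind are assumed to be stopped already.

```shell
#!/bin/sh
# Added example: partial winbind cache reset that keeps the domain join.
# Assumption: samba and winbind are already stopped (unit names vary by distro).

# clear_winbind_cache LIB_DIR CACHE_DIR BACKUP_DIR  (hypothetical helper)
# Backs up both directories, then removes only winbind*.tdb from LIB_DIR
# and *.tdb from CACHE_DIR. Everything else, including secrets.tdb and
# any subdirectory, is left untouched.
clear_winbind_cache() {
    lib_dir=$1; cache_dir=$2; backup_dir=$3

    [ -d "$lib_dir" ] && [ -d "$cache_dir" ] || {
        echo "missing directory: $lib_dir or $cache_dir" >&2
        return 1
    }

    # The backups contain machine account secrets: create them under a
    # restrictive umask so only the owner can read them.
    old_umask=$(umask)
    umask 077
    mkdir -p "$backup_dir" || { umask "$old_umask"; return 1; }
    tar -C "$lib_dir" -cf "$backup_dir/lib-samba.tar" . &&
    tar -C "$cache_dir" -cf "$backup_dir/cache-samba.tar" .
    rc=$?
    umask "$old_umask"
    # Never delete anything if either backup failed.
    [ "$rc" -eq 0 ] || { echo "backup failed, nothing deleted" >&2; return 1; }

    # Top level only, regular files only.
    find "$lib_dir" -maxdepth 1 -type f -name 'winbind*.tdb' -exec rm -f {} +
    find "$cache_dir" -maxdepth 1 -type f -name '*.tdb' -exec rm -f {} +
}

# Typical call on a domain member, with the paths from the post
# (backup path is an assumption):
#   clear_winbind_cache /var/lib/samba /var/cache/samba /root/samba-backup
# Then start samba and winbind and confirm that `wbinfo -u` and
# `wbinfo -g` list domain users and groups again.
```

Removing `winbindd_idmap.tdb` also discards IDs allocated by the `tdb` idmap backend configured for `*`, which is one more reason to take the backup before deleting.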