samba - Sep 2016 - Winbind / Samba auth problem after username change

No, i dont think is needed for all to rejoin. 

Now next server, do the same but now dont delete everything

Again stop samba and winbind. 

Backup the 2 /var/lib/samba and /var/cache/samba folder. 

Now in /var/lib/samba delete winbind*.tdb 
And *.tdb in /var/cache/samba 

USE THE SMB.CONF as before, modify it for the needed server. 
Start samba and winbind again. 

Type wbinfo -u first and wbinfo -g 
Just to be sure this works ok and it updates the tdb files again. 

If it works.. 
Stop samba +winbind again. 

Add in smb.conf 
password server = ADDC_WITH_FSMO 

retry above with all ADDC. DC04, DC01, DC02, *  
one has a problem i think

but test with only one server a time. 
( and user FQDN for the pass servers. ) 

That should help to identify where the problem is exact. 


Greetz, 

Louis

Good morning folks,


well first of all thank you very much for the help from all of you guys. Really
appreciate that.
I discussed the case with my department and we all came to the conclusion that
migrating the old machines to sssd would
be less time consuming rather than analyzing what has corrupted the old
database. Probably in the end a database rebuild would
be necessary anyway so I wrote a small bash script which transforms the old
authentication method to sssd. Already tested it and it works perfectly fine.
Makes sense to migrate all machines to one authentication method anyway.

Cheers,
Julian
> -----Ursprüngliche Nachricht-----
> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von L.P.H.
> van Belle via samba
> Gesendet: Mittwoch, 7. September 2016 17:09
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Winbind / Samba auth problem after username change
>
> No, i dont think is needed for all to rejoin.
>
> Now next server, do the same but now dont delete everything
>
> Again stop samba and winbind.
>
> Backup the 2 /var/lib/samba and /var/cache/samba folder.
>
> Now in /var/lib/samba delete winbind*.tdb
> And *.tdb in /var/cache/samba
>
> USE THE SMB.CONF as before, modify it for the needed server.
> Start samba and winbind again.
>
> Type wbinfo -u first and wbinfo -g
> Just to be sure this works ok and it updates the tdb files again.
>
> If it works..
> Stop samba +winbind again.
>
> Add in smb.conf
> password server = ADDC_WITH_FSMO
>
> retry above with all ADDC. DC04, DC01, DC02, *
> one has a problem i think
>
> but test with only one server a time.
> ( and user FQDN for the pass servers. )
>
> That should help to identify where the problem is exact.
>
>
> Greetz,
>
> Louis
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich
für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene
Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie
bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder
Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in
diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie
außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet
unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der
Kenntnisnahme und Manipulation besteht

Important Note: The information contained in this e-mail is confidential. It is
intended solely for the addressee. Access to this e-mail by anyone else is
unauthorized. If you are not the intended recipient, any form of disclosure,
reproduction, distribution or any action taken or refrained from in reliance on
it, is prohibited and may be unlawful. Please notify the sender immediately. We
also would like to inform you that communication via e-mail over the internet is
insecure because third parties may have the possibility to access and manipulate
e-mails.

Hai, Julian, 


Share-ing such a script would be apriciated ;-)  thats always handy to have.

And special reason why you choose sssd over winbind? 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: Julian Zielke [mailto:jzielke at next-level-integration.com]
> Verzonden: donderdag 8 september 2016 9:43
> Aan: L.P.H. van Belle; Rowland Penny; mathias dufresne
> CC: samba at lists.samba.org
> Onderwerp: AW: [Samba] Winbind / Samba auth problem after username change
> 
> Good morning folks,
> 
> 
> well first of all thank you very much for the help from all of you guys.
> Really appreciate that.
> I discussed the case with my department and we all came to the conclusion
> that migrating the old machines to sssd would
> be less time consuming rather than analyzing what has corrupted the old
> database. Probably in the end a database rebuild would
> be necessary anyway so I wrote a small bash script which transforms the
> old authentication method to sssd. Already tested it and it works
> perfectly fine.
> Makes sense to migrate all machines to one authentication method anyway.
> 
> Cheers,
> Julian
> 
> > -----Ursprüngliche Nachricht-----
> > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
L.P.H.
> > van Belle via samba
> > Gesendet: Mittwoch, 7. September 2016 17:09
> > An: samba at lists.samba.org
> > Betreff: Re: [Samba] Winbind / Samba auth problem after username
change
> >
> > No, i dont think is needed for all to rejoin.
> >
> > Now next server, do the same but now dont delete everything
> >
> > Again stop samba and winbind.
> >
> > Backup the 2 /var/lib/samba and /var/cache/samba folder.
> >
> > Now in /var/lib/samba delete winbind*.tdb
> > And *.tdb in /var/cache/samba
> >
> > USE THE SMB.CONF as before, modify it for the needed server.
> > Start samba and winbind again.
> >
> > Type wbinfo -u first and wbinfo -g
> > Just to be sure this works ok and it updates the tdb files again.
> >
> > If it works..
> > Stop samba +winbind again.
> >
> > Add in smb.conf
> > password server = ADDC_WITH_FSMO
> >
> > retry above with all ADDC. DC04, DC01, DC02, *
> > one has a problem i think
> >
> > but test with only one server a time.
> > ( and user FQDN for the pass servers. )
> >
> > That should help to identify where the problem is exact.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und
> ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht
> der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten,
> so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung,
> Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist.
> Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in
> Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die
> Kommunikation per E-Mail über das Internet unsicher ist, da für
> unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und
> Manipulation besteht
> 
> Important Note: The information contained in this e-mail is confidential.
> It is intended solely for the addressee. Access to this e-mail by anyone
> else is unauthorized. If you are not the intended recipient, any form of
> disclosure, reproduction, distribution or any action taken or refrained
> from in reliance on it, is prohibited and may be unlawful. Please notify
> the sender immediately. We also would like to inform you that
> communication via e-mail over the internet is insecure because third
> parties may have the possibility to access and manipulate e-mails.

On Thu, 8 Sep 2016 07:43:23 +0000
Julian Zielke <jzielke at next-level-integration.com> wrote:
> Good morning folks,
> 
> 
> well first of all thank you very much for the help from all of you
> guys. Really appreciate that. I discussed the case with my department
> and we all came to the conclusion that migrating the old machines to
> sssd would be less time consuming rather than analyzing what has
> corrupted the old database. Probably in the end a database rebuild
> would be necessary anyway so I wrote a small bash script which
> transforms the old authentication method to sssd. Already tested it
> and it works perfectly fine. Makes sense to migrate all machines to
> one authentication method anyway.
> 
Well if it works with sssd, it proves there is nothing wrong with your
AD, so it must have been something wrong with your Unix client set up.

Rowland

Here you go:

https://github.com/jzielke84/sssdmigrator

Feel free to commit changes if you find a bug.

The reason we switched to SSSD was a bug in Samba domain join which was fixed in
the first sernet pay-repos (version 4.3).
We bought a subscription later but had to get machines into the domain and SSSD
came in handy.
Also there was an article in a local linux magazine featuring that topic. And so
far it's running perfectly fine.

Cheers,
Julian
> -----Ursprüngliche Nachricht-----
> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von L.P.H.
> van Belle via samba
> Gesendet: Donnerstag, 8. September 2016 09:49
> An: samba at lists.samba.org
> Betreff: Re: [Samba] Winbind / Samba auth problem after username change
>
> Hai, Julian,
>
>
> Share-ing such a script would be apriciated ;-)  thats always handy to
have.
>
> And special reason why you choose sssd over winbind?
>
>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: Julian Zielke [mailto:jzielke at next-level-integration.com]
> > Verzonden: donderdag 8 september 2016 9:43
> > Aan: L.P.H. van Belle; Rowland Penny; mathias dufresne
> > CC: samba at lists.samba.org
> > Onderwerp: AW: [Samba] Winbind / Samba auth problem after username
> change
> >
> > Good morning folks,
> >
> >
> > well first of all thank you very much for the help from all of you
guys.
> > Really appreciate that.
> > I discussed the case with my department and we all came to the
conclusion
> > that migrating the old machines to sssd would
> > be less time consuming rather than analyzing what has corrupted the
old
> > database. Probably in the end a database rebuild would
> > be necessary anyway so I wrote a small bash script which transforms
the
> > old authentication method to sssd. Already tested it and it works
> > perfectly fine.
> > Makes sense to migrate all machines to one authentication method
> anyway.
> >
> > Cheers,
> > Julian
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag
von
> L.P.H.
> > > van Belle via samba
> > > Gesendet: Mittwoch, 7. September 2016 17:09
> > > An: samba at lists.samba.org
> > > Betreff: Re: [Samba] Winbind / Samba auth problem after username
> change
> > >
> > > No, i dont think is needed for all to rejoin.
> > >
> > > Now next server, do the same but now dont delete everything
> > >
> > > Again stop samba and winbind.
> > >
> > > Backup the 2 /var/lib/samba and /var/cache/samba folder.
> > >
> > > Now in /var/lib/samba delete winbind*.tdb
> > > And *.tdb in /var/cache/samba
> > >
> > > USE THE SMB.CONF as before, modify it for the needed server.
> > > Start samba and winbind again.
> > >
> > > Type wbinfo -u first and wbinfo -g
> > > Just to be sure this works ok and it updates the tdb files again.
> > >
> > > If it works..
> > > Stop samba +winbind again.
> > >
> > > Add in smb.conf
> > > password server = ADDC_WITH_FSMO
> > >
> > > retry above with all ADDC. DC04, DC01, DC02, *
> > > one has a problem i think
> > >
> > > but test with only one server a time.
> > > ( and user FQDN for the pass servers. )
> > >
> > > That should help to identify where the problem is exact.
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und
> > ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie
nicht
> > der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein
> sollten,
> > so beachten Sie bitte, dass jede Form der Kenntnisnahme,
> Veröffentlichung,
> > Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig
ist.
> > Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in
> > Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass
> die
> > Kommunikation per E-Mail über das Internet unsicher ist, da für
> > unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme
und
> > Manipulation besteht
> >
> > Important Note: The information contained in this e-mail is
confidential.
> > It is intended solely for the addressee. Access to this e-mail by
anyone
> > else is unauthorized. If you are not the intended recipient, any form
of
> > disclosure, reproduction, distribution or any action taken or
refrained
> > from in reliance on it, is prohibited and may be unlawful. Please
notify
> > the sender immediately. We also would like to inform you that
> > communication via e-mail over the internet is insecure because third
> > parties may have the possibility to access and manipulate e-mails.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich
für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene
Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie
bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder
Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in
diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie
außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet
unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der
Kenntnisnahme und Manipulation besteht

Important Note: The information contained in this e-mail is confidential. It is
intended solely for the addressee. Access to this e-mail by anyone else is
unauthorized. If you are not the intended recipient, any form of disclosure,
reproduction, distribution or any action taken or refrained from in reliance on
it, is prohibited and may be unlawful. Please notify the sender immediately. We
also would like to inform you that communication via e-mail over the internet is
insecure because third parties may have the possibility to access and manipulate
e-mails.

Thank you, very apreciated and very usefull. 
And good for my scripting learning skills. 

I forked it, so if i change something, i'll push you. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: Julian Zielke [mailto:jzielke at next-level-integration.com]
> Verzonden: donderdag 8 september 2016 11:00
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: AW: [Samba] Winbind / Samba auth problem after username change
> 
> Here you go:
> 
> https://github.com/jzielke84/sssdmigrator
> 
> Feel free to commit changes if you find a bug.
> 
> The reason we switched to SSSD was a bug in Samba domain join which was
> fixed in the first sernet pay-repos (version 4.3).
> We bought a subscription later but had to get machines into the domain and
> SSSD came in handy.
> Also there was an article in a local linux magazine featuring that topic.
> And so far it's running perfectly fine.
> 
> Cheers,
> Julian
> 
> > -----Ursprüngliche Nachricht-----
> > Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von
L.P.H.
> > van Belle via samba
> > Gesendet: Donnerstag, 8. September 2016 09:49
> > An: samba at lists.samba.org
> > Betreff: Re: [Samba] Winbind / Samba auth problem after username
change
> >
> > Hai, Julian,
> >
> >
> > Share-ing such a script would be apriciated ;-)  thats always handy to
> have.
> >
> > And special reason why you choose sssd over winbind?
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: Julian Zielke [mailto:jzielke at next-level-integration.com]
> > > Verzonden: donderdag 8 september 2016 9:43
> > > Aan: L.P.H. van Belle; Rowland Penny; mathias dufresne
> > > CC: samba at lists.samba.org
> > > Onderwerp: AW: [Samba] Winbind / Samba auth problem after
username
> > change
> > >
> > > Good morning folks,
> > >
> > >
> > > well first of all thank you very much for the help from all of
you
> guys.
> > > Really appreciate that.
> > > I discussed the case with my department and we all came to the
> conclusion
> > > that migrating the old machines to sssd would
> > > be less time consuming rather than analyzing what has corrupted
the
> old
> > > database. Probably in the end a database rebuild would
> > > be necessary anyway so I wrote a small bash script which
transforms
> the
> > > old authentication method to sssd. Already tested it and it works
> > > perfectly fine.
> > > Makes sense to migrate all machines to one authentication method
> > anyway.
> > >
> > > Cheers,
> > > Julian
> > >
> > > > -----Ursprüngliche Nachricht-----
> > > > Von: samba [mailto:samba-bounces at lists.samba.org] Im
Auftrag von
> > L.P.H.
> > > > van Belle via samba
> > > > Gesendet: Mittwoch, 7. September 2016 17:09
> > > > An: samba at lists.samba.org
> > > > Betreff: Re: [Samba] Winbind / Samba auth problem after
username
> > change
> > > >
> > > > No, i dont think is needed for all to rejoin.
> > > >
> > > > Now next server, do the same but now dont delete everything
> > > >
> > > > Again stop samba and winbind.
> > > >
> > > > Backup the 2 /var/lib/samba and /var/cache/samba folder.
> > > >
> > > > Now in /var/lib/samba delete winbind*.tdb
> > > > And *.tdb in /var/cache/samba
> > > >
> > > > USE THE SMB.CONF as before, modify it for the needed server.
> > > > Start samba and winbind again.
> > > >
> > > > Type wbinfo -u first and wbinfo -g
> > > > Just to be sure this works ok and it updates the tdb files
again.
> > > >
> > > > If it works..
> > > > Stop samba +winbind again.
> > > >
> > > > Add in smb.conf
> > > > password server = ADDC_WITH_FSMO
> > > >
> > > > retry above with all ADDC. DC04, DC01, DC02, *
> > > > one has a problem i think
> > > >
> > > > but test with only one server a time.
> > > > ( and user FQDN for the pass servers. )
> > > >
> > > > That should help to identify where the problem is exact.
> > > >
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and
read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und
> > > ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie
> nicht
> > > der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein
> > sollten,
> > > so beachten Sie bitte, dass jede Form der Kenntnisnahme,
> > Veröffentlichung,
> > > Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail
unzulässig
> ist.
> > > Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail
in
> > > Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen,
dass
> > die
> > > Kommunikation per E-Mail über das Internet unsicher ist, da für
> > > unberechtigte Dritte grundsätzlich die Möglichkeit der
Kenntnisnahme
> und
> > > Manipulation besteht
> > >
> > > Important Note: The information contained in this e-mail is
> confidential.
> > > It is intended solely for the addressee. Access to this e-mail by
> anyone
> > > else is unauthorized. If you are not the intended recipient, any
form
> of
> > > disclosure, reproduction, distribution or any action taken or
> refrained
> > > from in reliance on it, is prohibited and may be unlawful. Please
> notify
> > > the sender immediately. We also would like to inform you that
> > > communication via e-mail over the internet is insecure because
third
> > > parties may have the possibility to access and manipulate
e-mails.
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und
> ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht
> der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten,
> so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung,
> Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist.
> Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in
> Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die
> Kommunikation per E-Mail über das Internet unsicher ist, da für
> unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und
> Manipulation besteht
> 
> Important Note: The information contained in this e-mail is confidential.
> It is intended solely for the addressee. Access to this e-mail by anyone
> else is unauthorized. If you are not the intended recipient, any form of
> disclosure, reproduction, distribution or any action taken or refrained
> from in reliance on it, is prohibited and may be unlawful. Please notify
> the sender immediately. We also would like to inform you that
> communication via e-mail over the internet is insecure because third
> parties may have the possibility to access and manipulate e-mails.