[Samba] Winbind / Samba auth problem after username change

mathias dufresne infractory at gmail.com
Tue Sep 6 08:44:28 UTC 2016


You had a working environment using Winbind to retrieve user from AD.
You had to change that and now you have replaced Winbind by SSSD.
You changed some user names, those can't login any more.

When using "getent passwd | grep <username>" you have response.

A small note: rather than "getent passwd | grep <username>" which is
resource consuming you can do "getent passwd <username>". You ask here for
one user only which needs less resources, you should have one line as a

For me your configuration is almost good, at least for the part which is
responsible to retrieve users from the domain.

It seems you are lacking some configuration to tell SSSD which group can
login (because of "not allowed because none of user's groups are listed in

Add some groups in "AllowGroups" or don't use that feature. That should let
your users log in.



2016-09-06 10:17 GMT+02:00 Julian Zielke via samba <samba at lists.samba.org>:

> Hi,
> before we switched to SSSD we've been implementing the ssh authentication
> method via Domain using winbind+samba.
> Version installed on our machines is (still) 2:4.1.6+dfsg-1ubuntu2.14.04.13.
> So far everything has been working fine, however
> after we had to change a user's logon name in the domain he can't login
> anymore. auth.log shows still his old username followed by "from <IP> not
> allowed because none of user's groups are listed in AllowGroups". I
> searched several websites for a solution but only found recommendations on
> deleting
> the winbind cache at /var/lib/samba. However this didn't fix the problem.
> When I do a grep using getent passwd on the users NEW name, it shows up.
> So actually the domain controllers is delivering the correct username.
> Is this a known bug in version 4.1.6 or can I solve this any other way
> without running a package upgrade on a production machine?
> Cheers
> Julian
> Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und
> ausschlie?lich f?r den bezeichneten Adressaten bestimmt. Wenn Sie nicht der
> vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so
> beachten Sie bitte, dass jede Form der Kenntnisnahme, Ver?ffentlichung,
> Vervielf?ltigung oder Weitergabe des Inhalts dieser E-Mail unzul?ssig ist.
> Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in
> Verbindung zu setzen. Wir m?chten Sie au?erdem darauf hinweisen, dass die
> Kommunikation per E-Mail ?ber das Internet unsicher ist, da f?r
> unberechtigte Dritte grunds?tzlich die M?glichkeit der Kenntnisnahme und
> Manipulation besteht
> Important Note: The information contained in this e-mail is confidential.
> It is intended solely for the addressee. Access to this e-mail by anyone
> else is unauthorized. If you are not the intended recipient, any form of
> disclosure, reproduction, distribution or any action taken or refrained
> from in reliance on it, is prohibited and may be unlawful. Please notify
> the sender immediately. We also would like to inform you that communication
> via e-mail over the internet is insecure because third parties may have the
> possibility to access and manipulate e-mails.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list