[Samba] Winbind / Samba auth problem after username change

Rowland Penny rpenny at samba.org
Tue Sep 6 11:55:25 UTC 2016

On Tue, 6 Sep 2016 11:41:59 +0000
Julian Zielke via samba <samba at lists.samba.org> wrote:

> OK I think I got some more information for you guys. I just did
> “getent passwd <NEWusername>” and got: <OLD
> username>:*:<ID>:<ID2>::/home/…/<OLD username>:/bin/bash.
> When I do “su - <NEW username>” I get a valid shell with notification
> “No directory, logging in with HOME=/”. When I do the same with the
> OLD username I get “No passwd entry for user '<OLD username>'”.
> It’s like the new name is the only valid one but still has a hardlink
> to the old one… really weird…
> From: mathias dufresne [mailto:infractory at gmail.com]
> Sent: Tuesday, 6 September 2016 13:30
> To: Rowland Penny <rpenny at samba.org>
> Cc: samba <samba at lists.samba.org>; Julian Zielke
> <jzielke at next-level-integration.com>
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
> Hum...
> All users are OK except the one(s) you changed their names. No other
> modification in configuration, all others users are working well. Is
> that true? This broken user is correctly shown using "getent passwd
> <NEW username>"? Is that true?
> Can you use that user on system side, I would try, as root, "su -
> <NEW username>". This last test is to verify all is well configured
> about that user with new name. If it complains about missing home
> directory or anything else, that could be the cause SSH refuse to let
> that user connect on the system.
> 2016-09-06 11:36 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> On Tue, 6 Sep 2016 09:15:09 +0000 Julian Zielke via samba
> <samba at lists.samba.org> wrote:
> > Hi Mathias,
> >
> > thanks for your advice on how to use getent. However you’re
> > mentioning SSSD which is working fine. I was referring to it because
> > we changed to that method lately but the server having the problem
> > is NOT using this new method but the old winbind+samba combination.
> >
> > Sorry if it was confusing.
> >
> > Cheers,
> > Julian
> If you are using a fairly recent version of sssd, you are using a
> version of a Samba winbind lib, so just changing to sssd shouldn't
> give problems.
> First and foremost, all your users & groups are stored in AD as
> windows users & groups i.e. they have a SID-RID.
> So if you change a login name, it shouldn't affect anything else, so
> when I asked how you changed the login name, perhaps I should have
> asked, what did you change?
> Rowland

As you don't seem to want to answer my question, I will tell you what I
think is going on.

Let's take a user called 'Test User' who is a member of a group called
'A Group'; if you examine their object in AD, you will find something
like this:

user cn=Test User,CN=Users,DC=samdom,DC=example,DC=com
samaccountname: test
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

If you also examine the group's object:

dn: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com
member: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com

If you now change 'Test User's name to 'Someone Else', you will also change
various other things:

user cn=Someone Else,CN=Users,DC=samdom,DC=example,DC=com
samaccountname: someone
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

But I do not think you will change the 'member' line in the group's object,
it will still refer to 'Test User', who doesn't exist any more.
This means that 'Someone Else' isn't a member of 'A Group', even though
the user's object contains a 'memberOf' attribute that says they are.

Is this what is going on in your AD ???
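
One way to check an LDIF export of the directory for the inconsistency described above (an added example, not part of the original post or of Samba; the function names are hypothetical and the sample entries are constructed from the ones in the message). It reports every `member` or `memberOf` value that points at a missing object or is not mirrored on the other side:

```python
# Added example: cross-check 'member' / 'memberOf' links in an LDIF export.
# SAMPLE_LDIF is constructed from the entries quoted in the post.
SAMPLE_LDIF = """\
dn: CN=Someone Else,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: someone
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com
member: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded (continuation) line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            current = None
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep or value.startswith(":"):
            continue                        # comments, base64 values: skipped
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def find_mismatches(entries):
    """Return (kind, source dn, target dn) for each dangling or one-sided link."""
    problems = []
    for dn, attrs in entries.items():
        for fwd, back in (("member", "memberof"), ("memberof", "member")):
            for target in (t.lower() for t in attrs.get(fwd, [])):
                other = entries.get(target)
                if other is None:
                    problems.append((f"dangling {fwd}", dn, target))
                elif dn not in (v.lower() for v in other.get(back, [])):
                    problems.append((f"one-sided {fwd}", dn, target))
    return problems
if __name__ == "__main__":
    for kind, source, target in find_mismatches(parse_ldif(SAMPLE_LDIF)):
        print(f"{kind}: {source} -> {target}")
```

On a partial export, links to objects outside the exported subtree are also reported as dangling.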

