[Samba] Winbind / Samba auth problem after username change

Julian Zielke jzielke at next-level-integration.com
Wed Sep 7 09:12:35 UTC 2016 

Good Morning Rowland,





oh well, the bad side of the Internet... well the samba stuff was implemented by a former co-worker so I've to get into everything he did.

Here’s the information you’ve requested, additionally with my config files I know changed based on the samba wiki:



smb.conf:

cat /etc/samba/smb.conf

[global]

workgroup = MYDOMAIN

realm = MYDOMAIN.local

netbios name = vmu09tcse01

server string = Samba AD Client Version %v

security = ads

password server = DC03, DC04, DC01, DC02, *

server role = standalone server

idmap uid = 10000-20000

idmap gid = 10000-20000

winbind nss info = template

winbind enum users = yes

winbind enum groups = yes

winbind cache time = 10

winbind use default domain = yes

template homedir = /home/MYDOMAIN.LOCAL/%U

template shell = /bin/bash

client use spnego = yes

client ntlmv2 auth = yes

encrypt passwords = yes

restrict anonymous = 2

domain master = no

local master = no

preferred master = no

os level = 0



# Default idmap config used for BUILTIN and local windows accounts/groups

idmap config *:backend = tdb

idmap config *:range = 2000-9999



# idmap config for domain MYDOMAIN

idmap config MYDOMAIN:backend = rid

idmap config MYDOMAIN:range = 10000-99999



nsswitch.conf:

# /etc/nsswitch.conf

#

# Example configuration of GNU Name Service Switch functionality.

# If you have the `glibc-doc-reference' and `info' packages installed, try:

# `info libc "Name Service Switch"' for information about this file.



passwd: compat winbind

group: compat winbind

shadow:         compat



hosts: files dns mdns4

networks:       files



protocols:      db files

services:       db files

ethers:         db files

rpc:            db files



group: compat winbind



Sanitized version of user object:

user (strukturell)

organizationalPerson (strukturell)

person (strukturell)

top (abstrakt)

ren_test4

4

CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local

14.09.30828 04:48:05 MESZ (9223372036854775807)

0

0

User Rename Test

ren_test4

CN=ren_test4,OU=agroup,OU=team1,OU=user,OU=integration,DC=domain,DC=local

ren_test4

CN=g_blau_alle,OU=agroup,OU=team1,OU=user,OU=department,DC=domain,DC=local

ren_test4

{78ccfb30-fd1e-43bb-be3f-3a784e296d63}

S-1-5-21-291884467-1407662076-1109738395-2521

513

05.09.2016 16:28:18 MESZ (131175592980000000)

ren_test4

805306368

66048

ren_test4 at domain.local

67386

67033

06.09.2016 15:48:37 MESZ (20160906134837.0Z)

05.09.2016 16:28:16 MESZ (20160905142816.0Z)



BTW: when I do

# getent passwd | grep ren_test4



I get:

ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash



but when I do: getent passwd ren_test4

ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash



WTF??


Cheers,

Julian



> -----Ursprüngliche Nachricht-----

> Von: samba [mailto:samba-bounces at lists.samba.org] Im Auftrag von

> Rowland Penny via samba

> Gesendet: Dienstag, 6. September 2016 18:34

> An: samba at lists.samba.org

> Betreff: Re: [Samba] Winbind / Samba auth problem after username change

>

> On Tue, 6 Sep 2016 16:13:47 +0000

> Julian Zielke <jzielke at next-level-integration.com<mailto:jzielke at next-level-integration.com>> wrote:

>

> > BTW I noticed that most configs use the wildcard parameter. So the

> > smb.conf now uses:

> >

> > idmap config * : backend = rid

> > idmap config * : range = 16777216-33554431

> >

> > But still no change... I really wonder where this old username is

> > coming from...

> >

>

> No, the '*' range is meant for BUILTIN and local windows users, Please

> only refer to the Samba wiki for info, there is some terrible dross out

> there on the internet.

>

> Can you please post a sanitized version of the users object in AD,

> perhaps this will highlight something.

>

> Rowland

>

> --

> To unsubscribe from this list go to the following URL and read the

> instructions:  https://lists.samba.org/mailman/options/samba

Wichtiger Hinweis: Der Inhalt dieser E-Mail ist vertraulich und ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, so beachten Sie bitte, dass jede Form der Kenntnisnahme, Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie, sich in diesem Fall mit dem Absender der E-Mail in Verbindung zu setzen. Wir möchten Sie außerdem darauf hinweisen, dass die Kommunikation per E-Mail über das Internet unsicher ist, da für unberechtigte Dritte grundsätzlich die Möglichkeit der Kenntnisnahme und Manipulation besteht

Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.

More information about the samba mailing list