[Samba] Winbind / Samba auth problem after username change

mathias dufresne infractory at gmail.com
Wed Sep 7 09:54:44 UTC 2016


Could you please post the full output of the following command:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=ren_test*

Replace /var/lib/samba/private/sam.ldb with the real path to sam.ldb.

2016-09-07 11:12 GMT+02:00 Julian Zielke via samba <samba at lists.samba.org>:

> Good Morning Rowland,
>
> oh well, the bad side of the Internet... well the samba stuff was
> implemented by a former co-worker so I've to get into everything he did.
>
> Here’s the information you’ve requested, additionally with my config files
> I now changed based on the samba wiki:
>
> smb.conf:
>
> cat /etc/samba/smb.conf
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.local
> netbios name = vmu09tcse01
> server string = Samba AD Client Version %v
> security = ads
> password server = DC03, DC04, DC01, DC02, *
> server role = standalone server
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind nss info = template
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> winbind use default domain = yes
> template homedir = /home/MYDOMAIN.LOCAL/%U
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> domain master = no
> local master = no
> preferred master = no
> os level = 0
>
> # Default idmap config used for BUILTIN and local windows accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain MYDOMAIN
> idmap config MYDOMAIN:backend = rid
> idmap config MYDOMAIN:range = 10000-99999
>
> nsswitch.conf:
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow:         compat
>
> hosts: files dns mdns4
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> group: compat winbind
>
> Sanitized version of user object:
>
> user (strukturell)
> organizationalPerson (strukturell)
> person (strukturell)
> top (abstrakt)
> ren_test4
> 4
> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
> 14.09.30828 04:48:05 MESZ (9223372036854775807)
> 0
> 0
> User Rename Test
> ren_test4
> CN=ren_test4,OU=agroup,OU=team1,OU=user,OU=integration,DC=domain,DC=local
> ren_test4
> CN=g_blau_alle,OU=agroup,OU=team1,OU=user,OU=department,DC=domain,DC=local
> ren_test4
> {78ccfb30-fd1e-43bb-be3f-3a784e296d63}
> S-1-5-21-291884467-1407662076-1109738395-2521
> 513
> 05.09.2016 16:28:18 MESZ (131175592980000000)
> ren_test4
> 805306368
> 66048
> ren_test4 at domain.local
> 67386
> 67033
> 06.09.2016 15:48:37 MESZ (20160906134837.0Z)
> 05.09.2016 16:28:16 MESZ (20160905142816.0Z)
>
> BTW: when I do
>
> # getent passwd | grep ren_test4
>
> I get:
>
> ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash
>
> but when I do: getent passwd ren_test4
>
> ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash
>
> WTF??
>
> Cheers,
> Julian
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > Rowland Penny via samba
> > Sent: Tuesday, 6 September 2016 18:34
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Winbind / Samba auth problem after username change
> >
> > On Tue, 6 Sep 2016 16:13:47 +0000
> > Julian Zielke <jzielke at next-level-integration.com> wrote:
> >
> > > BTW I noticed that most configs use the wildcard parameter. So the
> > > smb.conf now uses:
> > >
> > > idmap config * : backend = rid
> > > idmap config * : range = 16777216-33554431
> > >
> > > But still no change... I really wonder where this old username is
> > > coming from...
> > >
> >
> > No, the '*' range is meant for BUILTIN and local windows users. Please
> > only refer to the Samba wiki for info, there is some terrible dross out
> > there on the internet.
> >
> > Can you please post a sanitized version of the users object in AD,
> > perhaps this will highlight something.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
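
Added example, not part of the original thread and not Samba project code: a POSIX shell check for the symptom reported above, where enumeration and a by-name lookup return different names for the same UID. The helper names (audit_names, rid_to_id, LOOKUP, sample_lookup, demo) are made up for this illustration, rid_to_id assumes the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID with base_rid 0, and the sample lines are constructed from the getent output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread). All helper names are hypothetical.

# Resolver used for by-name lookups; point LOOKUP at a stub to run offline.
LOOKUP=${LOOKUP:-real_lookup}
real_lookup() { getent passwd "$1"; }

# idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID (base_rid assumed 0).
rid_to_id() {   # usage: rid_to_id <SID> <range_low> [base_rid]
    echo $(( ${1##*-} - ${3:-0} + $2 ))
}

# Read passwd-format lines (e.g. "getent passwd" output) on stdin, resolve each
# name again on its own, and print one line per disagreement.
# Returns 1 if anything disagreed, 0 otherwise.
audit_names() {
    bad=0
    while IFS=: read -r name _pw uid _more; do
        [ -n "$name" ] || continue
        line=$("$LOOKUP" "$name") || { echo "MISSING $name"; bad=1; continue; }
        got_name=${line%%:*}                 # field 1: login name
        tail=${line#*:}; tail=${tail#*:}     # drop fields 1 and 2
        got_uid=${tail%%:*}                  # field 3: UID
        if [ "$got_name" != "$name" ] || [ "$got_uid" != "$uid" ]; then
            echo "MISMATCH asked=$name got=$got_name uid=$uid lookup_uid=$got_uid"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the by-name result quoted in the thread.
sample_lookup() {
    case "$1" in
        ren_test4) echo 'ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash' ;;
        *) return 2 ;;
    esac
}

# Feed the enumerated line quoted in the thread through the audit.
demo() {
    LOOKUP=sample_lookup
    echo 'ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash' | audit_names
}

if [ "${1:-}" = "--demo" ]; then demo || true; fi
```

On a live host, `getent passwd | audit_names` runs the same comparison against winbind. With the quoted MYDOMAIN range starting at 10000, the SID ending in -2521 maps to UID 12521, so the UID is derived from the RID and stays the same under either name.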

