[Samba] Winbind / Samba auth problem after username change

Rowland Penny rpenny at samba.org
Wed Sep 7 10:05:03 UTC 2016


See inline comments.

On Wed, 7 Sep 2016 09:12:35 +0000
Julian Zielke <jzielke at next-level-integration.com> wrote:

> smb.conf:

Can you try this smb.conf:

[global]
	workgroup = MYDOMAIN
	realm = MYDOMAIN.local
	netbios name = vmu09tcse01
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	server string = Samba AD Client Version %v
	security = ads
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = Yes
	template shell = /bin/bash
	domain master = no
	local master = no
	preferred master = no

	# Default idmap config used for BUILTIN and local windows accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain MYDOMAIN
	idmap config MYDOMAIN:backend = rid
	idmap config MYDOMAIN:range = 10000-99999

	# For ACL support on domain member
	vfs objects = acl_xattr
	map acl inherit = Yes
	store dos attributes = Yes

If your dns domain really does end in '.local', then I suggest you turn
off AVAHI if it is running.

> nsswitch.conf:
>
> # /etc/nsswitch.conf

You have this line twice:

group: compat winbind


> Sanitized version of user object:

Sorry, I cannot really understand this; I expected you to run something like this on the DC:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(samAccountType=805306368)(samaccountname=rowland))'

Which would have returned something like this:

# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
cn: Rowland Penny
sn: Penny
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3871
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
logonCount: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
pwdLastSet: 130915355010000000
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
userAccountControl: 66048
accountExpires: 0
gidNumber: 10000
gecos: Rowland Penny
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
homeDrive: H:
homeDirectory: \\DC2\home\rowland
objectClass: top
objectClass: posixAccount
objectClass: securityPrincipal
objectClass: person
objectClass: systemQuotas
objectClass: organizationalPerson
objectClass: user
description: A Unix user
lastLogonTimestamp: 131172747410094140
whenChanged: 20160902072541.0Z
uSNChanged: 294249
lastLogon: 131177043474577810
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

You could then have changed anything in that you don't want the list to
see.

> BTW: when I do
>
> # getent passwd | grep ren_test4
>
> I get:
>
> ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash
>
> but when I do: getent passwd ren_test4
>
> ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash

Now that is interesting; what does 'getent passwd | grep ren_test'
return?

Rowland
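An added example, not from this thread or from Samba: the inconsistent getent results quoted above (enumeration reports ren_test4 for uid 12521, a direct lookup of the same name reports ren_test3) can be checked mechanically. The Python script below compares 'getent passwd' enumeration with per-name lookups and flags a uid whose names disagree, and it inverts the idmap_rid arithmetic (ID = RID + low end of the range) for the 10000-99999 range in the smb.conf suggested above; the sample lines are constructed from the quoted output, and the rid backend is an assumption taken from the suggested config, not something the poster's configuration confirms.

```python
"""Cross-check winbind name lookups and decode idmap_rid IDs (added example)."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

def parse_passwd_line(line):
    """Parse one 'getent passwd' line; the password field is dropped."""
    name, _pw, uid, gid, gecos, home, shell = line.strip().split(":")
    return PasswdEntry(name, int(uid), int(gid), gecos, home, shell)

def find_stale_lookups(enumerated, direct):
    """Compare 'getent passwd' enumeration with per-name lookups.

    enumerated: lines from 'getent passwd'; direct: dict of queried name ->
    line returned by 'getent passwd NAME'. Returns one tuple
    (queried_name, uid, enumerated_name, returned_name) per lookup whose
    returned name disagrees with the queried name or with the enumeration
    for that uid, which is what a stale winbind cache entry looks like.
    """
    by_uid = {e.uid: e.name for e in map(parse_passwd_line, enumerated)}
    stale = []
    for queried, line in direct.items():
        entry = parse_passwd_line(line)
        enum_name = by_uid.get(entry.uid)
        if entry.name != queried or (enum_name and enum_name != entry.name):
            stale.append((queried, entry.uid, enum_name, entry.name))
    return stale

def rid_from_id(unix_id, range_low, range_high):
    """Invert idmap_rid's ID = RID + range_low; None if outside the range."""
    if not range_low <= unix_id <= range_high:
        return None
    return unix_id - range_low

# Constructed sample input, copied from the getent output quoted in the thread.
ENUMERATED = [
    "ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash",
]
DIRECT = {
    "ren_test4": "ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash",
}

if __name__ == "__main__":
    for queried, uid, enum_name, got in find_stale_lookups(ENUMERATED, DIRECT):
        print(f"uid {uid}: enumeration says {enum_name}, lookup of {queried} returned {got}")
    # Under 'idmap config MYDOMAIN:range = 10000-99999', uid 12521 is RID 2521
    # and gid 10513 is RID 513 (the well-known Domain Users group).
    print(rid_from_id(12521, 10000, 99999), rid_from_id(10513, 10000, 99999))
```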


