[Samba] Winbind / Samba auth problem after username change

Julian Zielke jzielke at next-level-integration.com
Wed Sep 7 11:20:54 UTC 2016


- It really ends in local. So I guess I can leave this one.
- I've corrected the double entry in nsswitch.conf

The command returns:
# getent passwd | grep ren_test
ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash

What I copied into the message before was our object directly from the DC.
I thought you said "ldapsearch", not ldbsearch ;-)

Well here's the ldbsearch result (hopefully I did it the right way):
# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s sub '(&(samAccountType=805306368)(samaccountname=ren_test))'
# returned 0 records
# 0 entries
# 0 referrals

Even when I do it without any subcommand it returns 0 records:
ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local'
# returned 0 records
# 0 entries
# 0 referrals

Dunno whether this now points to an error in my configuration or not.

Cheers,
Julian


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Wednesday, 7 September 2016 12:05
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
>
> See inline comments.
>
> On Wed, 7 Sep 2016 09:12:35 +0000
> Julian Zielke <jzielke at next-level-integration.com> wrote:
>
> >
> >
> >
> > smb.conf:
> >
>
> Can you try this smb.conf:
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.local
> netbios name = vmu09tcse01
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba AD Client Version %v
> security = ads
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind refresh tickets = Yes
> template shell = /bin/bash
> domain master = no
> local master = no
> preferred master = no
>
> # Default idmap config used for BUILTIN and local windows accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain MYDOMAIN
> idmap config MYDOMAIN:backend = rid
> idmap config MYDOMAIN:range = 10000-99999
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> If your dns domain really does end in '.local', then I suggest you turn
> off AVAHI if it is running.
>
> >
> >
> > nsswitch.conf:
> >
> > # /etc/nsswitch.conf
> >
>
> You have this line twice:
>
> group: compat winbind
>
>
> >
> >
> > Sanitized version of user object:
> >
>
> Sorry, I cannot really understand this, I expected you to run something like
> this on the DC:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(samAccountType=805306368)(samaccountname=rowland))'
>
> Which would have returned something like this
>
> # record 1
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> cn: Rowland Penny
> sn: Penny
> givenName: Rowland
> instanceType: 4
> whenCreated: 20151109093821.0Z
> displayName: Rowland Penny
> uSNCreated: 3871
> name: Rowland Penny
> objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
> logonCount: 0
> sAMAccountName: rowland
> sAMAccountType: 805306368
> userPrincipalName: rowland at samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> pwdLastSet: 130915355010000000
> unixUserPassword: ABCD!efgh12345$67890
> uid: rowland
> msSFU30Name: rowland
> msSFU30NisDomain: samdom
> uidNumber: 10000
> unixHomeDirectory: /home/rowland
> loginShell: /bin/bash
> userAccountControl: 66048
> accountExpires: 0
> gidNumber: 10000
> gecos: Rowland Penny
> memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
> homeDrive: H:
> homeDirectory: \\DC2\home\rowland
> objectClass: top
> objectClass: posixAccount
> objectClass: securityPrincipal
> objectClass: person
> objectClass: systemQuotas
> objectClass: organizationalPerson
> objectClass: user
> description: A Unix user
> lastLogonTimestamp: 131172747410094140
> whenChanged: 20160902072541.0Z
> uSNChanged: 294249
> lastLogon: 131177043474577810
> distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
> You could then have changed anything in that you don't want the list to
> see.
>
> >
> > BTW: when I do
> >
> > # getent passwd | grep ren_test4
> >
> >
> >
> > I get:
> >
> >
> > ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash
> >
> >
> >
> > but when I do: getent passwd ren_test4
> >
> >
> > ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash
> >
>
> Now that is interesting, what does 'getent passwd | grep ren_test'
> return ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.
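The getent discrepancy quoted above (enumeration shows ren_test4 for UID 12521 while a by-name lookup returns ren_test3, both with GID 10513) and the rid idmap ranges in the suggested smb.conf are easy to reason about offline. The script below is an added example, not code from the thread or from the Samba project: it implements the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID, with the default BASE_RID of 0) for the range 10000-99999 from that smb.conf, classifies an ID by which idmap range owns it, and compares the name enumeration reports for a UID with the name a by-name lookup returns. The getent lines, the function names and the sample SIDs are constructed for the example; the domain SID prefix is copied from the ldbsearch record in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check winbind/idmap_rid numbers
# and spot a UID whose enumerated name and by-name lookup disagree.
# All input is constructed inline, so this runs without winbind present.

# Ranges from the suggested smb.conf:
#   idmap config * : range        = 2000-9999   (tdb, BUILTIN/local accounts)
#   idmap config MYDOMAIN : range = 10000-99999 (rid)
DEFAULT_LOW=2000
DEFAULT_HIGH=9999
IDMAP_LOW=10000
IDMAP_HIGH=99999

# idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID defaults to 0.
rid_to_id() {
    echo $(( $1 + $IDMAP_LOW ))
}

# The RID is the last dash-separated component of an objectSid, e.g.
# S-1-5-21-1768301897-3342589593-1064908849-1107 -> 1107
sid_to_rid() {
    echo "${1##*-}"
}

# UID/GID the rid backend hands out for a SID, or "out-of-range" when the
# resulting ID would fall above the configured domain range.
expected_id() {
    id=$(rid_to_id "$(sid_to_rid "$1")")
    if [ "$id" -gt "$IDMAP_HIGH" ]; then
        echo "out-of-range"
    else
        echo "$id"
    fi
}

# Which idmap range a numeric ID belongs to, per the two ranges above.
id_owner() {
    if [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]; then
        echo "MYDOMAIN (rid)"
    elif [ "$1" -ge "$DEFAULT_LOW" ] && [ "$1" -le "$DEFAULT_HIGH" ]; then
        echo "default (tdb)"
    else
        echo "unmapped"
    fi
}

# Constructed passwd-style lines in the shape the thread shows:
# what 'getent passwd' enumerates, and what 'getent passwd <name>' answered.
ENUM_OUTPUT='ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash
otheruser:*:10001:10513:otheruser:/home/DOMAIN.LOCAL/otheruser:/bin/bash'
LOOKUP_OUTPUT='ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash'

# Compare the account name enumeration gives a UID with the name a lookup
# returned for the same UID. Prints "consistent" or "stale:<enum>!=<lookup>".
check_name_for_uid() {
    uid=$1
    enum_name=$(printf '%s\n' "$2" | awk -F: -v u="$uid" '$3 == u { print $1; exit }')
    lookup_name=$(printf '%s\n' "$3" | awk -F: -v u="$uid" '$3 == u { print $1; exit }')
    if [ "$enum_name" = "$lookup_name" ]; then
        echo "consistent"
    else
        echo "stale:${enum_name}!=${lookup_name}"
    fi
}

# Stand-alone run: the numbers from the thread fit the rid backend exactly.
# UID 12521 is RID 2521; GID 10513 is RID 513, i.e. Domain Users.
echo "RID 513 (Domain Users) maps to GID $(rid_to_id 513)"
echo "UID 12521 belongs to: $(id_owner 12521)"
echo "UID 12521 name check: $(check_name_for_uid 12521 "$ENUM_OUTPUT" "$LOOKUP_OUTPUT")"
```

On a real member the same comparison is `getent passwd | grep "^name:"` against `getent passwd name`, and `wbinfo -n name` / `wbinfo -s SID` show which SID winbind ties the name to. One caveat when a user has just been renamed: winbind caches name/SID results, so an old name can linger for a SID until the cache expires or is cleared with `net cache flush`; rule that out before suspecting the idmap configuration.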

