[Samba] Winbind / Samba auth problem after username change

L.P.H. van Belle belle at bazuin.nl
Wed Sep 7 14:34:36 UTC 2016


No tls setup in samba? 
Host/ip in dns is checked? 

Resolv.conf is pointed to the AD DC with FSMO roles? 

And you tried recreating the krb5.keytab if it is not recreated?

Greetz, 

Louis



> -----Original message-----
> From: Julian Zielke [mailto:jzielke at next-level-integration.com]
> Sent: Wednesday, 7 September 2016 16:31
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: AW: [Samba] Winbind / Samba auth problem after username change
> 
> Tried that too. Now when joining the domain I get:
> 
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> Server (krbtgt/LOCAL at NLI.LOCAL) unknown]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal
> error occurred.
> Failed to join domain: failed to connect to AD: An internal error
> occurred.
> 
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> > Sent: Wednesday, 7 September 2016 16:03
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Winbind / Samba auth problem after username change
> >
> > I would suggest.
> >
> > Stop samba and winbind
> >
> > Backup
> > /etc/krb5.keytab
> > /var/lib/samba
> > /var/cache/samba
> >
> > Remove everything in :
> > /var/lib/samba
> > /var/cache/samba
> > And remove :
> > /etc/krb5.keytab
> >
> >
> > Put in this config (from Rowland's suggestion).
> > Can you try this smb.conf:
> >
> > [global]
> > workgroup = MYDOMAIN
> > realm = MYDOMAIN.local
> > netbios name = vmu09tcse01
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > server string = Samba AD Client Version %v
> > security = ads
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > winbind refresh tickets = Yes
> > template shell = /bin/bash
> > domain master = no
> > local master = no
> > preferred master = no
> >
> > # Default idmap config used for BUILTIN and local windows accounts/groups
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > # idmap config for domain MYDOMAIN
> > idmap config MYDOMAIN:backend = rid
> > idmap config MYDOMAIN:range = 10000-99999
> >
> > # For ACL support on domain member
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> >
> >
> > Join the domain again.
> >
> > Test again.
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Julian Zielke via samba
> > > Sent: Wednesday, 7 September 2016 15:52
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Winbind / Samba auth problem after username change
> > >
> > > BTW I just tried the getent command again and it gets even weirder:
> > >
> > > # getent passwd ren_test4
> > > ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash
> > >
> > > then did another getent after a couple of seconds:
> > >
> > > # getent passwd ren_test4
> > > ren_test3:*:12521:10513:ren_test3:/home/NLI.LOCAL/ren_test3:/bin/bash
> > >
> > > This is...well..I have no damn clue XD
> > >
> > >
> > >
> > > > -----Original message-----
> > > > From: Julian Zielke
> > > > Sent: Wednesday, 7 September 2016 15:19
> > > > To: 'samba at lists.samba.org' <samba at lists.samba.org>
> > > > Subject: WG: [Samba] Winbind / Samba auth problem after username change
> > > > >
> > > > > I just did a cp -p *.ldb to a backup directory and restarted the services.
> > > > > Of course I didn't delete it since I don't know whether this action would be
> > > > > fatal.
> > > > >
> > >
> > > > > > > -----Original message-----
> > > > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> > > > > > > Sent: Wednesday, 7 September 2016 15:10
> > > > > > > To: samba at lists.samba.org
> > > > > > > Subject: Re: [Samba] Winbind / Samba auth problem after username change
> > > > > > >
> > > > > > > On Wed, 7 Sep 2016 12:46:39 +0000
> > > > > > > Julian Zielke <jzielke at next-level-integration.com> wrote:
> > > > > > >
> > > > > > > > Btw, before it looked like this:
> > > > > > > >
> > > > > > > > # ll
> > > > > > > > total 7148
> > > > > > > > drwxr-xr-x 2 root root    4096 Sep  7 14:36 ./
> > > > > > > > drwxr-xr-x 7 root root    4096 Sep  7 14:38 ../
> > > > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 14:34 DC=NLI,DC=LOCAL.ldb
> > > > > > > > -rw------- 1 root root   24576 Sep  7 13:11 netlogon_creds_cli.tdb
> > > > > > > > -rw------- 1 root root  421888 Sep  7 13:09 passdb.tdb
> > > > > > > > -rw------- 1 root root     696 Jan 19  2016 randseed.tdb
> > > > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 13:08 sam.ldb
> > > > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 14:29 sam.ldbobjectClass=*
> > > > > > > > -rw------- 1 root root 1286144 Sep  7 10:50 secrets.ldb
> > > > > > > > -rw------- 1 root root  430080 Sep  4 10:06 secrets.tdb
> > > > > > > > -rw-r--r-- 1 root root 1286144 Sep  7 13:09 *-tdb
> > > > > > > >
> > > > > > > > From: Julian Zielke
> > > > > > > > Sent: Wednesday, 7 September 2016 14:41
> > > > > > > > To: 'Rowland Penny' <rpenny at samba.org>
> > > > > > > > Cc: samba at lists.samba.org
> > > > > > > > Subject: AW: [Samba] Winbind / Samba auth problem after username change
> > > > > > > >
> > > > > > > > Well, I always get 0 results, whether using cn, full username,
> > > > > > > > wildcards, another existing and working user etc.
> > > > > > > >
> > > > > > > > # cat /etc/passwd | grep 'ren_test'
> > > > > > > >
> > > > > > > > returns nothing
> > > > > > > >
> > > > > > > > # wbinfo -u | grep 'ren_test'
> > > > > > > >
> > > > > > > > returns: ren_test4
> > > > > > > >
> > > > > > > > I also created a backup of all those ldb files and restarted the
> > > > > > > > samba service. Now there's no new sam.ldb but a file looking similar
> > > > > > > > to it.
> > > > > > > >
> > >
> > > > > >
> > >
> > > > > > How are you backing up the ldb files ?
> > >
> > > > > > Once you have you backed up sam.ldb, are you deleting it ?
> > >
> > > > > >
> > >
> > > > > > Rowland
> > >
> > > > > >
> > >
> > > > > > --
> > >
> > > > > > To unsubscribe from this list go to the following URL and read
> the
> > >
> > > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > >

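Added example, not part of the thread: a check of the idmap settings in the smb.conf posted above against the two getent answers quoted above. It assumes the rid range 10000-99999 from that smb.conf was in effect and base_rid was left at its default of 0; the function names are made up for this illustration. With the rid backend the uid is computed from the RID alone, not from the account name, so both answers decode to the same RID.

```python
import re

# idmap lines from the smb.conf posted in the thread (MYDOMAIN is its placeholder).
SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-99999
"""
# The two answers quoted in the thread for the same "getent passwd ren_test4".
GETENT = [
    "ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash",
    "ren_test3:*:12521:10513:ren_test3:/home/NLI.LOCAL/ren_test3:/bin/bash",
]

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
    domains = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains

def overlapping(domains):
    """Adjacent (by low bound) domain pairs whose ID ranges intersect; [] is healthy."""
    items = sorted((d["range"], name) for name, d in domains.items() if "range" in d)
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

def id_to_rid(xid, domains, base_rid=0):
    """Invert idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID); assumes base_rid unset."""
    for name, d in domains.items():
        low, high = d.get("range", (1, 0))
        if d.get("backend") == "rid" and low <= xid <= high:
            return name, xid - low + base_rid
    return None

def accounts(lines, domains):
    """(name, user (domain, RID), primary group (domain, RID)) per passwd line."""
    rows = (line.split(":") for line in lines)
    return [(f[0], id_to_rid(int(f[2]), domains), id_to_rid(int(f[3]), domains)) for f in rows]

if __name__ == "__main__":
    print(overlapping(parse_idmap(SMB_CONF)), accounts(GETENT, parse_idmap(SMB_CONF)))
```

Both getent lines decode to user RID 2521 and primary group RID 513 (the well-known Domain Users RID), and the two configured ranges do not overlap.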


