
[Samba] Winbind / Samba auth problem after username change


Julian Zielke via samba
Sep 6, 2016, 4:30:02 AM

Hi,

before we switched to SSSD we had implemented ssh authentication against the domain using winbind+samba.
The version installed on our machines is (still) 2:4.1.6+dfsg-1ubuntu2.14.04.13. So far everything has been working fine; however,
after we had to change a user's logon name in the domain he can't log in anymore. auth.log still shows his old username followed by "from <IP> not allowed because none of user's groups are listed in AllowGroups". I searched several websites for a solution but only found recommendations on deleting
the winbind cache at /var/lib/samba. However, this didn't fix the problem. When I do a grep using getent passwd on the user's NEW name, it shows up.
So actually the domain controllers are delivering the correct username.

Is this a known bug in version 4.1.6 or can I solve this any other way without running a package upgrade on a production machine?

Cheers
Julian


Important Note: The information contained in this e-mail is confidential. It is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately. We also would like to inform you that communication via e-mail over the internet is insecure because third parties may have the possibility to access and manipulate e-mails.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba
Sep 6, 2016, 4:40:03 AM

On Tue, 6 Sep 2016 08:17:12 +0000
Julian Zielke via samba <sa...@lists.samba.org> wrote:

> Hi,
>
> before we switched to SSSD we've been implementing the ssh
> authentication method via Domain using winbind+samba. Version
> installed on our machines is (still) 2:4.1.6+dfsg-1ubuntu2.14.04.13.
> So far everything has been working fine, however after we had to
> change a user's logon name in the domain he can't login anymore.
> auth.log shows still his old username followed by "from <IP> not
> allowed because none of user's groups are listed in AllowGroups". I
> searched several websites for a solution but only found
> recommendations on deleting the winbind cache at /var/lib/samba.
> However this didn't fix the problem. When I do a grep using getent
> passwd on the users NEW name, it shows up. So actually the domain
> controllers is delivering the correct username.
>
> Is this a known bug in version 4.1.6 or can I solve this any other
> way without running a package upgrade on a production machine?
>
> Cheers
> Julian
>

How did you change the user's logon name?
Have you checked the user's object in AD?

Rowland

mathias dufresne via samba
Sep 6, 2016, 4:50:03 AM

Hi,

You had a working environment using Winbind to retrieve users from AD.
You had to change that and now you have replaced Winbind by SSSD.
You changed some user names, and those users can't log in any more.

When using "getent passwd | grep <username>" you get a response.

A small note: rather than "getent passwd | grep <username>", which is
resource-consuming, you can do "getent passwd <username>". You ask here for
one user only, which needs fewer resources; you should get one line as a
response.

For me your configuration is almost good, at least for the part which is
responsible to retrieve users from the domain.

It seems you are lacking some configuration to tell SSSD which group can
login (because of "not allowed because none of user's groups are listed in
AllowGroups").

Add some groups in "AllowGroups" or don't use that feature. That should let
your users log in.

Cheers,

M.

Julian Zielke via samba
Sep 6, 2016, 4:50:03 AM

Hi Rowland,

we're using the Windows MMC for administrating the Samba Sernet DCs running samba-sernet-ad 4.2.11-9.
4 domain controllers are present. The primary DC replicates to a second in our local office and to 2 others in a VPN-connected network.
Changes are always made on our primary DC. DCs 3 and 4 and the primary and secondary DC are responsible for ssh authentication on the Linux boxes
having the problem.

Cheers,
Julian


mathias dufresne via samba
Sep 6, 2016, 5:10:03 AM

My bad, it seems to be an ssh configuration:
http://askubuntu.com/questions/545058/ssh-allow-windows-ad-groupswith-special-charactors

Julian Zielke via samba
Sep 6, 2016, 5:20:03 AM

Hi Mathias,

thanks for your advice on how to use getent. However, you’re mentioning SSSD, which is working fine. I was referring to it because we changed to that method lately, but the server having the problem is NOT using this new method but the old winbind+samba combination.

Sorry if it was confusing.

Cheers,
Julian


Julian Zielke via samba
Sep 6, 2016, 5:30:10 AM

Hi Mathias,

well we’ve allowed the sshd to give access to the group domain users. All other users are working fine so it shouldn’t be an error within sshd.conf.
The only difference appears in the auth.log where, just for the user with the changed name, the old username appears first, followed by some more lines (requesting password) for the new username. It’s like this: user tries to login with new username > sshd sends login to winbind/samba > winbind/samba somehow links this login to old username > auth.log shows old username being not part of any group (of course, the user doesn’t exist with that name anymore).

I know every user in winbind is linked to a unique UID so maybe winbind looks up the same UID which the older user had but now the new username matching the same UID confuses the service. There must be some kind of cache because on another machine running the same authentication method the old username doesn’t show up (probably because the user never logged in there with his old name so the “cache” is clean).

Cheers,
Julian

From: mathias dufresne [mailto:infra...@gmail.com]
Sent: Tuesday, 6 September 2016 11:05
To: Julian Zielke <jzi...@next-level-integration.com>
Cc: sa...@lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

My bad, it seems to be an ssh configuration:
http://askubuntu.com/questions/545058/ssh-allow-windows-ad-groupswith-special-charactors


Rowland Penny via samba
Sep 6, 2016, 5:50:02 AM

On Tue, 6 Sep 2016 09:15:09 +0000
Julian Zielke via samba <sa...@lists.samba.org> wrote:

> Hi Mathias,
>
> thanks for your advice on how to use getent. However you’re
> mentioning SSSD which is working fine. I was referring to it because
> we changed to that method lately but the server having the problem is
> NOT using this new method but the old winbind+samba combination.
>
> Sorry it it was confusing.
>
> Cheers,
> Julian

If you are using a fairly recent version of sssd, you are using a
version of a Samba winbind lib, so just changing to sssd shouldn't give
problems.

First and foremost, all your users & groups are stored in AD as Windows
users & groups, i.e. they have a SID-RID.
So if you change a login name, it shouldn't affect anything else, so
when I asked how you changed the login name, perhaps I should have
asked: what did you change?

Rowland

mathias dufresne via samba
Sep 6, 2016, 7:40:02 AM

Hum...

All users are OK except the one(s) whose names you changed. No other
modification in configuration, all other users are working well.
Is that true?

This broken user is correctly shown using "getent passwd <NEW username>"?
Is that true?

Can you use that user on the system side? I would try, as root, "su - <NEW
username>". This last test is to verify all is well configured for that
user with the new name. If it complains about a missing home directory or
anything else, that could be the reason SSH refuses to let that user connect
to the system.
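Mathias's two manual checks above (look the new name up the way getent does, then see whether the home directory exists) as an added Python script. This is example code written for this page, not code from the thread or from Samba. It goes one step beyond the manual checks: it compares the pw_name that NSS returns against the name that was asked for, which is the check that separates a stale winbind name cache from a DC problem, and it derives the account RID from the uid on the assumption that the idmap backend is 'rid' with the range starting at 16777216 (the range in the smb.conf posted in this thread). The passwd lines and the names jsmith/jdoe are constructed sample data.

```python
"""Sanity-check a winbind-backed account after a rename (added example)."""
import os
import pwd
import sys

# Constructed sample lines.  The first is what an affected box might return
# for 'getent passwd jsmith' when the OLD name 'jdoe' is still cached; the
# second is what a healthy box returns.
SAMPLE_STALE_LINE = "jdoe:*:16777300:16777216::/home/MYDOMAIN/jdoe:/bin/bash"
SAMPLE_GOOD_LINE = "jsmith:*:16777300:16777216::/home/MYDOMAIN/jsmith:/bin/bash"


def parse_passwd_line(line):
    """Split one getent/NSS passwd line into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd line: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def rid_from_uid(uid, range_low=16777216):
    """Invert the idmap_rid mapping uid = RID + low end of the range.

    Assumption: the 'rid' backend with the range from the thread's smb.conf.
    The RID never changes on a rename, so the uid is stable and only the
    cached name can go stale."""
    rid = uid - range_low
    if rid < 0:
        raise ValueError("uid below the configured idmap range")
    return rid


def check_account(requested, entry, home_exists=os.path.isdir):
    """Return findings for the passwd entry NSS returned for 'requested'."""
    findings = []
    if entry["name"] != requested:
        findings.append(
            f"name mismatch: lookup of {requested!r} returned pw_name "
            f"{entry['name']!r} (uid {entry['uid']}, RID "
            f"{rid_from_uid(entry['uid'])}); suspect a stale winbind name "
            "cache on this host rather than the DCs")
    if not home_exists(entry["home"]):
        findings.append(f"home directory {entry['home']} does not exist "
                        "('su -' will fall back to HOME=/)")
    return findings


def check_from_nss(requested):
    """Live variant: query NSS the way getent does and run the same checks."""
    try:
        pw = pwd.getpwnam(requested)
    except KeyError:
        return [f"no passwd entry for {requested!r}"]
    entry = {"name": pw.pw_name, "uid": pw.pw_uid, "gid": pw.pw_gid,
             "gecos": pw.pw_gecos, "home": pw.pw_dir, "shell": pw.pw_shell}
    return check_account(requested, entry)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real check: python3 check_account.py <NEW username>
        for finding in check_from_nss(sys.argv[1]):
            print(finding)
    else:
        # Offline demonstration on the constructed stale line.
        entry = parse_passwd_line(SAMPLE_STALE_LINE)
        for finding in check_account("jsmith", entry, home_exists=lambda p: False):
            print(finding)
```

Run with the new user name as the only argument on the affected host; with no argument it replays the constructed stale line. A "name mismatch" finding means the name→id layer on that host is serving the old name for the unchanged uid, which is exactly the case where flushing or rebuilding the host's winbind cache is the right place to look, and where the DCs can be left alone.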

mathias dufresne via samba
Sep 6, 2016, 7:40:02 AM

PS: Rowland's questions are still relevant ;)

Julian Zielke via samba
Sep 6, 2016, 7:50:02 AM

OK I think I got some more information for you guys. I just did “getent passwd <NEWusername>” and got:
<OLD username>:*:<ID>:<ID2>::/home/…/<OLD username>:/bin/bash.

When I do “su - <NEW username>” I get a valid shell with notification “No directory, logging in with HOME=/”.
When I do the same with the OLD username I get “No passwd entry for user '<OLD username>'”.

It’s like the new name is the only valid one but still has a hardlink to the old one… really weird…



Julian Zielke via samba
Sep 6, 2016, 8:00:02 AM

Mathias,

yes I did the flush, which was also shown in the tutorials I found on the net, right after deleting the cache files. Didn’t help either. :-/

From: mathias dufresne [mailto:infra...@gmail.com]
Sent: Tuesday, 6 September 2016 13:33
To: Julian Zielke <jzi...@next-level-integration.com>
Subject: Re: [Samba] Winbind / Samba auth problem after username change

Julian,
Last thing: did you try "net cache list", "net cache flush"? It should be designed to show and flush the id map...


Rowland Penny via samba
Sep 6, 2016, 8:00:03 AM

As you don't seem to want to answer my question, I will tell you what I
think is going on.

Let's take a user called 'Test User' who is a member of a group called
'A Group'. If you examine their object in AD, you will find something
like this:

user cn=Test User,CN=Users,DC=samdom,DC=example,DC=com
samaccountname: test
........
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

If you also examine the groups object:

dn: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com
.......
member: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com

If you now change 'Test Users' name to 'Someone Else', you will also change
various other things:

user cn=Someone Else,CN=Users,DC=samdom,DC=example,DC=com
samaccountname: someone
........
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

But I do not think you will change the 'member' line in the groups object,
it will still refer to 'Test User', who doesn't exist any more.
This means that 'Someone Else' isn't a member of 'A Group', even though
the users object contains a 'memberOf' attribute that says they are.

Is this what is going on in your AD ???
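To make Rowland's hypothesis checkable, here is an added Python script (written for this page, not code from the thread or from Samba) that parses a small LDIF export and reports two kinds of inconsistency: groups whose 'member' values name a DN that no longer exists, and users whose 'memberOf' is not mirrored by the group's 'member' list. The LDIF below is constructed to reproduce the rename Rowland describes (Test User renamed to Someone Else while A Group still names the old DN); on a real system, feed it an ldbsearch or ldapsearch export of the users and groups in question. The parser assumes plain LDIF without line folding or base64 values.

```python
"""Find dangling group membership after a user rename (added example)."""
from collections import defaultdict

# Constructed LDIF: 'Test User' was renamed to 'Someone Else' in the user
# object, but A Group's 'member' attribute still points at the old DN.
# B Group / Other User are a consistent control case.
SAMPLE_LDIF = """\
dn: CN=Someone Else,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: someone
memberOf: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=A Group,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: agroup
member: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Other User,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: other
memberOf: CN=B Group,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=B Group,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: bgroup
member: CN=Other User,CN=Users,DC=samdom,DC=example,DC=com
"""


def dn_key(dn):
    """DNs compare case-insensitively; use a lowercased form as the key."""
    return dn.lower()


def parse_ldif(text):
    """Parse minimal LDIF (no folding, no base64) into {dn: {attr: [values]}}.

    Attribute names are lowercased so memberOf/memberof compare equal."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = value
            entries[current] = defaultdict(list)
        elif current is not None:
            entries[current][attr].append(value)
    return entries


def find_dangling_members(entries):
    """(group_dn, member_dn) pairs where a group's 'member' DN does not exist."""
    known = {dn_key(dn) for dn in entries}
    problems = []
    for dn, attrs in entries.items():
        classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        if "group" not in classes:
            continue
        for member in attrs.get("member", []):
            if dn_key(member) not in known:
                problems.append((dn, member))
    return problems


def find_one_sided_memberof(entries):
    """(user_dn, group_dn) pairs where the user claims memberOf but the
    group's 'member' list does not contain the user's current DN."""
    index = {dn_key(dn): attrs for dn, attrs in entries.items()}
    problems = []
    for dn, attrs in entries.items():
        for group_dn in attrs.get("memberof", []):
            members = {dn_key(m) for m in index.get(dn_key(group_dn), {}).get("member", [])}
            if dn_key(dn) not in members:
                problems.append((dn, group_dn))
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for group_dn, member in find_dangling_members(entries):
        print(f"group {group_dn} lists non-existent member {member}")
    for user_dn, group_dn in find_one_sided_memberof(entries):
        print(f"user {user_dn} claims memberOf {group_dn}, "
              "but the group does not list it")
```

A hit from the first function is what would make a group-based check such as sshd's AllowGroups fail for the renamed user even though the user object itself looks right; no hits on either function rules the directory out and points the investigation back at the member server's own cache.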

Julian Zielke via samba
Sep 6, 2016, 8:40:03 AM

Well we've changed the logon name (SAMAccountName) and the Name and Surname of the user object.


mathias dufresne via samba
Sep 6, 2016, 8:50:03 AM

I tried to use ldapmodify to modify the RDN (as CN is used for group
membership and also used to build the DN) and this change was reflected in
the group it belongs to.

As ldapmodify is an external tool, and it works well with that external tool, I
would expect the internal tools provided by Samba or MS to work well too.

Anyway Julian, you should check if the change is reflected in the groups.
You should also tell us which LDAP attribute you changed. A user name
is not a unique notion in AD: CN is a user name, as are sAMAccountName,
userPrincipalName, or also uid.

mathias dufresne via samba
Sep 6, 2016, 8:50:03 AM

sAMAccountName has no impact on group membership (which uses CN).

Perhaps the "net cache flush" has to be performed on the DC too. I mean on
ALL DCs. Could you try that?

Julian Zielke via samba
Sep 6, 2016, 8:50:03 AM

OK, I've used Apache Directory Studio to examine your hint, but the user object has the new name and the group the user is in has the user's proper DN string.
So the change seems to be correct on the DCs part.


Rowland Penny via samba
Sep 6, 2016, 8:50:04 AM

On Tue, 6 Sep 2016 12:20:13 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

> Huh? I did answer you on your question what we have changed:
>


Sorry about that, I have only just received that post (and they say
email is instant ;-)

Have you checked what I suggested ?

Julian Zielke via samba
Sep 6, 2016, 9:10:04 AM

Yes,

the change is reflected in the groups. The user's DN has all the new information we entered. The group has a memberOf string with the same correct information.
A net cache flush on our DCs didn't help either. Since another server using the same DCs and authentication mechanisms has no problems with the new name, it seems to be
a server-related issue and not a DC one.

- Julian


Julian Zielke via samba
Sep 6, 2016, 9:10:04 AM

Hey Mathias,

well we don't use ldapmodify. We use Windows machines for our domain administration and the built-in Windows Domain Administration tools, which work
fine with Samba Sernet DCs. All we do is change the fields "logon name, name and surname" in the GUI. So when I say SAMAccountName I'm referring to the logon name
our Windows machines are using too.

Cheers,
Julian


Julian Zielke via samba
Sep 6, 2016, 10:00:02 AM

Huh? I did answer you on your question what we have changed:

-----Original Message-----
From: Julian Zielke
Sent: Tuesday, 6 September 2016 12:57
To: sa...@lists.samba.org
Subject: RE: [Samba] Winbind / Samba auth problem after username change

Well we've changed the logon name (SAMAccountName) and the Name and Surname of the user object.

Or was there any other question I probably see by the amount of quotes?

Cheers,
Julian


Julian Zielke via samba
Sep 6, 2016, 10:10:03 AM
BTW, this is our smb.conf:

# Global parameters
[global]
workgroup = mydomain
realm = mydomain.local
netbios name = myhostname
server string = Samba AD Client Version %v
security = ads
password server = dc03, dc04, dc01, dc02, *
server role = standalone server

winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
winbind refresh tickets = Yes
winbind offline logon = true
winbind nested groups = yes

template shell = /bin/bash

idmap config * : range = 16777216-33554431
idmap config mydomain : backend = rid
idmap config mydomain : range = 16777216-33554431

log file = /var/log/samba/log.%m
max log size = 1000
printing = bsd
printcap name = /dev/null



> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Julian
> Zielke via samba
> Sent: Tuesday, 6 September 2016 15:06
> To: mathias dufresne <infra...@gmail.com>; Rowland Penny
> <rpe...@samba.org>
> Cc: sa...@lists.samba.org

Rowland Penny via samba
Sep 6, 2016, 10:20:02 AM
On Tue, 6 Sep 2016 13:59:43 +0000
Julian Zielke via samba <sa...@lists.samba.org> wrote:

> BTW, this is our smb.conf:
>
> # Global parameters
> [global]
> workgroup = mydomain
> realm = mydomain.local
> netbios name = myhostname
> server string = Samba AD Client Version %v
> security = ads
> password server = dc03, dc04, dc01, dc02, *

You should let Samba find the password server, so I would change the
above to just 'password server = *', which is a default setting, so
you might as well delete the line.

> server role = standalone server

No, if you use 'security = ads' then it is 'server role = member server'

>
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = no

This is the default setting.

> winbind refresh tickets = Yes
> winbind offline logon = true
> winbind nested groups = yes
>
> template shell = /bin/bash
>
> idmap config * : range = 16777216-33554431
> idmap config mydomain : backend = rid
> idmap config mydomain : range = 16777216-33554431

And this is a no-no, the ranges must not overlap, never mind overlap,
yours are the same.

>
> log file = /var/log/samba/log.%m
> max log size = 1000
> printing = bsd
> printcap name = /dev/null
>
>
>

Julian Zielke via samba
Sep 6, 2016, 11:00:02 AM
OK, I've commented out that line, leaving only:

> idmap config mydomain : backend = rid
> idmap config mydomain : range = 16777216-33554431

in the config file.

Also I did a net cache flush and deleted the database files at /var/lib/samba. Still nothing...same old username when querying the new one using getent passwd.
I noticed the user having an ID of 4294967295 which exceeds the limit in the config file. Is this normal? Also I created a new domain user which could log in, changed the
name and the same happened.

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday, 6 September 2016 16:10
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>

Rowland Penny via samba
Sep 6, 2016, 11:20:03 AM
On Tue, 6 Sep 2016 14:56:20 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

> OK, I've commented out that line, leaving only:
>
> > idmap config mydomain : backend = rid
> > idmap config mydomain : range = 16777216-33554431
>
> in the config file.
>
> Also I did a net cache flush and deleted the database files
> at /var/lib/samba. Still nothing...same old username when querying
> the new one using getent passwd. I noticed the user having an ID of
> 4294967295 which exceeds the limit in the config file. Is this
> normal? Also I created a new domain user which could log in, changed
> the name and the same happened.
>
>

So, 'getent passwd oldusername' produces a result, so where is it
coming from ?

Have you checked /etc/passwd ?

What is in the 'passwd' and 'group' lines in /etc/nsswitch.conf ?

You say that this computer is using winbind and not sssd, if so, can I
suggest you have a look here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Julian Zielke via samba
Sep 6, 2016, 11:50:03 AM
No, getent NEWusername produces a result SHOWING the old username - not the other way around.
The machine is a domain member. We did a join using net join ads.

The passwords file has only the standard local users in there.

=================================================================
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

group: compat winbind
=================================================================

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday, 6 September 2016 17:08
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>

Rowland Penny via samba
Sep 6, 2016, 12:00:03 PM
On Tue, 6 Sep 2016 15:38:57 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

> No, getent NEWusername produces a result SHOWING the old username -
> not the other way around. The machine is a domain member. We did a
> join using net join ads.

Where is it displaying the old username ?

>
> The passwords file has only the standard local users in there.

Well that rules that out.

>
> =================================================================
> cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> group: compat winbind
> =================================================================
>

Why have you got two 'group' lines ? otherwise nothing wrong there.

Is there any chance you can post a sanitized version of the users
object in AD ?

Julian Zielke via samba
Sep 6, 2016, 12:20:02 PM
BTW I noticed that most configs use the wildcard parameter. So the smb.conf now uses:

idmap config * : backend = rid
idmap config * : range = 16777216-33554431

But still no change... I really wonder where this old username is coming from...

> -----Original Message-----
> From: Julian Zielke
> Sent: Tuesday, 6 September 2016 18:10
> To: 'Rowland Penny' <rpe...@samba.org>
> Cc: 'sa...@lists.samba.org' <sa...@lists.samba.org>
> Subject: RE: [Samba] Winbind / Samba auth problem after username change
>
> Here:
>
> # getent passwd <domain>+<NEWusername>
> <domain>+<OLDusername>:*:16778566:16777729::/home/NLI/<OLDusername>:/bin/bash
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-...@lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Tuesday, 6 September 2016 17:53
> > To: sa...@lists.samba.org
> > Subject: Re: [Samba] Winbind / Samba auth problem after username
> change
> >

Julian Zielke via samba
Sep 6, 2016, 12:20:02 PM
Here:

# getent passwd <domain>+<NEWusername>
<domain>+<OLDusername>:*:16778566:16777729::/home/NLI/<OLDusername>:/bin/bash


> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday, 6 September 2016 17:53
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>

Rowland Penny via samba
Sep 6, 2016, 12:40:05 PM
On Tue, 6 Sep 2016 16:13:47 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

> BTW I noticed that most configs use the wildcard parameter. So the
> smb.conf now uses:
>
> idmap config * : backend = rid
> idmap config * : range = 16777216-33554431
>
> But still no change... I really wonder where this old username is
> coming from...
>

No, the '*' range is meant for BUILTIN and local windows users, Please
only refer to the Samba wiki for info, there is some terrible dross out
there on the internet.

Can you please post a sanitized version of the users object in AD,
perhaps this will highlight something.

Julian Zielke via samba
Sep 7, 2016, 5:20:03 AM
Good Morning Rowland,

oh well, the bad side of the Internet... well the samba stuff was implemented by a former co-worker so I have to get into everything he did.

Here's the information you've requested, additionally with my config files I now changed based on the samba wiki:

smb.conf:

cat /etc/samba/smb.conf
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.local
netbios name = vmu09tcse01
server string = Samba AD Client Version %v
security = ads
password server = DC03, DC04, DC01, DC02, *
server role = standalone server
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
template homedir = /home/MYDOMAIN.LOCAL/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0

# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain MYDOMAIN
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-99999

nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

group: compat winbind

Sanitized version of user object:
user (structural)
organizationalPerson (structural)
person (structural)
top (abstract)
ren_test4
4
CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
14.09.30828 04:48:05 MESZ (9223372036854775807)
0
0
User Rename Test
ren_test4
CN=ren_test4,OU=agroup,OU=team1,OU=user,OU=integration,DC=domain,DC=local
ren_test4
CN=g_blau_alle,OU=agroup,OU=team1,OU=user,OU=department,DC=domain,DC=local
ren_test4
{78ccfb30-fd1e-43bb-be3f-3a784e296d63}
S-1-5-21-291884467-1407662076-1109738395-2521
513
05.09.2016 16:28:18 MESZ (131175592980000000)
ren_test4
805306368
66048
ren_...@domain.local
67386
67033
06.09.2016 15:48:37 MESZ (20160906134837.0Z)
05.09.2016 16:28:16 MESZ (20160905142816.0Z)

BTW: when I do

# getent passwd | grep ren_test4

I get:

ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash

but when I do: getent passwd ren_test4

ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash

WTF??

Cheers,
Julian

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday, 6 September 2016 18:34
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> On Tue, 6 Sep 2016 16:13:47 +0000

mathias dufresne via samba
Sep 7, 2016, 6:00:03 AM
Could you please post the full output of the following command:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=ren_test*

Replacing /var/lib/samba/private/sam.ldb by the real path to sam.ldb

Rowland Penny via samba
Sep 7, 2016, 6:20:03 AM

See inline comments.

On Wed, 7 Sep 2016 09:12:35 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

>
>
>
> smb.conf:
>

Can you try this smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.local
netbios name = vmu09tcse01
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba AD Client Version %v
security = ads
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = Yes
template shell = /bin/bash
domain master = no
local master = no
preferred master = no

# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain MYDOMAIN
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-99999

# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

If your dns domain really does end in '.local', then I suggest you turn
off AVAHI if it is running.

>
>
> nsswitch.conf:
>
> # /etc/nsswitch.conf
>

You have this line twice:

group: compat winbind


>
>
> Sanitized version of user object:
>

Sorry, I cannot really understand this, I expected you to run something like this on the DC:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub '(&(samAccountType=805306368)(samaccountname=rowland))'

Which would have returned something like this

# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
cn: Rowland Penny
sn: Penny
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3871
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
logonCount: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: row...@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
om
pwdLastSet: 130915355010000000
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
userAccountControl: 66048
accountExpires: 0
gidNumber: 10000
gecos: Rowland Penny
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
homeDrive: H:
homeDirectory: \\DC2\home\rowland
objectClass: top
objectClass: posixAccount
objectClass: securityPrincipal
objectClass: person
objectClass: systemQuotas
objectClass: organizationalPerson
objectClass: user
description: A Unix user
lastLogonTimestamp: 131172747410094140
whenChanged: 20160902072541.0Z
uSNChanged: 294249
lastLogon: 131177043474577810
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

You could then have changed anything in that you don't want the list to
see.

>
> BTW: when I do
>
> # getent passwd | grep ren_test4
>
>
>
> I get:
>
> ren_test4:*:12521:10513:ren_test4:/home/DOMAIN.LOCAL/ren_test4:/bin/bash
>
>
>
> but when I do: getent passwd ren_test4
>
> ren_test3:*:12521:10513:ren_test3:/home/DOMAIN.LOCAL/ren_test3:/bin/bash
>

Now that is interesting, what does 'getent passwd | grep ren_test'
return ?
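As an added example (my own code, not from the thread or from the Samba project), the script below parses the idmap lines of the two smb.conf variants posted in this thread, reports the overlapping ranges and the 'server role' / 'password server' settings Rowland objected to earlier, and reproduces the rid backend arithmetic behind the uid 12521 and gid 10513 that getent printed for ren_test4 (range low 10000 + RID 2521 and + primary group RID 513). The function names and the trimmed config strings are constructed for this example.

```python
# Added example (mine, not code from the thread or from the Samba project):
# lint the idmap section of a domain member's smb.conf and show how the
# rid backend derives the uid/gid that getent prints from the account's SID.
import re

# Both configs on this page write "idmap config X : range = lo-hi" or
# "idmap config X:backend = rid"; the regex accepts either spacing.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+)$",
    re.IGNORECASE,
)
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")

def parse_smb_conf(text):
    """Return ({global key: value}, {DOMAIN: {'backend': ..., 'range': ...}})."""
    settings, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":  # skip blanks, comments, section headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").strip().upper()
            idmap.setdefault(dom, {})[m.group("key").lower()] = m.group("val").strip()
            continue
        m = KV_RE.match(line)
        if m:
            settings[m.group("key").lower()] = m.group("val").strip()
    return settings, idmap

def parse_range(value):
    """'10000-99999' -> (10000, 99999); a reversed range is rejected."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"idmap range {value!r} has low > high")
    return lo, hi

def lint_idmap(settings, idmap):
    """Return findings in plain words; an empty list means every check passed."""
    findings = []
    if settings.get("security", "").lower() == "ads":
        role = settings.get("server role", "auto").lower()
        if role not in ("auto", "member server"):
            findings.append(f"security = ads but server role = {role}; expected member server")
        if "password server" in settings:
            findings.append("password server is set; let Samba locate the DCs itself")
    if "*" not in idmap:
        findings.append("no 'idmap config *' entry for BUILTIN and local Windows accounts")
    ranges = [(dom, *parse_range(cfg["range"])) for dom, cfg in idmap.items() if "range" in cfg]
    # Every pair of configured ranges must be disjoint (identical ranges included).
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2} overlap")
    return findings

def rid_to_unix_id(sid, idmap, domain):
    """idmap_rid arithmetic: unix id = range low + RID, which must not exceed range high."""
    cfg = idmap[domain.upper()]
    if cfg.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    rid = int(sid.rsplit("-", 1)[1])
    lo, hi = parse_range(cfg["range"])
    unix_id = lo + rid
    if unix_id > hi:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {lo}-{hi}")
    return unix_id

# Constructed excerpts of the first smb.conf posted in this thread and of the
# corrected one, keeping only the lines the checks look at.
ORIGINAL_CONF = """
[global]
security = ads
password server = dc03, dc04, dc01, dc02, *
server role = standalone server
idmap config * : range = 16777216-33554431
idmap config mydomain : backend = rid
idmap config mydomain : range = 16777216-33554431
"""
CORRECTED_CONF = """
[global]
security = ads
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 10000-99999
"""
# objectSid of ren_test4 as posted above; its primaryGroupID is RID 513.
REN_TEST4_SID = "S-1-5-21-291884467-1407662076-1109738395-2521"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        print(name, lint_idmap(*parse_smb_conf(conf)) or "ok")
    _, idmap = parse_smb_conf(CORRECTED_CONF)
    print("uid", rid_to_unix_id(REN_TEST4_SID, idmap, "MYDOMAIN"))  # 12521
    print("gid", rid_to_unix_id(REN_TEST4_SID.rsplit("-", 1)[0] + "-513", idmap, "MYDOMAIN"))  # 10513
```

Because the rid backend is pure arithmetic, a uid that does not equal range low + RID (or one outside the range, like the 4294967295 seen earlier in the thread) points at a cached or mis-ranged mapping rather than at the DC.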

Julian Zielke via samba
Sep 7, 2016, 7:30:04 AM
sure:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=ren_test*
# returned 0 records
# 0 entries
# 0 referrals

From: mathias dufresne [mailto:infra...@gmail.com]
Sent: Wednesday, 7 September 2016 11:55
To: Julian Zielke <jzi...@next-level-integration.com>
Cc: Rowland Penny <rpe...@samba.org>; sa...@lists.samba.org
Subject: Re: [Samba] Winbind / Samba auth problem after username change

Could you please post the full output of the following command:
ldbsearch -H /var/lib/samba/private/sam.ldb cn=ren_test*
Replacing /var/lib/samba/private/sam.ldb by the real path to sam.ldb

Julian Zielke via samba
Sep 7, 2016, 7:30:04 AM
- It really ends in local. So I guess I can leave this one.
- I've corrected the double entry in nsswitch.conf

The command returns:
# getent passwd | grep ren_test
ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash

What I copied into the message before was our object directly from the DC.
I thought you said "ldapsearch", not ldbsearch ;-)

Well here's the ldbsearch result (hopefully I did it the right way):
# ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s sub '(&(samAccountType=805306368)(samaccountname=ren_test))'
# returned 0 records
# 0 entries
# 0 referrals

Even when I do it without any subcommand it returns 0 records:
ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local'
# returned 0 records
# 0 entries
# 0 referrals

Dunno whether this now points to an error in my configuration or not.

Cheers,
Julian


> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday, 7 September 2016 12:05
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
>

Rowland Penny via samba
Sep 7, 2016, 8:00:02 AM
On Wed, 7 Sep 2016 11:20:54 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

See inline comments:

> - It really ends in local. So I guess I can leave this one.

If AVAHI is running on any Unix machines, it can get in the way, so as
I said, you would be advised to turn it off.

> - I've corrected the double entry in nsswitch.conf
>
> The command returns:
> # getent passwd | grep ren_test
> ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash
>
> What I copied into the message before was our object directly from
> the DC. I thought you said "ldapsearch", not ldbsearch ;-)
>
> Well here's the ldbsearch result (hopefully I did it the right way):
> # ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local' -s
> sub '(&(samAccountType=805306368)(samaccountname=ren_test))' #
> returned 0 records # 0 entries
> # 0 referrals
>
> Even when I do it without any subcommand it returns 0 records:
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'dc=nli,dc=local'
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> Dunno whether this now points to an error in my configuration or not.
>

Possibly not, '/var/lib/samba/private/sam.ldb' is the path to 'sam.ldb'
if you compile Samba yourself. It may (and probably will be) in a
different place if you are using OS packages
i.e. /var/lib/samba/private/sam.ldb on debian

You should also replace 'rowland' with the full user logon name.

Julian Zielke via samba
Sep 7, 2016, 8:10:03 AM
AVAHI is not running on our machines.

We're using Samba from the official sernet repository. I did a find-command on all sam.ldb files and
this is the only one which exists. Also when I delete them and restart the samba service, it's being created again, so
I guess it's the correct file the daemon is working with.

I've used the ldbsearch with the full logon name, however even when doing the command Mathias suggested no results are shown at all.

- Julian

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday, 7 September 2016 13:48
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>

Rowland Penny via samba
Sep 7, 2016, 8:20:02 AM
On Wed, 7 Sep 2016 12:05:05 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

> AVAHI is not running on our machines.
>
> We're using Samba from the official sernet repository. I did a
> find-command on all sam.ldb files and this is the only one which
> exists. Also when I delete them and restart the samba service, it's
> being created again, so I guess it's the correct file the daemon is
> working with.
>
> I've used the ldbsearch with the full logon name, however even when
> doing the command Mathias suggested no results are shown at all.
>
> - Julian
>

Try changing 'samaccountname' to 'cn'
You could also try: cat /etc/passwd | grep 'ren_test'

If you have a user 'ren_test' that getent passwd shows, it has to be
coming from one or the other.

You could also try: wbinfo -u | grep 'ren_test'

Julian Zielke via samba
Sep 7, 2016, 8:50:03 AM
Btw, before it looked like this:

# ll
total 7148
drwxr-xr-x 2 root root 4096 Sep 7 14:36 ./
drwxr-xr-x 7 root root 4096 Sep 7 14:38 ../
-rw-r--r-- 1 root root 1286144 Sep 7 14:34 DC=NLI,DC=LOCAL.ldb
-rw------- 1 root root 24576 Sep 7 13:11 netlogon_creds_cli.tdb
-rw------- 1 root root 421888 Sep 7 13:09 passdb.tdb
-rw------- 1 root root 696 Jan 19 2016 randseed.tdb
-rw-r--r-- 1 root root 1286144 Sep 7 13:08 sam.ldb
-rw-r--r-- 1 root root 1286144 Sep 7 14:29 sam.ldbobjectClass=*
-rw------- 1 root root 1286144 Sep 7 10:50 secrets.ldb
-rw------- 1 root root 430080 Sep 4 10:06 secrets.tdb
-rw-r--r-- 1 root root 1286144 Sep 7 13:09 *-tdb



From: Julian Zielke
Sent: Wednesday, 7 September 2016 14:41
To: 'Rowland Penny' <rpe...@samba.org>
Cc: sa...@lists.samba.org
Subject: RE: [Samba] Winbind / Samba auth problem after username change


Well, I always get 0 results, whether using cn, full username, wildcards, another existing and working user etc.

# cat /etc/passwd | grep 'ren_test'

returns nothing

# wbinfo -u | grep 'ren_test'

returns: ren_test4

I also created a backup of all those ldb files and restarted the samba service. Now there's no new sam.ldb but a file looking similar to it.

Here's the complete directory:

/var/lib/samba/private# ll
total 4644
drwxr-xr-x 4 root root 4096 Sep 7 14:38 ./
drwxr-xr-x 7 root root 4096 Sep 7 14:38 ../
drwx------ 2 root root 4096 Sep 7 14:39 msg.sock/
-rw------- 1 root root 24576 Sep 7 14:38 netlogon_creds_cli.tdb
-rw------- 1 root root 421888 Sep 7 13:09 passdb.tdb
-rw------- 1 root root 696 Jan 19 2016 randseed.tdb
-rw-r--r-- 1 root root 1286144 Sep 7 14:29 sam.ldbobjectClass=*
-rw------- 1 root root 1286144 Sep 7 14:38 secrets.ldb
-rw------- 1 root root 430080 Sep 4 10:06 secrets.tdb
drwxr-xr-x 2 root root 4096 Jan 19 2016 smbd.tmp/
-rw-r--r-- 1 root root 1286144 Sep 7 13:09 *-tdb

Doing an ldbsearch on this file also returns 0 records. Even with the -a argument and no filter.

- Julian

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday, 7 September 2016 14:15
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>
> On Wed, 7 Sep 2016 12:05:05 +0000



Achim Gottinger via samba, Sep 7, 2016, 9:00:03 AM

I think it was not yet mentioned. Can it be you run nscd? If so stop
that thing and try again.

Rowland Penny via samba, Sep 7, 2016, 9:20:04 AM

How are you backing up the ldb files?
Once you have backed up sam.ldb, are you deleting it?

Julian Zielke via samba, Sep 7, 2016, 9:30:04 AM

I just did a cp -p *.ldb to a backup directory and restarted the services.
Of course I didn't delete it since I don't know whether this action would be
fatal.


> > -----Original Message-----
> > From: samba [mailto:samba-...@lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Wednesday, 7 September 2016 15:10
> > To: sa...@lists.samba.org
> > Subject: Re: [Samba] Winbind / Samba auth problem after username

Julian Zielke via samba, Sep 7, 2016, 10:00:03 AM

BTW I just tried the getent command again and it gets even weirder:

# getent passwd ren_test4

ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash

then did another getent after a couple of seconds:

# getent passwd ren_test4

ren_test3:*:12521:10513:ren_test3:/home/NLI.LOCAL/ren_test3:/bin/bash

This is...well..I have no damn clue XD

> -----Original Message-----
> From: Julian Zielke
> Sent: Wednesday, 7 September 2016 15:19
> To: 'sa...@lists.samba.org' <sa...@lists.samba.org>
> Subject: FW: [Samba] Winbind / Samba auth problem after username change
>
> I just did a cp -p *.ldb to a backup directory and restarted the services.
> Of course I didn't delete it since I don't know whether this action would be
> fatal.
>
>
> > > -----Original Message-----
> > > From: samba [mailto:samba-...@lists.samba.org] On behalf of
> > > Rowland Penny via samba
> > > Sent: Wednesday, 7 September 2016 15:10
> > > To: sa...@lists.samba.org
> > > Subject: Re: [Samba] Winbind / Samba auth problem after username
> > change
> > >
> > > On Wed, 7 Sep 2016 12:46:39 +0000
> > > Julian Zielke <jzi...@next-level-integration.com> wrote:
> > >
> > > > Btw, before it looked like this:
> > > >
> > > > # ll
> > > > total 7148
> > > > drwxr-xr-x 2 root root 4096 Sep 7 14:36 ./
> > > > drwxr-xr-x 7 root root 4096 Sep 7 14:38 ../
> > > > -rw-r--r-- 1 root root 1286144 Sep 7 14:34 DC=NLI,DC=LOCAL.ldb
> > > > -rw------- 1 root root 24576 Sep 7 13:11 netlogon_creds_cli.tdb
> > > > -rw------- 1 root root 421888 Sep 7 13:09 passdb.tdb
> > > > -rw------- 1 root root 696 Jan 19 2016 randseed.tdb
> > > > -rw-r--r-- 1 root root 1286144 Sep 7 13:08 sam.ldb
> > > > -rw-r--r-- 1 root root 1286144 Sep 7 14:29 sam.ldbobjectClass=*
> > > > -rw------- 1 root root 1286144 Sep 7 10:50 secrets.ldb
> > > > -rw------- 1 root root 430080 Sep 4 10:06 secrets.tdb
> > > > -rw-r--r-- 1 root root 1286144 Sep 7 13:09 *-tdb
> > > >
> > > >
> > > >
> > > > From: Julian Zielke
> > > > Sent: Wednesday, 7 September 2016 14:41
> > > > To: 'Rowland Penny' <rpe...@samba.org>
> > > > Cc: sa...@lists.samba.org

Rowland Penny via samba, Sep 7, 2016, 10:00:03 AM

On Wed, 7 Sep 2016 13:20:32 +0000
Julian Zielke via samba <sa...@lists.samba.org> wrote:

> I just did a cp -p *.ldb to a backup directory and restarted the
> services. Of course I didn't delete it since I don't know whether
> this action would be fatal.
>
>

There is a tool for doing this, 'tdbbackup', and deleting sam.ldb etc
would be fatal.

L.P.H. van Belle via samba, Sep 7, 2016, 10:10:03 AM

I would suggest.

Stop samba and winbind

Backup
/etc/krb5.keytab
/var/lib/samba
/var/cache/samba

Remove everything in :
/var/lib/samba
/var/cache/samba
And remove :
/etc/krb5.keytab


Put in this config ( from Rowland's suggestion. )
Join the domain again.

Test again.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Julian Zielke via
> samba
> Sent: Wednesday 7 September 2016 15:52
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
> > > > Julian Zielke <jzielke@next-level-

Rowland Penny via samba, Sep 7, 2016, 10:10:03 AM

On Wed, 7 Sep 2016 13:51:57 +0000
Julian Zielke via samba <sa...@lists.samba.org> wrote:

> BTW I just tried the getent command again and it gets even weirder:
>
>
>
> # getent passwd ren_test4
>
> ren_test4:*:12521:10513:ren_test4:/home/NLI.LOCAL/ren_test4:/bin/bash
>
>
>
> then did another getent after a couple of seconds:
>
>
>
> # getent passwd ren_test4
>
> ren_test3:*:12521:10513:ren_test3:/home/NLI.LOCAL/ren_test3:/bin/bash
>
>
>
> This is...well..I have no damn clue XD
>


This is very strange, try this search:

ldbsearch -H /usr/local/samba/private/sam.ldb -b
'dc=samdom,dc=example,dc=com' -s sub '(samAccountType=805306368)' dn
samaccountname

It should print out the DN and logon name for every user in your AD.

Julian Zielke via samba, Sep 7, 2016, 10:10:03 AM

AH ok, thanks for the advice. I just copied back all the files and restarted the samba service.


> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday, 7 September 2016 15:55
> To: sa...@lists.samba.org
> Subject: Re: [Samba] FW: Winbind / Samba auth problem after username
> change
>

L.P.H. van Belle via samba, Sep 7, 2016, 10:40:04 AM

No tls setup in samba?
Host/ip in dns is checked?

Resolv.conf is pointed to the AD DC with FSMO roles?

And you tried recreating the krb5.keytab if it is not recreated?

Greetz,

Louis



> -----Original message-----
> From: Julian Zielke [mailto:jzi...@next-level-integration.com]
> Sent: Wednesday 7 September 2016 16:31
> To: L.P.H. van Belle
> CC: sa...@lists.samba.org
> Subject: RE: [Samba] Winbind / Samba auth problem after username change
>
> Tried that too. Now when joining the domain I get:
>
> gss_init_sec_context failed with [ Miscellaneous failure (see text):
> Server (krbtgt/LO...@NLI.LOCAL) unknown]
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal
> error occurred.
> Failed to join domain: failed to connect to AD: An internal error
> occurred.
>
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H.
> > van Belle via samba
> > Sent: Wednesday, 7 September 2016 16:03
> > To: sa...@lists.samba.org

Julian Zielke via samba, Sep 7, 2016, 10:40:04 AM

Tried that too. Now when joining the domain I get:

gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (krbtgt/LO...@NLI.LOCAL) unknown]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.



> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H.
> van Belle via samba
> Sent: Wednesday, 7 September 2016 16:03
> To: sa...@lists.samba.org

Rowland Penny via samba, Sep 7, 2016, 10:50:02 AM

On Wed, 7 Sep 2016 16:34:36 +0200
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> No tls setup in samba?
> Host/ip in dns is checked?
>
> Resolv.conf is pointed to the AD DC with FSMO roles?
>
> And you tried recreating the krb5.keytab if is not recreated?
>
> Greetz,
>
> Louis
>


I am beginning to think the OP has damaged sam.ldb on the DC by
copying it, it might be quicker to start again. I do hope this isn't in
production.

Julian Zielke via samba, Sep 7, 2016, 11:00:04 AM

Sorry, my mistake. net ads join -S argument required FQDN of the primary dc.

Machine is back in the domain. This seems to have helped. However, is this really the solution?
I mean I have to rejoin the domain for all my machines? *sigh*

Well if that's the case, so be it. But then I'll switch over to sssd. This will also affect production machines but
that's what maintenance intervals are made for, right? ;-)


> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H.
> van Belle via samba
> Sent: Wednesday, 7 September 2016 16:35

L.P.H. van Belle via samba, Sep 7, 2016, 11:20:03 AM

No, I don't think it is needed for all to rejoin.

Now next server, do the same but now don't delete everything

Again stop samba and winbind.

Backup the 2 folders /var/lib/samba and /var/cache/samba.

Now in /var/lib/samba delete winbind*.tdb
And *.tdb in /var/cache/samba

USE THE SMB.CONF as before, modify it for the needed server.
Start samba and winbind again.

Type wbinfo -u first and wbinfo -g
Just to be sure this works ok and it updates the tdb files again.

If it works..
Stop samba +winbind again.

Add in smb.conf
password server = ADDC_WITH_FSMO

retry above with all ADDC. DC04, DC01, DC02, *
one has a problem I think

but test with only one server at a time.
( and use FQDN for the pass servers. )

That should help to identify where exactly the problem is.


Greetz,

Louis

L.P.H. van Belle via samba, Sep 8, 2016, 4:00:03 AM

Hai, Julian,


Sharing such a script would be appreciated ;-) that's always handy to have.

Any special reason why you chose sssd over winbind?


Greetz,

Louis



> -----Original message-----
> From: Julian Zielke [mailto:jzi...@next-level-integration.com]
> Sent: Thursday 8 September 2016 9:43
> To: L.P.H. van Belle; Rowland Penny; mathias dufresne
> Cc: sa...@lists.samba.org
> Subject: RE: [Samba] Winbind / Samba auth problem after username change
>
> Good morning folks,
>
>
> well first of all thank you very much for the help from all of you guys.
> Really appreciate that.
> I discussed the case with my department and we all came to the conclusion
> that migrating the old machines to sssd would
> be less time consuming rather than analyzing what has corrupted the old
> database. Probably in the end a database rebuild would
> be necessary anyway so I wrote a small bash script which transforms the
> old authentication method to sssd. Already tested it and it works
> perfectly fine.
> Makes sense to migrate all machines to one authentication method anyway.
>
> Cheers,
> Julian
>
> > -----Original Message-----
> > From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H.
> > van Belle via samba
> > Sent: Wednesday, 7 September 2016 17:09
> > To: sa...@lists.samba.org
> > Subject: Re: [Samba] Winbind / Samba auth problem after username change
> >


Rowland Penny via samba, Sep 8, 2016, 4:00:03 AM

On Thu, 8 Sep 2016 07:43:23 +0000
Julian Zielke <jzi...@next-level-integration.com> wrote:

> Good morning folks,
>
>
> well first of all thank you very much for the help from all of you
> guys. Really appreciate that. I discussed the case with my department
> and we all came to the conclusion that migrating the old machines to
> sssd would be less time consuming rather than analyzing what has
> corrupted the old database. Probably in the end a database rebuild
> would be necessary anyway so I wrote a small bash script which
> transforms the old authentication method to sssd. Already tested it
> and it works perfectly fine. Makes sense to migrate all machines to
> one authentication method anyway.
>

Well if it works with sssd, it proves there is nothing wrong with your
AD, so it must have been something wrong with your Unix client set up.

Rowland

Julian Zielke via samba, Sep 8, 2016, 4:10:03 AM

Good morning folks,


well first of all thank you very much for the help from all of you guys. Really appreciate that.
I discussed the case with my department and we all came to the conclusion that migrating the old machines to sssd would
be less time consuming rather than analyzing what has corrupted the old database. Probably in the end a database rebuild would
be necessary anyway so I wrote a small bash script which transforms the old authentication method to sssd. Already tested it and it works perfectly fine.
Makes sense to migrate all machines to one authentication method anyway.

Cheers,
Julian

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H.
> van Belle via samba
> Sent: Wednesday, 7 September 2016 17:09
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Winbind / Samba auth problem after username change
>

Julian Zielke via samba, Sep 8, 2016, 5:10:03 AM

Here you go:

https://github.com/jzielke84/sssdmigrator

Feel free to commit changes if you find a bug.

The reason we switched to SSSD was a bug in Samba domain join which was fixed in the first sernet pay-repos (version 4.3).
We bought a subscription later but had to get machines into the domain and SSSD came in handy.
Also there was an article in a local linux magazine featuring that topic. And so far it's running perfectly fine.

Cheers,
Julian

> -----Original Message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H.
> van Belle via samba
> Sent: Thursday, 8 September 2016 09:49

L.P.H. van Belle via samba, Sep 8, 2016, 5:20:03 AM

Thank you, very appreciated and very useful.
And good for my scripting learning skills.

I forked it, so if I change something, I'll push you.


Greetz,

Louis




> -----Original message-----
> From: Julian Zielke [mailto:jzi...@next-level-integration.com]
> Sent: Thursday 8 September 2016 11:00
> To: L.P.H. van Belle