[Samba] winbind - New DOMAIN but old DOMAIN not CHANGING .URGENT

Christopher Welsh cpwe at deakin.edu.au
Wed Jan 12 13:39:00 GMT 2005



Hi,

We just imported (moved) all our staff from the old w2k domain to the 
new w2k3 domain, i.e. their accounts and passwords,
from the STAFF domain to, say, NEW. Winbind seems to be keeping the old domain 
users.


I'm using winbind for squid auth on Mandrake linux 10.0

samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk


When I do a wbinfo -u

I still get STAFF/chris
.....
....
etc

I should get ADMIN/chris



I have changed the win 2003 server admin passwd and joined the say 
"ADMIN" domain and "ADMIN.SJC" realm. /etc/kerberos/* settings have been 
changed also in the samba config.

then rebooted,

did kinit administrator@ADMIN.SJC
did klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ADMIN.SJC

Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/ADMIN.SJC@ADMIN.SJC
        renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  sun$@ADMIN.SJC
        renew until 01/14/05 00:00:27


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Did net ads join -U administrator@ADMIN.SJC


kadm5.acl
*/administartor@ADMIN.SJC       *

Does this ticket look ok? The krbtgt record looks a little odd to me.



I figure I should get ADMIN/chris, and I cannot see any entries for 
STAFF realm left over.
I kdestroyed the ticket and recreated it, but no luck.

kdc.conf

[kdcdefaults]
 kdc_ports = 88
 acl_file = /etc/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
 ADMIN.SJC = {
  master_key_type = des3-cbc-sha1
  supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  profile = /etc/krb5.conf
  database_name = /etc/kerberos/krb5kdc/principal
  admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
  admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
  admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  key_stash_file = /etc/kerberos/krb5kdc/.k5stash
  kdc_ports = 88
  kadmind_port = 749
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }



krb5.conf
[libdefaults]
 ticket_lifetime = 24000
 default_realm = ADMIN.SJC
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 ADMIN.SJC = {
  kdc = sun.admin.sjc:88
  admin_server = sun.admin.sjc:749
  kpasswd_server = sun.admin.sjc
  default_domain = admin.sjc
 }

[domain_realm]
 .admin.sjc = ADMIN.SJC

[kdc]
 profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

[login]
 krb4_convert = false
 krb4_get_tickets = false




Anyway, the users cannot auth through our proxy because of this.
Can anyone help? I have to get this fixed by the morning before staff 
arrive.

Thanks
Chris

