[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Chris Welsh
cpwe at deakin.edu.au
Thu Jan 13 10:53:17 GMT 2005
Hi Buchan,
Thanks for your reply. I've just finished reading it.
I'm happy to say, I managed to get it working a few hours ago. Seems to
have been a firewall issue.
Could you suggest what winbind/samba/kerberos ports should be allowed in
and out?
I'm not a big fan of running squid and winbind on the firewall, but
management want it there for now.
(IP addresses removed)
Here are my rules
# Winbind
ACCEPT $FW loc udp 1024: 137
ACCEPT loc $FW udp 1024: 137
ACCEPT $FW loc udp 88,137,138,139,88,749,389 -
ACCEPT $FW loc tcp 749,88,137:139,88,389 -
I have been using samba for years (kerberos/ADS last year; on Mandrake for
five or six years); everywhere I go I introduce it. It's solid.
Thanks for doing good samba builds including posix support, and thanks to
the samba team.
Thanks.
Chris
Buchan Milne wrote:
>
> Hi Chris,
>
> I am the samba maintainer for Mandrake ... so I may be able to help.
>
> I am not sure on the timezone issues ... but if you're still up, I can
> join you somewhere on IRC or if you have jabber you can get me at
> bgmilne at jabber.obsidian.co.za
>
> Anyway, see below ...
>
>
> |
> | Hi,
> |
> |
> |
> | We just imported (moved) all our staff from the old w2k domain to the
> | new w2k3 domain. Say their accounts and passwords
> | From STAFF domain to say NEW. Seems winbind is keeping the old domain
> | users. This server was serving the STAFF domain w/o problems before
> | users were migrated.
> |
> | Domain is in 2000 native mode.
> |
> |
> | I'm using winbind for squid auth on Mandrake linux 10.0
> |
> | samba-client-3.0.10-0.1.100mdk
> | samba-winbind-3.0.10-0.1.100mdk
> | samba-doc-3.0.10-0.1.100mdk
> | samba-common-3.0.10-0.1.100mdk
> | samba-server-3.0.10-0.1.100mdk
> |
> |
> | When I do a wbinfo -u
> |
> | I still get STAFF/chris
> | .....
> | ....
> | etc
> |
> | I should get ADMIN/chris
> |
> |
> |
> | I have changed the win 2003 server admin passwd and joined the say
> | "ADMIN" domain and "ADMIN.SJC" realm. /etc/kerberos/* settings have
> | been changed also in the samba config.
> |
> | then rebooted,
> |
> | did kinit administrator@ADMIN.SJC
> | did klist
> |
> | Ticket cache: FILE:/tmp/krb5cc_0
> | Default principal: administrator@ADMIN.SJC
> |
> | Valid starting     Expires            Service principal
> | 01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/ADMIN.SJC@ADMIN.SJC
> |         renew until 01/14/05 00:00:27
> | 01/13/05 00:01:59  01/13/05 10:01:16  sun$@ADMIN.SJC
> |         renew until 01/14/05 00:00:27
> |
> |
> | Kerberos 4 ticket cache: /tmp/tkt0
> | klist: You have no tickets cached
> |
> | Did net ads join -U administrator@ADMIN.SJC
> |
> |
> | kadm5.acl
> | */administartor@ADMIN.SJC *
> |
> | Does this ticket look ok? The krbtgt record looks a little odd to me.
> |
> |
> |
> | I figure I should get ADMIN/chris, and I cannot see any entries for
> | STAFF realm left over.
> | I kdestroyed the ticket and recreated it, but no luck
> |
> | kdc.conf
> |
> | [kdcdefaults]
> |     kdc_ports = 88
> |     acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> |     dict_file = /usr/share/dict/words
> |     admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
> |
> | [realms]
> |     ADMIN.SJC = {
> |         master_key_type = des3-cbc-sha1
> |         supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> |         profile = /etc/krb5.conf
> |         database_name = /etc/kerberos/krb5kdc/principal
> |         admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
> |         admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
> |         admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
> |         acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> |         dict_file = /usr/share/dict/words
> |         key_stash_file = /etc/kerberos/krb5kdc/.k5stash
> |         kdc_ports = 88
> |         kadmind_port = 749
> |         max_life = 10h 0m 0s
> |         max_renewable_life = 7d 0h 0m 0s
> |     }
> |
> |
> |
> | krb5.conf
> | [libdefaults]
> |     ticket_lifetime = 24000
> |     default_realm = ADMIN.SJC
> |     default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> |     default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> |     permitted_enctypes = des3-hmac-sha1 des-cbc-crc
>
> I think you should remove at least this line, probably all the above.
>
> |     dns_lookup_realm = false
> |     dns_lookup_kdc = false
>
> You should be able to set that to true.
>
> |     kdc_req_checksum_type = 2
> |     checksum_type = 2
> |     ccache_type = 1
> |     forwardable = true
> |     proxiable = true
> |
> | [realms]
> |     ADMIN.SJC = {
> |         kdc = sun.admin.sjc:88
> |         admin_server = sun.admin.sjc:749
> |         kpasswd_server = sun.admin.sjc
> |         default_domain = admin.sjc
> |     }
> |
> | [domain_realm]
> |     .admin.sjc = ADMIN.SJC
> |
> | [kdc]
> |     profile = /etc/kerberos/krb5kdc/kdc.conf
> |
> | [pam]
> |     debug = false
> |     ticket_lifetime = 36000
> |     renew_lifetime = 36000
> |     forwardable = true
> |     krb4_convert = false
> |
> | [login]
> |     krb4_convert = false
> |     krb4_get_tickets = false
> |
> |
>
> Bump up your samba logging to at least 3, and check the log.winbindd, I
> suspect you're probably getting the "Could not verify incoming ticket"
> problem.
>
> Also, you may want to stop samba, backup/remove the winbind cache files
> in /var/cache/samba, and restart samba.
>
> | Anyway the users cannot auth through our proxy because of this.
> | Can anyone help? I have to get this fixed by the morning before staff
> | arrive.
>
> Hope this helps.
>
> BTW, also check:
> http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_mandrake.html
>
>
> (although there are some other errors, see the changes made to krb5.conf)
>
> Regards,
> Buchan
>
> --
> Buchan Milne Senior Support Technician
> Obsidian Systems http://www.obsidian.co.za
> B.Eng RHCE (803004789010797)
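As an added example (not code from the thread, Samba or Shorewall), here is a small Python audit that parses Shorewall-style rules in the format Chris posted and reports which ports an AD-joined winbind host commonly talks to are not yet accepted from the firewall to the local zone, and which ports are listed twice in one rule. The REQUIRED table is an assumed baseline built from standard Kerberos/SMB/LDAP/DNS port assignments, not a recommendation from the list, so adjust it for your own domain.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "action source dest proto dport_raw dports")
# (proto, port) -> why an AD member running winbind needs it (assumed baseline)
REQUIRED = {
    ("udp", 53): "dns", ("tcp", 53): "dns",
    ("udp", 88): "kerberos", ("tcp", 88): "kerberos (large tickets)",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm",
    ("tcp", 139): "smb over netbios", ("tcp", 445): "smb over tcp",
    ("udp", 389): "cldap ping", ("tcp", 389): "ldap",
    ("udp", 464): "kpasswd", ("tcp", 464): "kpasswd",
}

# rules copied from the post: ACTION SOURCE DEST PROTO DPORT SPORT
RULES = """\
# Winbind
ACCEPT $FW loc udp 1024: 137
ACCEPT loc $FW udp 1024: 137
ACCEPT $FW loc udp 88,137,138,139,88,749,389 -
ACCEPT $FW loc tcp 749,88,137:139,88,389 -
"""

def parse_ports(field):
    """'88,137:139,1024:' -> [(88,88),(137,139),(1024,65535)]; '-' means any."""
    if field == "-":
        return [(0, 65535)]
    ranges = []
    for part in field.split(","):
        lo, sep, hi = part.partition(":")
        ranges.append((int(lo or 0), int(hi or 65535)) if sep else (int(lo), int(lo)))
    return ranges

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5:  # skip blank and comment lines
            action, src, dst, proto, dport = fields[:5]
            rules.append(Rule(action, src, dst, proto.lower(), dport, parse_ports(dport)))
    return rules

def audit(text, src="$FW", dst="loc"):
    """Return (missing, duplicated): REQUIRED entries that no ACCEPT src->dst
    rule covers, and port literals listed twice in one rule's DPORT field."""
    rules = [r for r in parse_rules(text) if (r.action, r.source, r.dest) == ("ACCEPT", src, dst)]
    missing = sorted(k for k in REQUIRED if not any(
        r.proto == k[0] and any(lo <= k[1] <= hi for lo, hi in r.dports) for r in rules))
    duplicated = sorted({(r.proto, p) for r in rules for p in r.dport_raw.split(",")
                         if r.dport_raw.split(",").count(p) > 1})
    return missing, duplicated
```

Running `audit(RULES)` on the posted rules reports tcp 445 (SMB over TCP, which `net ads join` uses), kpasswd 464 and DNS 53 as not accepted, and port 88 listed twice in both the udp and tcp rules.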