[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent

Chris Welsh cpwe at deakin.edu.au
Thu Jan 13 10:53:17 GMT 2005


Hi Buchan,


Thanks for your reply. I've just finished reading it.
I'm happy to say, I managed to get it working a few hours ago. Seems to 
have been a firewall issue.

Could you suggest what winbind/samba/kerberos ports should be allowed in 
and out?


I'm not a big fan of running squid and winbind on the firewall, but 
management want it there for now.
(IP addresses removed)

Here are my rules:
# Winbind
ACCEPT  $FW  loc  udp  1024:                      137
ACCEPT  loc  $FW  udp  1024:                      137
ACCEPT  $FW  loc  udp  88,137,138,139,88,749,389  -
ACCEPT  $FW  loc  tcp  749,88,137:139,88,389      -




I have been using samba for years (kerberos/ADS for the last year; on 
Mandrake for five or six years); everywhere I go I introduce it. It's solid.

Thanks for doing good samba builds, including POSIX support, and thanks to the 
samba team.


Thanks.
Chris




Buchan Milne wrote:

>
> Hi Chris,
>
> I am the samba maintainer for Mandrake ... so I may be able to help.
>
> I am not sure on the timezone issues ... but if you're still up, I can
> join you somewhere on IRC or if you have jabber you can get me at
> bgmilne at jabber.obsidian.co.za
>
> Anyway, see below ...
>
>
> |
> | Hi,
> |
> |
> |
> | We just imported (moved) all our staff from the old w2k domain to the
> | new w2k3 domain. Say their accounts and passwords
> | from STAFF domain to say NEW. Seems winbind is keeping the old domain
> | users. This server was serving the STAFF domain w/o problems before
> | users were migrated.
> |
> | Domain is in 2000 native mode.
> |
> |
> | I'm using winbind for squid auth on Mandrake linux 10.0
> |
> | samba-client-3.0.10-0.1.100mdk
> | samba-winbind-3.0.10-0.1.100mdk
> | samba-doc-3.0.10-0.1.100mdk
> | samba-common-3.0.10-0.1.100mdk
> | samba-server-3.0.10-0.1.100mdk
> |
> |
> | When I do a wbinfo -u
> |
> | I still get STAFF/chris
> | .....
> | ....
> | etc
> |
> | I should get ADMIN/chris
> |
> |
> |
> | I have changed the win 2003 server admin passwd and joined the say
> | "ADMIN" domain and "ADMIN.SJC" realm. /etc/kerberos/* settings have
> | been changed also in the samba config.
> |
> | then rebooted,
> |
> | did kinit administrator at ADMIN.SJC
> | did klist
> |
> | Ticket cache: FILE:/tmp/krb5cc_0
> | Default principal: administrator at ADMIN.SJC
> |
> | Valid starting     Expires            Service principal
> | 01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/ADMIN.SJC at ADMIN.SJC
> |         renew until 01/14/05 00:00:27
> | 01/13/05 00:01:59  01/13/05 10:01:16  sun$@ADMIN.SJC
> |         renew until 01/14/05 00:00:27
> |
> |
> | Kerberos 4 ticket cache: /tmp/tkt0
> | klist: You have no tickets cached
> |
> | Did net ads join -U administrator at ADMIN.SJC
> |
> |
> | kadm5.acl
> | */administartor at ADMIN.SJC       *
> |
> | Does this ticket look ok? the krbtgt record looks a little odd to me.
> |
> |
> |
> | I figure I should get ADMIN/chris, and I cannot see any entries for
> | STAFF realm left over.
> | I kdestroyed the ticket and recreated it, but no luck
> |
> | kdc.conf
> |
> | [kdcdefaults]
> |  kdc_ports = 88
> |  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> |  dict_file = /usr/share/dict/words
> |  admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
> |
> | [realms]
> |  ADMIN.SJC = {
> |   master_key_type = des3-cbc-sha1
> |   supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal
> | des-cbc-crc:v4 des-cbc-crc:afs3
> |   profile = /etc/krb5.conf
> |   database_name = /etc/kerberos/krb5kdc/principal
> |   admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
> |   admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
> |   admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
> |   acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> |   dict_file = /usr/share/dict/words
> |   key_stash_file = /etc/kerberos/krb5kdc/.k5stash
> |   kdc_ports = 88
> |   kadmind_port = 749
> |   max_life = 10h 0m 0s
> |   max_renewable_life = 7d 0h 0m 0s
> |  }
> |
> |
> |
> | krb5.conf
> | [libdefaults]
> |  ticket_lifetime = 24000
> |  default_realm = ADMIN.SJC
> |  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> |  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> |  permitted_enctypes = des3-hmac-sha1 des-cbc-crc
>
> I think you should remove at least this line, probably all the above.
>
> |  dns_lookup_realm = false
> |  dns_lookup_kdc = false
>
> You should be able to set that to true.
>
> |  kdc_req_checksum_type = 2
> |  checksum_type = 2
> |  ccache_type = 1
> |  forwardable = true
> |  proxiable = true
> |
> | [realms]
> |  ADMIN.SJC = {
> |   kdc = sun.admin.sjc:88
> |   admin_server = sun.admin.sjc:749
> |   kpasswd_server = sun.admin.sjc
> |   default_domain = admin.sjc
> |  }
> |
> | [domain_realm]
> |  .admin.sjc = ADMIN.SJC
> |
> | [kdc]
> |  profile = /etc/kerberos/krb5kdc/kdc.conf
> |
> | [pam]
> |  debug = false
> |  ticket_lifetime = 36000
> |  renew_lifetime = 36000
> |  forwardable = true
> |  krb4_convert = false
> |
> | [login]
> |  krb4_convert = false
> |  krb4_get_tickets = false
> |
> |
>
> Bump up your samba logging to at least 3, and check the log.winbindd, I
> suspect you're probably getting the "Could not verify incoming ticket"
> problem.
>
> Also, you may want to stop samba, backup/remove the winbind cache files
> in /var/cache/samba, and restart samba.
>
> | Anyway the users cannot auth through out proxy because of this.
> | Can anyone help. I have to get this fixed by the morning before staff
> | arrive.
>
> Hope this helps.
>
> BTW, also check:
> http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_mandrake.html 
>
>
> (although there are some other errors, see the changes made to krb5.conf)
>
> Regards,
> Buchan
>
> - --
> Buchan Milne                      Senior Support Technician
> Obsidian Systems                  http://www.obsidian.co.za
> B.Eng                                RHCE (803004789010797)
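The port question above, as an added example written for this thread rather than anything from Samba, Shorewall or the posters: it parses the posted Shorewall-style rules and reports which of the ports a domain member needs are not yet permitted outbound from the firewall host. The required-port list is an assumption built from the services named in the thread (Kerberos 88, kadmin 749, LDAP 389, NetBIOS 137-139) plus SMB over TCP 445, which Samba 3 also uses to reach the domain controller.

```python
# Added example (not Samba or Shorewall code): check a Shorewall-style rules
# snippet against the outbound ports a winbind/Samba ADS member needs.
# Columns: ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S).
# Sample input is the rule set posted above.
RULES = """\
# Winbind
ACCEPT  $FW  loc  udp  1024:                      137
ACCEPT  loc  $FW  udp  1024:                      137
ACCEPT  $FW  loc  udp  88,137,138,139,88,749,389  -
ACCEPT  $FW  loc  tcp  749,88,137:139,88,389      -
"""

# Assumed requirement list: services named in the thread plus SMB over TCP
# (445), which Samba 3 also uses to talk to the domain controller.
REQUIRED = {
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos", ("tcp", 749): "kadmin",
    ("tcp", 389): "LDAP", ("udp", 389): "CLDAP DC lookup",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session", ("tcp", 445): "SMB over TCP",
}

def parse_ports(spec):
    """Expand '88,137:139' or '1024:' into a set of ports; '-' means any."""
    if spec == "-":
        return None
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        lo = int(lo) if lo else 1
        hi = int(hi) if hi else (65535 if sep else lo)
        ports.update(range(lo, hi + 1))
    return ports

def allowed_ports(rules, src="$FW", dst="loc"):
    """(proto, port) pairs from REQUIRED that an ACCEPT rule src->dst permits."""
    allowed = set()
    for line in rules.splitlines():
        f = line.split()  # comments and blank lines never start with ACCEPT
        if len(f) < 5 or f[0] != "ACCEPT" or (f[1], f[2]) != (src, dst):
            continue
        ports = parse_ports(f[4])
        for proto, port in REQUIRED:
            if proto == f[3] and (ports is None or port in ports):
                allowed.add((proto, port))
    return allowed

def blocked_ports(rules):
    """Sorted (proto, port, service) triples the rules do not yet allow."""
    allowed = allowed_ports(rules)
    return sorted((p, n, s) for (p, n), s in REQUIRED.items() if (p, n) not in allowed)
```

Run `blocked_ports(RULES)` to see which outbound services the posted rules still block; the check only looks at the $FW to loc direction, since Shorewall handles the reply packets as established traffic.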


