[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
John H Terpstra
jht at Samba.Org
Thu Jan 13 15:27:31 GMT 2005
Chris,
Windows networking plus LDAP and Kerberos makes use of the following ports:
137 and 138 - UDP
88, 135, 139, 389, 445, 636 - TCP
Check in your /etc/services file to see what each of these ports is used for.
- John T.
On Thursday 13 January 2005 03:53, Chris Welsh wrote:
> Hi Buchan,
>
>
> Thanks for your reply. I've just finished reading it.
> I'm happy to say, I managed to get it working a few hours ago. Seems to
> have been a firewall issue.
>
> Could you suggest what winbind/samba/kerberos ports should be allowed in
> and out?
>
>
> I'm not a big fan of running squid and winbind on the firewall, but
> management want it there for now.
> (IP addresses removed)
>
> Here are my rules
> # Winbind
> ACCEPT $FW loc udp 1024: 137
> ACCEPT loc $FW udp 1024: 137
> ACCEPT $FW loc udp 88,137,138,139,88,749,389 -
> ACCEPT $FW loc tcp 749,88,137:139,88,389 -
>
>
>
>
> I have been using samba for years (kerberos/ADS last year; on Mandrake for 5
> or six years), and everywhere I go I introduce it. It's solid.
>
> Thanks for doing good samba builds including posix support, and thanks to the
> samba team.
>
>
> Thanks.
> Chris
>
> Buchan Milne wrote:
> >
> > Hi Chris,
> >
> > I am the samba maintainer for Mandrake ... so I may be able to help.
> >
> > I am not sure on the timezone issues ... but if you're still up, I can
> > join you somewhere on IRC or if you have jabber you can get me at
> > bgmilne at jabber.obsidian.co.za
> >
> > Anyway, see below ...
> >
> > | Hi,
> > |
> > |
> > |
> > | We just imported (moved) all our staff from the old w2k domain to the
> > | new w2k3 domain. Say their accounts and passwords
> > | From STAFF domain to say NEW. Seems winbind is keeping the old domain
> > | users. This server was serving the STAFF domain w/o problems before
> > | users were migrated.
> >
> > | Domain is in 2000 native mode.
> > |
> > |
> > | I'm using winbind for squid auth on Mandrake linux 10.0
> > |
> > | samba-client-3.0.10-0.1.100mdk
> > | samba-winbind-3.0.10-0.1.100mdk
> > | samba-doc-3.0.10-0.1.100mdk
> > | samba-common-3.0.10-0.1.100mdk
> > | samba-server-3.0.10-0.1.100mdk
> > |
> > |
> > | When I do a wbinfo -u
> > |
> > | I still get STAFF/chris
> > | .....
> > | ....
> > | etc
> > |
> > | I should get ADMIN/chris
> > |
> > |
> > |
> > | I have changed the win 2003 server admin passwd and joined the say
> > | "ADMIN" domain and "ADMIN.SJC" realm. /etc/kerberos/* settings have been
> > | changed also in the samba config.
> > |
> > | then rebooted,
> > |
> > | did kinit administrator at ADMIN.SJC
> > | did klist
> > |
> > | Ticket cache: FILE:/tmp/krb5cc_0
> > | Default principal: administrator at ADMIN.SJC
> > |
> > | Valid starting Expires Service principal
> > | 01/13/05 00:00:27 01/13/05 10:01:16 krbtgt/ADMIN.SJC at ADMIN.SJC
> > | renew until 01/14/05 00:00:27
> > | 01/13/05 00:01:59 01/13/05 10:01:16 sun$@ADMIN.SJC
> > | renew until 01/14/05 00:00:27
> > |
> > |
> > | Kerberos 4 ticket cache: /tmp/tkt0
> > | klist: You have no tickets cached
> > |
> > | Did net ads join -U administrator at ADMIN.SJC
> > |
> > |
> > | kadm5.acl
> > | */administartor at ADMIN.SJC *
> > |
> > | Does this ticket look ok? the krbtgt record looks a little odd to me.
> > |
> > |
> > |
> > | I figure I should get ADMIN/chris, and I cannot see any entries for
> > | STAFF realm left over.
> > | I kdestroyed the ticket and recreated it, but no luck
> > |
> > | kdc.conf
> > |
> > | [kdcdefaults]
> > | kdc_ports = 88
> > | acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> > | dict_file = /usr/share/dict/words
> > | admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
> > |
> > | [realms]
> > | ADMIN.SJC = {
> > | master_key_type = des3-cbc-sha1
> > | supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal
> > | des-cbc-crc:v4 des-cbc-crc:afs3
> > | profile = /etc/krb5.conf
> > | database_name = /etc/kerberos/krb5kdc/principal
> > | admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
> > | admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
> > | admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
> > | acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> > | dict_file = /usr/share/dict/words
> > | key_stash_file = /etc/kerberos/krb5kdc/.k5stash
> > | kdc_ports = 88
> > | kadmind_port = 749
> > | max_life = 10h 0m 0s
> > | max_renewable_life = 7d 0h 0m 0s
> > | }
> > |
> > |
> > |
> > | krb5.conf
> > | [libdefaults]
> > | ticket_lifetime = 24000
> > | default_realm = ADMIN.SJC
> > | default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> > | default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> > | permitted_enctypes = des3-hmac-sha1 des-cbc-crc
> >
> > I think you should remove at least this line, probably all the above.
> >
> > | dns_lookup_realm = false
> > | dns_lookup_kdc = false
> >
> > You should be able to set that to true.
> >
> > | kdc_req_checksum_type = 2
> > | checksum_type = 2
> > | ccache_type = 1
> > | forwardable = true
> > | proxiable = true
> > |
> > | [realms]
> > | ADMIN.SJC = {
> > | kdc = sun.admin.sjc:88
> > | admin_server = sun.admin.sjc:749
> > | kpasswd_server = sun.admin.sjc
> > | default_domain = admin.sjc
> > | }
> > |
> > | [domain_realm]
> > | .admin.sjc = ADMIN.SJC
> > |
> > | [kdc]
> > | profile = /etc/kerberos/krb5kdc/kdc.conf
> > |
> > | [pam]
> > | debug = false
> > | ticket_lifetime = 36000
> > | renew_lifetime = 36000
> > | forwardable = true
> > | krb4_convert = false
> > |
> > | [login]
> > | krb4_convert = false
> > | krb4_get_tickets = false
> >
> > Bump up your samba logging to at least 3, and check the log.winbindd, I
> > suspect you're probably getting the "Could not verify incoming ticket"
> > problem.
> >
> > Also, you may want to stop samba, backup/remove the winbind cache files
> > in /var/cache/samba, and restart samba.
> >
> > | Anyway the users cannot auth through our proxy because of this.
> > | Can anyone help? I have to get this fixed by the morning before staff
> > | arrive.
> >
> > Hope this helps.
> >
> > BTW, also check:
> > http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_mandrake.html
> >
> >
> > (although there are some other errors, see the changes made to krb5.conf)
> >
> > Regards,
> > Buchan
> >
> > --
> > Buchan Milne Senior Support Technician
> > Obsidian Systems http://www.obsidian.co.za
> > B.Eng RHCE (803004789010797)
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
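An added example, not part of the thread or of Samba: a small parser for the krb5.conf layout quoted above ([section] headers, key = value lines, REALM = { ... } blocks) plus a check that reports the two [libdefaults] changes Buchan suggests (drop the explicit enctype lists, turn DNS lookups on). The sample file and function names are constructed for the example.

```python
# Added example (not from the thread): parse the krb5.conf layout quoted above
# and report the two [libdefaults] changes Buchan suggests.
import re

# Constructed sample modelled on the krb5.conf quoted in the thread.
SAMPLE = """\
[libdefaults]
 default_realm = ADMIN.SJC
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 ADMIN.SJC = {
  kdc = sun.admin.sjc:88
 }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; REALM = { ... } blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                     # new [section]; leave any block
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                         # end of a REALM = { ... } block
            block = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                      # start of REALM = { ... }
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def lint_libdefaults(conf):
    """List the [libdefaults] settings the thread recommends changing."""
    lib = conf.get("libdefaults", {})
    findings = [f"remove {k}: let the KDC negotiate enctypes"
                for k in ("default_tgs_enctypes", "default_tkt_enctypes",
                          "permitted_enctypes") if k in lib]
    findings += [f"set {k} = true so the realm and KDC are found via DNS"
                 for k in ("dns_lookup_realm", "dns_lookup_kdc")
                 if lib.get(k, "").lower() == "false"]
    return findings
```

Run `lint_libdefaults(parse_krb5_conf(open("/etc/krb5.conf").read()))` against a real file to get the same list for your own configuration.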