[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent

John H Terpstra jht at Samba.Org
Thu Jan 13 15:27:31 GMT 2005


Chris,

Windows networking plus LDAP and Kerberos makes use of the following ports:

137 and 138 - UDP
88, 135, 139, 389, 445, 636 - TCP

Check in your /etc/services file to see what each of these ports is used for.

- John T.

On Thursday 13 January 2005 03:53, Chris Welsh wrote:
> Hi Buchan,
>
>
> Thanks for your reply. I've just finished reading it.
> I'm happy to say, I managed to get it working a few hours ago. Seems to
> have been a firewall issue.
>
> Could you suggest what winbind/samba/kerberos ports should be allowed in
> and out.
>
>
> I'm not a big fan of running squid and winbind on the firewall, but
> management want it there for now.
> (IP addresses removed)
>
> Here are my rules
> # Winbind
> ACCEPT    $FW       loc    udp      1024:          137
> ACCEPT    loc     $FW     udp      1024:          137
> ACCEPT  $FW     loc     udp     88,137,138,139,88,749,389      -
> ACCEPT  $FW     loc     tcp     749,88,137:139,88,389     -
>
>
>
>
> I have been using samba for years (kerberos/ADS last year; on Mandrake for 5
> or six years); everywhere I go I introduce it. It's solid.
>
> Thanks for doing good samba builds including posix support, and thanks to the
> samba team.
>
>
> Thanks.
> Chris
>
> Buchan Milne wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Chris,
> >
> > I am the samba maintainer for Mandrake ... so I may be able to help.
> >
> > I am not sure on the timezone issues ... but if you're still up, I can
> > join you somewhere on IRC or if you have jabber you can get me at
> > bgmilne at jabber.obsidian.co.za
> >
> > Anyway, see below ...
> >
> > | Hi,
> > |
> > |
> > |
> > | We just imported (moved) all our staff from the old w2k domain to the
> > | new w2k3 domain. Say their accounts and passwords
> > |  From STAFF domain to say NEW. Seems winbind is keeping the old domain
> > | users. This server was serving the STAFF domain w/o problems before
> > | users were migrated.
> >
> > | Domain is in 2000 native mode.
> > |
> > |
> > | I'm using winbind for squid auth on Mandrake linux 10.0
> > |
> > | samba-client-3.0.10-0.1.100mdk
> > | samba-winbind-3.0.10-0.1.100mdk
> > | samba-doc-3.0.10-0.1.100mdk
> > | samba-common-3.0.10-0.1.100mdk
> > | samba-server-3.0.10-0.1.100mdk
> > |
> > |
> > | When I do a wbinfo -u
> > |
> > | I still get STAFF/chris
> > | .....
> > | ....
> > | etc
> > |
> > | I should get ADMIN/chris
> > |
> > |
> > |
> > | I have changed the win 2003 server admin passwd and joined the say
> > | "ADMIN" domain and "ADMIN.SJC" realm. /etc/kerberos/* settings have
> > | been changed also in the samba config.
> > |
> > | then rebooted,
> > |
> > | did kinit administrator at ADMIN.SJC
> > | did klist
> > |
> > | Ticket cache: FILE:/tmp/krb5cc_0
> > | Default principal: administrator at ADMIN.SJC
> > |
> > | Valid starting     Expires            Service principal
> > | 01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/ADMIN.SJC at ADMIN.SJC
> > |         renew until 01/14/05 00:00:27
> > | 01/13/05 00:01:59  01/13/05 10:01:16  sun$@ADMIN.SJC
> > |         renew until 01/14/05 00:00:27
> > |
> > |
> > | Kerberos 4 ticket cache: /tmp/tkt0
> > | klist: You have no tickets cached
> > |
> > | Did net ads join -U administrator at ADMIN.SJC
> > |
> > |
> > | kadm5.acl
> > | */administartor at ADMIN.SJC       *
> > |
> > | Does this ticket look ok? the krbtgt record looks a little odd to me.
> > |
> > |
> > |
> > | I figure I should get ADMIN/chris, and I cannot see any entries for
> > | STAFF realm left over.
> > | I kdestroyed the ticket and recreated it, but no luck
> > |
> > | kdc.conf
> > |
> > | [kdcdefaults]
> > |  kdc_ports = 88
> > |  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> > |  dict_file = /usr/share/dict/words
> > |  admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
> > |
> > | [realms]
> > |  ADMIN.SJC = {
> > |   master_key_type = des3-cbc-sha1
> > |   supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal
> > | des-cbc-crc:v4 des-cbc-crc:afs3
> > |   profile = /etc/krb5.conf
> > |   database_name = /etc/kerberos/krb5kdc/principal
> > |   admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
> > |   admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
> > |   admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
> > |   acl_file = /etc/kerberos/krb5kdc/kadm5.acl
> > |   dict_file = /usr/share/dict/words
> > |   key_stash_file = /etc/kerberos/krb5kdc/.k5stash
> > |   kdc_ports = 88
> > |   kadmind_port = 749
> > |   max_life = 10h 0m 0s
> > |   max_renewable_life = 7d 0h 0m 0s
> > |  }
> > |
> > |
> > |
> > | krb5.conf
> > | [libdefaults]
> > |  ticket_lifetime = 24000
> > |  default_realm = ADMIN.SJC
> > |  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> > |  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> > |  permitted_enctypes = des3-hmac-sha1 des-cbc-crc
> >
> > I think you should remove at least this line, probably all the above.
> >
> > |  dns_lookup_realm = false
> > |  dns_lookup_kdc = false
> >
> > You should be able to set that to true.
> >
> > |  kdc_req_checksum_type = 2
> > |  checksum_type = 2
> > |  ccache_type = 1
> > |  forwardable = true
> > |  proxiable = true
> > |
> > | [realms]
> > |  ADMIN.SJC = {
> > |   kdc = sun.admin.sjc:88
> > |   admin_server = sun.admin.sjc:749
> > |   kpasswd_server = sun.admin.sjc
> > |   default_domain = admin.sjc
> > |  }
> > |
> > | [domain_realm]
> > |  .admin.sjc = ADMIN.SJC
> > |
> > | [kdc]
> > |  profile = /etc/kerberos/krb5kdc/kdc.conf
> > |
> > | [pam]
> > |  debug = false
> > |  ticket_lifetime = 36000
> > |  renew_lifetime = 36000
> > |  forwardable = true
> > |  krb4_convert = false
> > |
> > |  [login]
> > |  krb4_convert = false
> > |  krb4_get_tickets = false
> >
> > Bump up your samba logging to at least 3, and check the log.winbindd, I
> > suspect you're probably getting the "Could not verify incoming ticket"
> > problem.
> >
> > Also, you may want to stop samba, backup/remove the winbind cache files
> > in /var/cache/samba, and restart samba.
> >
> > | Anyway the users cannot auth through our proxy because of this.
> > | Can anyone help? I have to get this fixed by the morning before staff
> > | arrive.
> >
> > Hope this helps.
> >
> > BTW, also check:
> > http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_mandrake.html
> >
> >
> > (although there are some other errors, see the changes made to krb5.conf)
> >
> > Regards,
> > Buchan
> >
> > - --
> > Buchan Milne                      Senior Support Technician
> > Obsidian Systems                  http://www.obsidian.co.za
> > B.Eng                                RHCE (803004789010797)
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4 (GNU/Linux)
> > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> >
> > iD8DBQFB5kMTrJK6UGDSBKcRAndZAJ9tt+JSmwsLo0BC6uhxzker68tDxACgoQpB
> > QQS4AiQOA5cr5BT4xNTj45U=
> > =G16M
> > -----END PGP SIGNATURE-----

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
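As an added example (not code posted by anyone in this thread), the script below audits a Shorewall-style rules file against the port list John gives above and reports which required destination ports have no ACCEPT rule. It assumes the column order ACTION SOURCE DEST PROTO DPORT SPORT, which is the layout Chris's rules appear to follow, and it checks the `$FW` to `loc` direction; the sample rule lines are a constructed copy of the ones Chris quoted.

```python
"""Audit Shorewall-style firewall rules against the ports that Windows
networking, LDAP and Kerberos need (the list given in the reply above).

Added example, not code from the thread.  Assumed column layout:
ACTION SOURCE DEST PROTO DPORT SPORT.  Direction checked: $FW -> loc.
"""

# Port list from the reply: NetBIOS name (137) and datagram (138) service on
# UDP; Kerberos (88), RPC endpoint mapper (135), NetBIOS session (139),
# LDAP (389), SMB over TCP (445) and LDAPS (636) on TCP.
REQUIRED = {
    "udp": {137, 138},
    "tcp": {88, 135, 139, 389, 445, 636},
}

# Constructed sample input: the rules quoted in the thread.
SAMPLE_RULES = """\
# Winbind
ACCEPT    $FW       loc    udp      1024:          137
ACCEPT    loc     $FW     udp      1024:          137
ACCEPT  $FW     loc     udp     88,137,138,139,88,749,389      -
ACCEPT  $FW     loc     tcp     749,88,137:139,88,389     -
"""


def parse_ports(spec):
    """Turn a port column ('88,137:139', '1024:', '-') into a list of
    inclusive (low, high) ranges.  '-' or an empty column means any port."""
    if spec in ("-", ""):
        return [(1, 65535)]
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ranges.append((int(lo) if lo else 1, int(hi) if hi else 65535))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def covers(ranges, port):
    """True if any (low, high) range contains the port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def parse_rules(text):
    """Parse rule lines into dicts; comments and blank lines are skipped.
    Lines with fewer than four columns are ignored rather than guessed at."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 4:
            continue
        rules.append({
            "action": cols[0].upper(),
            "src": cols[1],
            "dst": cols[2],
            "proto": cols[3].lower(),
            "dport": parse_ports(cols[4] if len(cols) > 4 else "-"),
            "sport": parse_ports(cols[5] if len(cols) > 5 else "-"),
        })
    return rules


def missing_ports(text, src="$FW", dst="loc", required=REQUIRED):
    """Return {proto: [ports]} for required ports that no ACCEPT rule from
    src to dst allows as a destination port.  An open range such as
    '1024:' only satisfies ports inside it, so it does not cover 137/138."""
    rules = parse_rules(text)
    missing = {}
    for proto, ports in required.items():
        for port in sorted(ports):
            allowed = any(
                r["action"] == "ACCEPT" and r["src"] == src and r["dst"] == dst
                and r["proto"] == proto and covers(r["dport"], port)
                for r in rules
            )
            if not allowed:
                missing.setdefault(proto, []).append(port)
    return missing


if __name__ == "__main__":
    gaps = missing_ports(SAMPLE_RULES)
    for proto, ports in sorted(gaps.items()):
        print(f"{proto}: no $FW -> loc ACCEPT for destination port(s) {ports}")
```

Run against the quoted rules, the check reports TCP 135, 445 and 636 as having no outbound ACCEPT rule; the two `1024:` rules are parsed but, because they match only high destination ports with a source port of 137, they do not count towards 137/138. Checking return traffic would mean running the same function with `src` and `dst` swapped.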

