Re: [PacketFence-users] Periodically losing domain trust

2015-08-25 Thread Morgan, Joel P.
I am also having the same problem as the guy in this post 
http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg09749.html
 where the DNS entry is changed to the 169.#.#.# address of the domain virtual 
NIC.

I'm starting to wonder if the problem I'm having losing domain trust is related 
to the dynamic DNS issue. Maybe fixing the dynamic DNS problem will fix the 
losing trust problem.

I'm going to try this 
http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg09751.html
 to see if it fixes both.

Here are my krb5.conf and smb.conf files:

vi krb5.conf
[libdefaults]
default_realm = MGA.EDU

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[libdefaults]
default_realm = MGA.EDU

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]

  MGA.EDU = {
  kdc = dc.mga.edu
  admin_server = dc.mga.edu
  default_domain = MGA.EDU
  }




[domain_realm]

  MGA.EDU = MGA.EDU
  .MGA.EDU = MGA.EDU




[login]
krb4_convert = true
krb4_get_tickets = false


vi MGADomain.conf
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = MGA
realm = MGA.EDU

netbios name = packetfence
server string =  packetfence

pid directory = /usr/local/pf/var/run
lock directory = /var/cache/sambaMGADomain
private dir = /var/cache/sambaMGADomain

security = ADS
winbind use default domain = no
idmap uid = 600-2
idmap gid = 600-2
template shell = /bin/bash
winbind expand groups = 10
password server = dc.mga.edu
domain master = no
local master = no
preferred master = no

inherit permissions = yes
admin users = @MGA\domain admins

hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
veto files = /lost+found/

allow trusted domains = yes

# No printers on this host
show add printer wizard = no
disable spoolss = yes
load printers = no
printing = bsd
printcap name = /dev/null

# No usershares here
usershare max shares = 0

# By default no guests and invisible
browseable = no
guest ok = no

#interfaces = 169.254.0.1
#bind interfaces only = yes


Joel


--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Radius debug mode

2015-08-25 Thread Todd Bergstrom
Sorry if this is a dumb question, but couldn't find the answer in the archives. 
 How do I run radius in debug mode?  #radiusd -X -d /usr/local/pf/raddb gives 
radiusd not found error.  I'm running PF 5.3.1 on Ubuntu 12.04.

Thanks,
Todd


Re: [PacketFence-users] Radius debug mode

2015-08-25 Thread heupink
perhaps you are using freeradius?

freeradius -X -d /usr/local/pf/raddb

On 8/25/2015 15:46, Todd Bergstrom wrote:
 Sorry if this is a dumb question, but couldn’t find the answer in the
 archives.  How do I run radius in debug mode?  #radiusd -X -d
 /usr/local/pf/raddb gives radiusd not found error.  I’m running PF 5.3.1
 on Ubuntu 12.04.

 Thanks,

 Todd





Re: [PacketFence-users] Periodically losing domain trust

2015-08-25 Thread Tedder, Eric
I use DDNS and have no problem, but for my DCs in PacketFence I define each 
one via IP. 
I run Ubuntu 12.04 LTS with the stock Samba. (Round robin is broken for Samba.)

The only issue I have is that winbindd will lock up if I restart the primary DC 
because of a known bug, but then I just go into PacketFence and kill off the 
locked-up process and restart it. You might want to use a static entry for your 
PacketFence in DNS. It sounds more like you are having a scavenging issue at 7 
days.

Thanks
Eric Tedder

-Original Message-
From: Morgan, Joel P. [mailto:joel.mor...@mga.edu] 
Sent: Tuesday, August 25, 2015 10:03 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Periodically losing domain trust

I am also having the same problem as the guy in this post 
http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg09749.html
 where the DNS entry is changed to the 169.#.#.# address of the domain virtual 
NIC.

I'm starting to wonder if the problem I'm having losing domain trust is related 
to the dynamic DNS issue. Maybe fixing the dynamic DNS problem will fix the 
losing trust problem.

I'm going to try this 
http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg09751.html
 to see if it fixes both.

Here are my krb5.conf and smb.conf files:

vi krb5.conf
[libdefaults]
default_realm = MGA.EDU

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[libdefaults]
default_realm = MGA.EDU

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]

  MGA.EDU = {
  kdc = dc.mga.edu
  admin_server = dc.mga.edu
  default_domain = MGA.EDU
  }




[domain_realm]

  MGA.EDU = MGA.EDU
  .MGA.EDU = MGA.EDU




[login]
krb4_convert = true
krb4_get_tickets = false


vi MGADomain.conf
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = MGA
realm = MGA.EDU

netbios name = packetfence
server string =  packetfence

pid directory = /usr/local/pf/var/run
lock directory = /var/cache/sambaMGADomain
private dir = /var/cache/sambaMGADomain

security = ADS
winbind use default domain = no
idmap uid = 600-2
idmap gid = 600-2
template shell = /bin/bash
winbind expand groups = 10
password server = dc.mga.edu
domain master = no
local master = no
preferred master = no

inherit permissions = yes
admin users = @MGA\domain admins

hide files = /~*/Thumbs.db/desktop.ini/ntuser.ini/NTUSER.*/SMax.*/
veto files = /lost+found/

allow trusted domains = yes

# No printers on this host
show add printer wizard = no
disable spoolss = yes
load printers = no
printing = bsd
printcap name = /dev/null

# No usershares here
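
An added example, not part of the thread or of PacketFence: a small check that tells apart the two DNS conditions discussed above, the host's A record flipping to a 169.254.x.x address and the record disappearing after scavenging. The function names, the host name packetfence.example.test and the address 192.0.2.10 are assumptions; 169.254.0.1 is the address from the commented-out interfaces line in the posted smb.conf.

```python
import ipaddress
import socket


def classify_records(addresses, expected):
    """Classify the A records returned for the PacketFence host name.

    addresses: IPv4 strings from a DNS lookup (empty list if no record).
    expected:  the management address the record is supposed to hold.
    Returns a list of (status, address) tuples.
    """
    if not addresses:
        # No record at all: consistent with the entry having been scavenged.
        return [("MISSING", None)]
    want = ipaddress.ip_address(expected)
    findings = []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr.is_link_local:
            # 169.254.0.0/16: the record points at the internal virtual NIC.
            findings.append(("LINK_LOCAL", text))
        elif addr == want:
            findings.append(("OK", text))
        else:
            findings.append(("UNEXPECTED", text))
    return findings


def healthy(findings):
    """True only when every record is the expected management address."""
    return all(status == "OK" for status, _ in findings)


def lookup_a(hostname):
    """Live lookup via the system resolver (may also consult /etc/hosts)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed sample answers; swap in lookup_a("<your host>") for live use.
    samples = {"flipped": ["169.254.0.1"], "scavenged": [], "good": ["192.0.2.10"]}
    for label, answer in samples.items():
        result = classify_records(answer, "192.0.2.10")
        print(label, result, "healthy" if healthy(result) else "ALERT")
```

Run from cron against the real host name, an ALERT shortly before trust is lost would support the dynamic DNS theory; a MISSING result on a regular interval would point to scavenging instead.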

[PacketFence-users] packetfence with one interface

2015-08-25 Thread Holger.Patzelt
Hi folks,

To have a little bit of practice at home, I would like to install PacketFence 
on a spare metal at home.
The main challenge is that the server has only one interface and there is only 
a typical home all-in-one router (WLAN, LAN and Internet via DSL to the ISP), 
which does not support VLAN tagging.

As this breaks the actual installation manuals, have you any setup hints for me?

Regards,
Holger


Re: [PacketFence-users] Radius debug mode

2015-08-25 Thread Todd Bergstrom
Yes, that is it.  Thank you very much!!
Todd

-Original Message-
From: heupink [mailto:heup...@gmail.com] 
Sent: Tuesday, August 25, 2015 9:35 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Radius debug mode

perhaps you are using freeradius?

freeradius -X -d /usr/local/pf/raddb

On 8/25/2015 15:46, Todd Bergstrom wrote:
 Sorry if this is a dumb question, but couldn't find the answer in the 
 archives.  How do I run radius in debug mode?  #radiusd -X -d 
 /usr/local/pf/raddb gives radiusd not found error.  I'm running PF 
 5.3.1 on Ubuntu 12.04.

 Thanks,

 Todd


