[Samba] Lock accounts with SAMBA
Hi,

I'm a busy sysadmin locking and unlocking user accounts. I'd like to be able to do it from my Linux Kerberos-enabled Samba workstation. I can easily use net commands to see if a user's account is locked in the ADS. How do I actually lock it from within Samba?

I've written a user management system at the school that does lots of things; I'd like it to be able to do this using Linux. So any advice would be greatly appreciated.

Chris

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] pulling userinfo from trusted domain RE-POST
Sorry to repeat this, but I had no answers. Anyone up for a chat about this?

More info: wbinfo -m returns nothing. wbinfo -t, wbinfo -u and wbinfo -g return users for the primary (Staff) domain, but not the student domain. I'm sure I had it returning info from both primary and secondary domains when the servers were Windows 2000 servers earlier this year, so I believe winbind should be able to do the job. Oh, I have fixed the clock skew issue, but that did nothing to help.

Hi,

I'm trying to pull user info from a student domain. I can pull a user's info from a primary domain OK, but not from the domain (student) that trusts the primary domain. Let's say the primary is staff and secondary is student. Student trusts staff, but staff does not trust student.

/usr/bin/net ads search ((objectCategory=person) (sAMAccountName=foo)) -P -I 192.168.0.2

The command tries to pull out the user's LDAP account info. I'm interested in seeing if the user's account is locked or not (514 or 512). It works on the staff domain for staff users, so I know the syntax is OK. Any way of doing this? The error back is clock skew; I will check the server times tomorrow.

I'm using Mandrake Linux 10.1, Samba v3.0.2a, ADS server 2003K SP1, ADS and Kerberos mode.

Is there a simple Samba command that will lock or unlock a user's account?

Thanks
[Samba] pulling userinfo from trusted domain
Hi,

I'm trying to pull user info from a student domain. I can pull a user's info from a primary domain OK, but not from the domain (student) that trusts the primary domain. Let's say the primary is staff and secondary is student. Student trusts staff, but staff does not trust student.

/usr/bin/net ads search ((objectCategory=person) (sAMAccountName=foo)) -P -I 192.168.0.2

The command tries to pull out the user's LDAP account info. I'm interested in seeing if the user's account is locked or not (514 or 512). It works on the staff domain for staff users, so I know the syntax is OK. Any way of doing this? The error back is clock skew; I will check the server times tomorrow.

I'm using Mandrake Linux 10.1, Samba v3.0.2a, ADS server 2003K SP1, ADS and Kerberos mode.

Is there a simple Samba command that will lock or unlock a user's account?

Thanks
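On the question raised in this post and in the "Lock accounts" post above (reading the 512/514 userAccountControl value and flipping an account between enabled and disabled), here is an added Python example; it is not code from the Samba project or from the list posters. It parses the attr: value lines that net ads search prints (the sample output below is constructed, and the DN, sAMAccountName and attribute values in it are assumptions), decodes the userAccountControl bits, and builds the LDIF modify that would set or clear the ACCOUNTDISABLE bit, which can then be applied with an LDAP client authenticating over GSSAPI. Two points the posts gloss over: 514 is NORMAL_ACCOUNT (0x200) plus ACCOUNTDISABLE (0x2), i.e. a disabled account rather than a locked one, and a bad-password lockout is recorded by AD in the lockoutTime attribute, so the example reads both.

```python
"""Decode AD userAccountControl from `net ads search` output and build the
LDIF change that enables or disables an account.

Added example; not Samba project code. The sample output is constructed."""
import re

# userAccountControl flag bits, in the values Microsoft documents.
UAC_FLAGS = [
    (0x0002, "ACCOUNTDISABLE"),
    (0x0010, "LOCKOUT"),          # bit exists, but AD records lockouts in lockoutTime
    (0x0020, "PASSWD_NOTREQD"),
    (0x0200, "NORMAL_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWD"),
    (0x400000, "DONT_REQ_PREAUTH"),
]
UF_ACCOUNTDISABLE = 0x0002

# `net ads search` prints one "attribute: value" line per value (assumed form).
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")


def parse_net_ads_search(text):
    """Turn attr: value lines into a dict; repeated attributes become lists.
    Blank lines and the trailing 'Got N replies' line carry no colon and are skipped."""
    entry = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if not m:
            continue
        attr, value = m.group(1), m.group(2)
        if attr in entry:
            if not isinstance(entry[attr], list):
                entry[attr] = [entry[attr]]
            entry[attr].append(value)
        else:
            entry[attr] = value
    return entry


def decode_uac(uac):
    """Names of the flags set in a userAccountControl integer, in bit order."""
    return [name for bit, name in UAC_FLAGS if uac & bit]


def account_state(entry):
    """Summarise an entry: disabled (UAC bit) vs locked out (lockoutTime != 0)."""
    uac = int(entry.get("userAccountControl", "0"))
    locked = int(entry.get("lockoutTime", "0")) != 0
    return {
        "uac": uac,
        "flags": decode_uac(uac),
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "locked_out": locked,
    }


def set_disabled(uac, disable):
    """Return the userAccountControl value with ACCOUNTDISABLE set or cleared."""
    return uac | UF_ACCOUNTDISABLE if disable else uac & ~UF_ACCOUNTDISABLE


def ldif_set_disabled(entry, disable):
    """LDIF 'modify' record replacing userAccountControl with the new value."""
    new_uac = set_disabled(int(entry["userAccountControl"]), disable)
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        "userAccountControl: %d\n"
        "-\n" % (entry["dn"], new_uac)
    )


# Constructed sample in the shape of `net ads search` output (DN and values assumed).
SAMPLE = """\
dn: CN=foo,CN=Users,DC=staff,DC=example
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: foo
sAMAccountName: foo
userAccountControl: 514
lockoutTime: 0

Got 1 replies
"""

if __name__ == "__main__":
    entry = parse_net_ads_search(SAMPLE)
    print(account_state(entry))            # disabled, not locked out
    print(ldif_set_disabled(entry, False))  # LDIF that would re-enable foo
```

Feeding the LDIF to an LDAP client bound with the administrator's Kerberos ticket (for example ldapmodify with GSSAPI) is the part the example leaves to the reader, since which client is installed varies; the value it writes is just the old userAccountControl with bit 0x2 changed, so other flags on the account are preserved.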
[Samba] winbind - New DOMAIN but old DOMAIN not CHANGING .URGENT
Hi,

We just imported (moved) all our staff from the old w2k domain to the new w2k3 domain, say their accounts and passwords from the STAFF domain to, say, NEW. Seems winbind is keeping the old domain users.

I'm using winbind for squid auth on Mandrake Linux 10.0:

samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk

When I do a wbinfo -u I still get STAFF/chris etc. I should get ADMIN/chris.

I have changed the Win 2003 server admin passwd and joined the, say, ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been changed, also in the Samba config. Then rebooted, did kinit [EMAIL PROTECTED], did klist:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
        renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
        renew until 01/14/05 00:00:27

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Did net ads join -U [EMAIL PROTECTED]

kadm5.acl:
*/[EMAIL PROTECTED] *

Does this ticket look OK? The krbtgt record looks a little odd to me. I figure I should get ADMIN/chris, and I cannot see any entries for the STAFF realm left over.

I kdestroyed the ticket and recreated it, but no luck.

kdc.conf:

[kdcdefaults]
    kdc_ports = 88
    acl_file = /etc/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
    ADMIN.SJC = {
        master_key_type = des3-cbc-sha1
        supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        profile = /etc/krb5.conf
        database_name = /etc/kerberos/krb5kdc/principal
        admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
        admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
        admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
        acl_file = /etc/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        key_stash_file = /etc/kerberos/krb5kdc/.k5stash
        kdc_ports = 88
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

krb5.conf:

[libdefaults]
    ticket_lifetime = 24000
    default_realm = ADMIN.SJC
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_req_checksum_type = 2
    checksum_type = 2
    ccache_type = 1
    forwardable = true
    proxiable = true

[realms]
    ADMIN.SJC = {
        kdc = sun.admin.sjc:88
        admin_server = sun.admin.sjc:749
        kpasswd_server = sun.admin.sjc
        default_domain = admin.sjc
    }

[domain_realm]
    .admin.sjc = ADMIN.SJC

[kdc]
    profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

[login]
    krb4_convert = false
    krb4_get_tickets = false

Anyway, the users cannot auth through our proxy because of this. Can anyone help? I have to get this fixed by the morning before staff arrive.

Thanks
Chris
[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Hi,

We just imported (moved) all our staff from the old w2k domain to the new w2k3 domain, say their accounts and passwords from the STAFF domain to, say, NEW. Seems winbind is keeping the old domain users. This server was serving the STAFF domain w/o problems before users were migrated. Domain is in 2000 native mode.

I'm using winbind for squid auth on Mandrake Linux 10.0:

samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk

When I do a wbinfo -u I still get STAFF/chris etc. I should get ADMIN/chris.

I have changed the Win 2003 server admin passwd and joined the, say, ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been changed, also in the Samba config. Then rebooted, did kinit [EMAIL PROTECTED], did klist:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
        renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
        renew until 01/14/05 00:00:27

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Did net ads join -U [EMAIL PROTECTED]

kadm5.acl:
*/[EMAIL PROTECTED] *

Does this ticket look OK? The krbtgt record looks a little odd to me. I figure I should get ADMIN/chris, and I cannot see any entries for the STAFF realm left over.

I kdestroyed the ticket and recreated it, but no luck.

kdc.conf:

[kdcdefaults]
    kdc_ports = 88
    acl_file = /etc/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
    ADMIN.SJC = {
        master_key_type = des3-cbc-sha1
        supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        profile = /etc/krb5.conf
        database_name = /etc/kerberos/krb5kdc/principal
        admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
        admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
        admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
        acl_file = /etc/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        key_stash_file = /etc/kerberos/krb5kdc/.k5stash
        kdc_ports = 88
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

krb5.conf:

[libdefaults]
    ticket_lifetime = 24000
    default_realm = ADMIN.SJC
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_req_checksum_type = 2
    checksum_type = 2
    ccache_type = 1
    forwardable = true
    proxiable = true

[realms]
    ADMIN.SJC = {
        kdc = sun.admin.sjc:88
        admin_server = sun.admin.sjc:749
        kpasswd_server = sun.admin.sjc
        default_domain = admin.sjc
    }

[domain_realm]
    .admin.sjc = ADMIN.SJC

[kdc]
    profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

[login]
    krb4_convert = false
    krb4_get_tickets = false

Anyway, the users cannot auth through our proxy because of this. Can anyone help? I have to get this fixed by the morning before staff arrive.

Thanks
Chris
Re: [Samba] Anyone Pls? Domain function levels, etc
Andrew,

Thanks for your reply. I've been a little confused, as I have been finding conflicting info on the net. For example, an extract from this article - http://www.thechannelinsider.com/article2/0,1759,1647348,00.asp:

Quote
You can run Samba 3 with an AD server running native mode. In this mode, you can run Samba 3, W2K (Windows 2000) server and Server 2003. You cannot, however, run Samba 3 in Server 2003 mode, a superset of native mode, which requires that all servers be running Server 2003.
End Quote

Your thoughts?

Andrew Bartlett wrote:
> On Sat, 2005-01-01 at 21:24 +1100, Christopher Peter Welsh wrote:
>> Hi,
>>
>> I have resent this, as I have had no replies so far.
>>
>> I'm gonna have to be putting a good argument to my ICT team against going to 2003 in 2003 server mode (I think that's what they call the highest mode for 2003 server) to keep Samba at our school. I like what Windows 2003 has to offer, but do not want to lock Samba out forever. I know Samba will work at a lower mode, and that's what I'm pushing. Can people chip in with some arguments and advice?
>>
>> What is the highest 2003 mode (forest and domain) that we can go to and still have Samba function as a member file server?
>
> I don't know of any limits, so long as Samba is configured correctly.
>
>> Is there really better security in that higher 2003 mode? What in particular?
>
> There are many things broken security-wise in NT, and the compatibility interfaces with it (mostly regarding anonymous access).
>
>> Will winbind (ADS and kerb mode) break? As we use it for squid auth, etc.
>
> I don't think so, but you really should be doing your own functional testing, on a test network.
>
>> How long before SAMBA can work at the highest level with 2003?
>
> I don't know of any outstanding issues, but I'll need much more detail on individual problems.
>
>> I'm feeling that MS have provided some functional incentives to go with the highest mode. Can someone suggest some ways to take the hype out of this higher level?
>>
>> I know from my reading that once we make that jump, there is no turning back.
>
> By slowly moving away from the NT domain model, MS allows themselves to do some interesting and better things.
>
> Andrew Bartlett
[Samba] SAMBA - Domain function levels
Hi,

I'm gonna have to be putting a good argument to my ICT team against going to 2003 in 2003 server mode (I think that's what they call the highest mode for 2003 server) to keep Samba at our school. I like what Windows 2003 has to offer, but do not want to lock Samba out forever. I know Samba will work at a lower mode, and that's what I'm pushing. Can people chip in with some arguments and advice?

What is the highest 2003 mode (forest and domain) that we can go to and still have Samba function as a member file server?

What are the advantages for a school with only 2 domains and no geographical displacement in going to the highest 2003 server level (list of GPO advantages?, etc.)? We have the money to upgrade to 2003 on all our 22 servers, but could save money by mixing with Samba and 2000.

Is there really better security in that higher mode? What in particular?

Will winbind (ADS and kerb mode) break? As we use it for squid auth, etc.

How long before SAMBA can work at the highest level with 2003?

I'm feeling that MS have provided some functional incentives to go with the highest mode. Can someone suggest some ways to take the hype out of this higher level?

I know from my reading that once we make that jump, there is no turning back :-(

Chris