[Samba] Lock accounts with SAMBA

2005-07-04 Thread Christopher Welsh



Hi,

I'm a busy sysadmin locking and unlocking user accounts. I'd like to be 
able to do it from my Linux, Kerberos-enabled Samba workstation.


I can easily use net commands to see if a user's account is locked in 
the ADS. How do I actually lock it from within Samba?


I've written a user management system at the school that does lots of 
things, I'd like it to be able to do this using Linux.


So any advice would be greatly appreciated.

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] pulling userinfo from trusted domain RE-POST

2005-06-21 Thread Christopher Welsh
Sorry to repeat this but I had no answers. Anyone up for a chat about 
this. More info:


wbinfo -m returns nothing.
wbinfo -t, wbinfo -u and wbinfo -g return users for the primary (Staff) 
domain, but not the student domain. I'm sure I had it returning info 
from both primary and secondary domains when the servers were Windows 
2000 servers earlier this year, so I believe winbind should be able to 
do the job.


Oh, I have fixed the clock skew issue, but that did nothing to help.


Hi,


I'm trying to pull user info from a student domain.

I can pull a user's info from a primary domain ok, but not from the
domain (student) that trusts the primary domain.

Let's say the primary is staff and the secondary is student.
Student trusts staff, but staff does not trust student.

/usr/bin/net ads search ((objectCategory=person)
(sAMAccountName=foo)) -P -I 192.168.0.2

The command tries to pull out the user's LDAP account info. I'm
interested in seeing if the user's account is locked or not (514 or 512).

It works on the staff domain for staff users, so I know the syntax is ok.

Any way of doing this?  Error back is clock skew, I will check the
server times tomorrow.


I'm using Mandrake linux 10.1
samba v3.0.2a
ADS server 2003K SP1
ADS and kerberos mode.


Is there a simple Samba command that will lock or unlock a user's account?


Thanks



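
Decoding the 512/514 userAccountControl values mentioned above, as an added example that is not part of the original posts and not Samba's own code: it parses the "attr: value" lines that `net ads search` prints, reports whether the account is disabled (ACCOUNTDISABLE, bit 0x2, which is what 514 = 512 | 2 means) or locked out (a non-zero lockoutTime, a separate condition), and builds the LDIF modify records that disable, re-enable or unlock it. The sample dump is constructed, and applying the LDIF with a Kerberos-authenticated ldapmodify is assumed rather than shown.

```python
import re

# userAccountControl bit flags (Microsoft-documented; subset). 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200        # 512, a plain enabled user
DONT_EXPIRE_PASSWORD = 0x10000
FLAG_NAMES = {ACCOUNTDISABLE: "ACCOUNTDISABLE", NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
              DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD"}

def parse_attrs(text):
    # Collect the 'attr: value' lines that `net ads search` prints into a dict of lists.
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*): (.*)$", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def decode_uac(uac):
    # Names of the known flags set in a userAccountControl value.
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]

def account_state(attrs):
    # "Disabled" (UAC bit 0x2) and "locked out" (non-zero lockoutTime) are different conditions.
    uac = int(attrs["userAccountControl"][0])
    lockout_time = int(attrs.get("lockoutTime", ["0"])[0])
    return {"uac": uac, "flags": decode_uac(uac),
            "disabled": bool(uac & ACCOUNTDISABLE), "locked_out": lockout_time != 0}

def ldif_set_disabled(dn, uac, disable):
    # LDIF modify record that sets or clears ACCOUNTDISABLE and leaves the other flags intact.
    new_uac = uac | ACCOUNTDISABLE if disable else uac & ~ACCOUNTDISABLE
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: userAccountControl\nuserAccountControl: {new_uac}\n")

def ldif_unlock(dn):
    # LDIF modify record that clears an account lockout by resetting lockoutTime.
    return f"dn: {dn}\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n"

# Constructed sample of a `net ads search (sAMAccountName=foo)` dump (not real directory data).
SAMPLE = """\
dn: CN=foo,CN=Users,DC=staff,DC=example
sAMAccountName: foo
userAccountControl: 514
lockoutTime: 0
"""
```

Feed `ldif_set_disabled(attrs["dn"][0], state["uac"], False)` to ldapmodify (assumed, with a valid Kerberos ticket) to take the sample account from 514 back to 512; the same helper with `True` disables it again.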

[Samba] pulling userinfo from trusted domain

2005-06-19 Thread Christopher Welsh


Hi,


I'm trying to pull user info from a student domain.

I can pull a user's info from a primary domain ok, but not from the 
domain (student) that trusts the primary domain.


Let's say the primary is staff and the secondary is student.
Student trusts staff, but staff does not trust student.

/usr/bin/net ads search ((objectCategory=person) 
(sAMAccountName=foo)) -P -I 192.168.0.2


The command tries to pull out the user's LDAP account info. I'm 
interested in seeing if the user's account is locked or not (514 or 512).


It works on the staff domain for staff users, so I know the syntax is ok.

Any way of doing this?  Error back is clock skew, I will check the 
server times tomorrow.



I'm using Mandrake linux 10.1
samba v3.0.2a
ADS server 2003K SP1
ADS and kerberos mode.


Is there a simple Samba command that will lock or unlock a user's account?


Thanks



[Samba] winbind - New DOMAIN but old DOMAIN not CHANGING .URGENT

2005-01-12 Thread Christopher Welsh

Hi,
We just imported (moved) all our staff from the old w2k domain to the 
new w2k3 domain: say their accounts and passwords went from the STAFF 
domain to, say, NEW. It seems winbind is keeping the old domain 
users.

I'm using winbind for squid auth on Mandrake linux 10.0
samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk
When I do a wbinfo -u
I still get STAFF/chris
etc.
I should get ADMIN/chris

I have changed the win 2003 server admin passwd and joined the say 
ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been 
changed also in the samba config.

then rebooted,
did kinit [EMAIL PROTECTED]
did klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
   renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
   renew until 01/14/05 00:00:27
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Did net ads join -U [EMAIL PROTECTED]
kadm5.acl
*/[EMAIL PROTECTED]   *
Does this ticket look ok? The krbtgt record looks a little odd to me.

I figure I should get ADMIN/chris, and I cannot see any entries for 
STAFF realm left over.
I kdestroyed the ticket and recreated it, but no luck

kdc.conf
[kdcdefaults]
kdc_ports = 88
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
[realms]
ADMIN.SJC = {
 master_key_type = des3-cbc-sha1
 supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal 
des-cbc-crc:v4 des-cbc-crc:afs3
 profile = /etc/krb5.conf
 database_name = /etc/kerberos/krb5kdc/principal
 admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
 admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
 admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
 acl_file = /etc/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 key_stash_file = /etc/kerberos/krb5kdc/.k5stash
 kdc_ports = 88
 kadmind_port = 749
 max_life = 10h 0m 0s
 max_renewable_life = 7d 0h 0m 0s
}


krb5.conf
[libdefaults]
ticket_lifetime = 24000
default_realm = ADMIN.SJC
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true
[realms]
ADMIN.SJC = {
 kdc = sun.admin.sjc:88
 admin_server = sun.admin.sjc:749
 kpasswd_server = sun.admin.sjc
 default_domain = admin.sjc
}
[domain_realm]
.admin.sjc = ADMIN.SJC
[kdc]
profile = /etc/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[login]
krb4_convert = false
krb4_get_tickets = false

Anyway, the users cannot auth through our proxy because of this.
Can anyone help? I have to get this fixed by the morning before staff 
arrive.

Thanks
Chris

[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent

2005-01-12 Thread Christopher Welsh

Hi,

We just imported (moved) all our staff from the old w2k domain to the
new w2k3 domain: say their accounts and passwords went from the STAFF
domain to, say, NEW. It seems winbind is keeping the old domain
users. This server was serving the STAFF domain w/o problems before 
users were migrated.

Domain is in 2000 native mode.
I'm using winbind for squid auth on Mandrake linux 10.0
samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk
When I do a wbinfo -u
I still get STAFF/chris
etc.
I should get ADMIN/chris

I have changed the win 2003 server admin passwd and joined the say
ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been
changed also in the samba config.
then rebooted,
did kinit [EMAIL PROTECTED]
did klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
renew until 01/14/05 00:00:27
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Did net ads join -U [EMAIL PROTECTED]
kadm5.acl
*/[EMAIL PROTECTED]   *
Does this ticket look ok? The krbtgt record looks a little odd to me.

I figure I should get ADMIN/chris, and I cannot see any entries for
STAFF realm left over.
I kdestroyed the ticket and recreated it, but no luck
kdc.conf
[kdcdefaults]
 kdc_ports = 88
 acl_file = /etc/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
[realms]
 ADMIN.SJC = {
  master_key_type = des3-cbc-sha1
  supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
  profile = /etc/krb5.conf
  database_name = /etc/kerberos/krb5kdc/principal
  admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
  admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
  admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  key_stash_file = /etc/kerberos/krb5kdc/.k5stash
  kdc_ports = 88
  kadmind_port = 749
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }

krb5.conf
[libdefaults]
 ticket_lifetime = 24000
 default_realm = ADMIN.SJC
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true
[realms]
 ADMIN.SJC = {
  kdc = sun.admin.sjc:88
  admin_server = sun.admin.sjc:749
  kpasswd_server = sun.admin.sjc
  default_domain = admin.sjc
 }
[domain_realm]
 .admin.sjc = ADMIN.SJC
[kdc]
 profile = /etc/kerberos/krb5kdc/kdc.conf
[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
[login]
 krb4_convert = false
 krb4_get_tickets = false

Anyway, the users cannot auth through our proxy because of this.
Can anyone help? I have to get this fixed by the morning before staff
arrive.
Thanks
Chris

Re: [Samba] Anyone Pls? Domain function levels, etc

2005-01-01 Thread Christopher Welsh
Andrew,
Thanks for your reply.
I've been a little confused, as I have been finding conflicting info on 
the net.

For example, an extract from this article - 
http://www.thechannelinsider.com/article2/0,1759,1647348,00.asp:

Quote
You can run Samba 3 with an AD server running native mode. In this mode, 
you can run Samba 3, W2K (Windows 2000) server and Server 2003. You 
cannot, however, run Samba 3 in Server 2003 mode, a superset of native 
mode, which requires that all servers be running Server 2003.

End Quote
Your thoughts?
Andrew Bartlett wrote:
On Sat, 2005-01-01 at 21:24 +1100, Christopher Peter Welsh wrote:
 

Hi, 

I have resent this, as I have had no replies so far.  

I'm gonna have to be putting a good argument to my ICT team against going to 
2003 in 2003 server mode ( I think that's what they call the highest mode for 
2003 server) to keep samba at our school. I like what windows 2003 has to 
offer, but do not want to lock samba out forever. 
I know samba will work at lower mode. And that's what I'm pushing. 

Can people chip in with some arguments and advice. 

What is the highest 2003 mode (forest and domain) that we can go to and still 
have samba function as a member file server? 
   

I don't know of any limits, so long as Samba is configured correctly.
 

Is there really better security in that higher 2003 mode? What in particular? 
   

There are many things broken security-wise in NT, and the compatibility
interfaces with it (mostly regarding anonymous access).
 

Will winbind (ADS and kerb mode) break? As we use it for squid auth, etc. 
   

I don't think so, but you really should be doing your own functional
testing, on a test network.
 

How long before SAMBA can work at the highest level with 2003? 
   

I don't know of any outstanding issues, but I'll need much more detail
on individual problems.
 

I'm feeling that MS have provided some functional incentives to go with the 
highest mode. Can someone suggest some ways to take the hype out of this higher 
level? I know from my reading that once we make that jump, there is no 
turning back.
   

By slowly moving away from the NT domain model, MS allows themselves to
do some interesting and better things.  

Andrew Bartlett
 



[Samba] SAMBA - Domain function levels

2004-12-30 Thread Christopher Welsh
Hi,
I'm gonna have to be putting a good argument to my ICT team against 
going to 2003 in 2003 server mode ( I think that's what they call the 
highest mode for 2003 server) to keep samba at our school. I like what 
windows 2003 has to offer, but do not want to lock samba out forever.
I know samba will work at lower mode. And that's what I'm pushing.

Can people chip in with some arguments and advice.
What is the highest 2003 mode (forest and domain) that we can go to and 
still have samba function as a member file server?

What are the advantages for a school with only 2 domains and no 
geographical displacement in going to the highest 2003 server level 
(list of GPO advantages?, etc). We have the money to upgrade to 2003 on 
all our 22 servers. But could save money by mixing with samba and 2000.

Is there really better security in that higher mode? What in particular?
Will winbind (ADS and kerb mode) break? As we use it for squid auth, etc.
How long before SAMBA can work at the highest level with 2003?
I'm feeling that MS have provided some functional incentives to go with 
the highest mode. Can someone suggest some ways to take the hype out of 
this higher level? I know from my reading that once we make that jump, 
there is no turning back.

:-(
Chris

