Re: [Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent

2005-01-13 Thread Chris Welsh
Hi Buchan,
Thanks for your reply. I've just finished reading it.
I'm happy to say, I managed to get it working a few hours ago. Seems to 
have been a firewall issue.

Could you suggest what winbind/samba/kerberos ports should be allowed in 
and out?

I'm not a big fan of running squid and winbind on the firewall, but 
management want it there for now.
(IP addresses removed)

Here are my rules:
# Winbind
ACCEPT  $FW  loc  udp  1024:  137
ACCEPT  loc  $FW  udp  1024:  137
ACCEPT  $FW  loc  udp  88,137,138,139,88,749,389  -
ACCEPT  $FW  loc  tcp  749,88,137:139,88,389  -

I have been using samba for years (Kerberos/ADS in the last year; on 
Mandrake for five or six years); everywhere I go I introduce it. It's solid.

Thanks for doing good samba builds including posix support, and thanks to 
the samba team.

Thanks.
Chris

Buchan Milne wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Chris,
I am the samba maintainer for Mandrake ... so I may be able to help.
I am not sure on the timezone issues ... but if you're still up, I can
join you somewhere on IRC or if you have jabber you can get me at
[EMAIL PROTECTED]
Anyway, see below ...
|
| Hi,
|
|
|
| We just imported (moved) all our staff from the old w2k domain to the
| new w2k3 domain. Say their accounts and passwords
| From STAFF domain to say NEW. Seems winbind is keeping the old domain
| users. This server was serving the STAFF domain w/o problems before
| users were migrated.
|
| Domain is in 2000 native mode.
|
|
| I'm using winbind for squid auth on Mandrake linux 10.0
|
| samba-client-3.0.10-0.1.100mdk
| samba-winbind-3.0.10-0.1.100mdk
| samba-doc-3.0.10-0.1.100mdk
| samba-common-3.0.10-0.1.100mdk
| samba-server-3.0.10-0.1.100mdk
|
|
| When I do a wbinfo -u
|
| I still get STAFF/chris
| .
| 
| etc
|
| I should get ADMIN/chris
|
|
|
| I have changed the win 2003 server admin passwd and joined the say
| ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been
| changed also in the samba config.
|
| then rebooted,
|
| did kinit [EMAIL PROTECTED]
| did klist
|
| Ticket cache: FILE:/tmp/krb5cc_0
| Default principal: [EMAIL PROTECTED]
|
| Valid starting     Expires            Service principal
| 01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
|         renew until 01/14/05 00:00:27
| 01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
|         renew until 01/14/05 00:00:27
|
|
| Kerberos 4 ticket cache: /tmp/tkt0
| klist: You have no tickets cached
|
| Did net ads join -U [EMAIL PROTECTED]
|
|
| kadm5.acl
| */[EMAIL PROTECTED]   *
|
| Does this ticket look ok? the krbtgt record looks a little odd to me.
|
|
|
| I figure I should get ADMIN/chris, and I cannot see any entries for
| STAFF realm left over.
| I kdestroyed the ticket and recreated it, but no luck
|
| kdc.conf
|
| [kdcdefaults]
|  kdc_ports = 88
|  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
|  dict_file = /usr/share/dict/words
|  admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
|
| [realms]
|  ADMIN.SJC = {
|   master_key_type = des3-cbc-sha1
|   supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal
| des-cbc-crc:v4 des-cbc-crc:afs3
|   profile = /etc/krb5.conf
|   database_name = /etc/kerberos/krb5kdc/principal
|   admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
|   admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
|   admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
|   acl_file = /etc/kerberos/krb5kdc/kadm5.acl
|   dict_file = /usr/share/dict/words
|   key_stash_file = /etc/kerberos/krb5kdc/.k5stash
|   kdc_ports = 88
|   kadmind_port = 749
|   max_life = 10h 0m 0s
|   max_renewable_life = 7d 0h 0m 0s
|  }
|
|
|
| krb5.conf
| [libdefaults]
|  ticket_lifetime = 24000
|  default_realm = ADMIN.SJC
|  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
|  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
|  permitted_enctypes = des3-hmac-sha1 des-cbc-crc

I think you should remove at least this line, probably all the above.
|  dns_lookup_realm = false
|  dns_lookup_kdc = false
You should be able to set that to true.
|  kdc_req_checksum_type = 2
|  checksum_type = 2
|  ccache_type = 1
|  forwardable = true
|  proxiable = true
|
| [realms]
|  ADMIN.SJC = {
|   kdc = sun.admin.sjc:88
|   admin_server = sun.admin.sjc:749
|   kpasswd_server = sun.admin.sjc
|   default_domain = admin.sjc
|  }
|
| [domain_realm]
|  .admin.sjc = ADMIN.SJC
|
| [kdc]
|  profile = /etc/kerberos/krb5kdc/kdc.conf
|
| [pam]
|  debug = false
|  ticket_lifetime = 36000
|  renew_lifetime = 36000
|  forwardable = true
|  krb4_convert = false
|
|  [login]
|  krb4_convert = false
|  krb4_get_tickets = false
|
|
Bump up your samba logging to at least 3, and check the log.winbindd, I
suspect you're probably getting the Could not verify incoming ticket
problem.
Also, you may want to stop samba, backup/remove the winbind cache files
in /var/cache/samba, and restart samba.
| Anyway the 

Re: [Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent

2005-01-13 Thread John H Terpstra
Chris,

Windows networking plus LDAP and Kerberos makes use of the following ports:

137 and 138 - UDP
88, 135, 139, 389, 445, 636 - TCP

Check in your /etc/services file to see what each of these ports is used for.

- John T.

On Thursday 13 January 2005 03:53, Chris Welsh wrote:
 Hi Buchan,


 Thanks for your reply. I've just finished reading it.
 I'm happy to say, I managed to get it working a few hours ago. Seems to
 have been a firewall issue.

 Could you suggest what winbind/samba/kerberos ports should be allowed in
 and out?


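An added check, not code from the thread or from Samba or Shorewall: this Python script parses a Shorewall rules fragment in the format Chris posted (the sample below is constructed from his rules) and reports which of the ports John lists, plus UDP 88 because Kerberos also runs over UDP, no outbound ACCEPT rule from $FW covers. It assumes the standard rules-file column order ACTION SOURCE DEST PROTO DPORT SPORT.

```python
from typing import Dict, List, Set

# Ports from John Terpstra's reply, plus UDP 88: Kerberos also runs over
# UDP, and Chris's own rules open it.
REQUIRED: Dict[str, Set[int]] = {
    "udp": {88, 137, 138},
    "tcp": {88, 135, 139, 389, 445, 636},
}

def expand_ports(spec: str) -> Set[int]:
    """Expand a DPORT spec such as '88,137:139' into a set of ports.
    An open-ended range like '1024:' runs to 65535; '-' means no ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        if item in ("", "-"):
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo or 1), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports

def allowed_outbound(rules: str, fw_zone: str = "$FW") -> Dict[str, Set[int]]:
    """Destination ports the firewall host itself may reach, per protocol.
    Assumed Shorewall rules columns: ACTION SOURCE DEST PROTO DPORT [SPORT]."""
    allowed: Dict[str, Set[int]] = {"udp": set(), "tcp": set()}
    for line in rules.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "ACCEPT" or cols[1] != fw_zone:
            continue  # comments, blank lines, inbound rules, other actions
        proto = cols[3].lower()
        if proto in allowed:
            allowed[proto] |= expand_ports(cols[4])
    return allowed

def missing_ports(rules: str) -> Dict[str, List[int]]:
    """Required ports that no outbound ACCEPT rule covers, per protocol."""
    allowed = allowed_outbound(rules)
    return {p: sorted(REQUIRED[p] - allowed[p]) for p in REQUIRED}

# Constructed sample: Chris's rules from the thread, columns re-aligned.
SAMPLE_RULES = """\
# Winbind
ACCEPT  $FW  loc  udp  1024:  137
ACCEPT  loc  $FW  udp  1024:  137
ACCEPT  $FW  loc  udp  88,137,138,139,88,749,389  -
ACCEPT  $FW  loc  tcp  749,88,137:139,88,389  -
"""
```

Run `missing_ports` over the real rules file; for the rules in the thread it reports TCP 135, 445 and 636 as not allowed.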

[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent

2005-01-12 Thread Christopher Welsh

Hi,

We just imported (moved) all our staff from the old w2k domain to the
new w2k3 domain. Say their accounts and passwords
From STAFF domain to say NEW. Seems winbind is keeping the old domain
users. This server was serving the STAFF domain w/o problems before
users were migrated.

Domain is in 2000 native mode.
I'm using winbind for squid auth on Mandrake linux 10.0
samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk
When I do a wbinfo -u
I still get STAFF/chris
.

etc
I should get ADMIN/chris

I have changed the win 2003 server admin passwd and joined the say
ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been
changed also in the samba config.
then rebooted,
did kinit [EMAIL PROTECTED]
did klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
        renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
        renew until 01/14/05 00:00:27
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Did net ads join -U [EMAIL PROTECTED]
kadm5.acl
*/[EMAIL PROTECTED]   *
Does this ticket look ok? the krbtgt record looks a little odd to me.

I figure I should get ADMIN/chris, and I cannot see any entries for
STAFF realm left over.
I kdestroyed the ticket and recreated it, but no luck
kdc.conf
[kdcdefaults]
 kdc_ports = 88
 acl_file = /etc/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
[realms]
 ADMIN.SJC = {
  master_key_type = des3-cbc-sha1
  supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
  profile = /etc/krb5.conf
  database_name = /etc/kerberos/krb5kdc/principal
  admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
  admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
  admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  key_stash_file = /etc/kerberos/krb5kdc/.k5stash
  kdc_ports = 88
  kadmind_port = 749
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }

krb5.conf
[libdefaults]
 ticket_lifetime = 24000
 default_realm = ADMIN.SJC
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true
[realms]
 ADMIN.SJC = {
  kdc = sun.admin.sjc:88
  admin_server = sun.admin.sjc:749
  kpasswd_server = sun.admin.sjc
  default_domain = admin.sjc
 }
[domain_realm]
 .admin.sjc = ADMIN.SJC
[kdc]
 profile = /etc/kerberos/krb5kdc/kdc.conf
[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
 [login]
 krb4_convert = false
 krb4_get_tickets = false

Anyway the users cannot auth through our proxy because of this.
Can anyone help? I have to get this fixed by the morning before staff
arrive.
Thanks
Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba