Re: [Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Hi Buchan, Thanks for your reply. I've just finished reading it. I'm happy to say, I managed to get it working a few hours ago. Seems to have been a firewall issue. Could you suggest what winbind/samba/kerberos ports should be allowed in and out. I'm not a big fan of running squid and winbind on the firewall, but management want it there for now. (IP addresses removed) Here are my rules # Winbind ACCEPT$FW locudp 1024: 137 ACCEPTloc $FW udp 1024: 137 ACCEPT $FW loc udp 88,137,138,139,88,749,389 - ACCEPT $FW loc tcp 749,88,137:139,88,389 - I have been using samba for (kerberos/ADS last year; On Mandrake for 5 or six years) years, everywhere I go I introduce it. It's solid. Thanks doing good samba builds including posix support and Thank to the samba team. Thanks. Chris Buchan Milne wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Chris, I am the samba maintainer for Mandrake ... so I may be able to help. I am not sure on the timezone issues ... but if you're still up, I can join you somewhere on IRC or if you have jabber you can get me at [EMAIL PROTECTED] Anyway, see below ... | | Hi, | | | | We just imported (moved) all our staff from the old w2k domain to the | new w2k3 domain. Say their accounts and passwords | From STAFF domain to say NEW. Seems winbind is keeping the old domain | users. This server was serving the STAFF domain w/o problems before users were migrated. | | Domain is in 2000 native mode. | | | I'm using winbind for squid auth on Mandrake linux 10.0 | | samba-client-3.0.10-0.1.100mdk | samba-winbind-3.0.10-0.1.100mdk | samba-doc-3.0.10-0.1.100mdk | samba-common-3.0.10-0.1.100mdk | samba-server-3.0.10-0.1.100mdk | | | When I do a wbinfo -u | | I still get STAFF/chris | . | | etc | | I should get ADMIN/chris | | | | I have changed the win 2003 server admin passwd and joined the say | ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been | changed also in the samba config. | | then rebooted, | | did kinit [EMAIL PROTECTED] | did klist | | Ticket cache: FILE:/tmp/krb5cc_0 | Default principal: [EMAIL PROTECTED] | | Valid starting ExpiresService principal | 01/13/05 00:00:27 01/13/05 10:01:16 krbtgt/[EMAIL PROTECTED] | renew until 01/14/05 00:00:27 | 01/13/05 00:01:59 01/13/05 10:01:16 [EMAIL PROTECTED] | renew until 01/14/05 00:00:27 | | | Kerberos 4 ticket cache: /tmp/tkt0 | klist: You have no tickets cached | | Did net ads join -U [EMAIL PROTECTED] | | | kadm5.acl | */[EMAIL PROTECTED] * | | Does this ticket look ok? the krbtgt record looks a little odd to me. | | | | I figure I should get ADMIN/chris, and I cannot see any entries for | STAFF realm left over. | I kdestroyed the ticket and recreated it, but no luck | | kdc.conf | | [kdcdefaults] | kdc_ports = 88 | acl_file = /etc/kerberos/krb5kdc/kadm5.acl | dict_file = /usr/share/dict/words | admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab | | [realms] | ADMIN.SJC = { | master_key_type = des3-cbc-sha1 | supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal | des-cbc-crc:v4 des-cbc-crc:afs3 | profile = /etc/krb5.conf | database_name = /etc/kerberos/krb5kdc/principal | admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb | admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock | admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab | acl_file = /etc/kerberos/krb5kdc/kadm5.acl | dict_file = /usr/share/dict/words | key_stash_file = /etc/kerberos/krb5kdc/.k5stash | kdc_ports = 88 | kadmind_port = 749 | max_life = 10h 0m 0s | max_renewable_life = 7d 0h 0m 0s | } | | | | krb5.conf | [libdefaults] | ticket_lifetime = 24000 | default_realm = ADMIN.SJC | default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 | default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 | permitted_enctypes = des3-hmac-sha1 des-cbc-crc I think you should remove at least this line, probably all the above. | dns_lookup_realm = false | dns_lookup_kdc = false You should be able to set that to true. | kdc_req_checksum_type = 2 | checksum_type = 2 | ccache_type = 1 | forwardable = true | proxiable = true | | [realms] | ADMIN.SJC = { | kdc = sun.admin.sjc:88 | admin_server = sun.admin.sjc:749 | kpasswd_server = sun.admin.sjc | default_domain = admin.sjc | } | | [domain_realm] | .admin.sjc = ADMIN.SJC | | [kdc] | profile = /etc/kerberos/krb5kdc/kdc.conf | | [pam] | debug = false | ticket_lifetime = 36000 | renew_lifetime = 36000 | forwardable = true | krb4_convert = false | | [login] | krb4_convert = false | krb4_get_tickets = false | | Bump up your samba logging to at least 3, and check the log.winbindd, I suspect you're probably getting the Could not verify incoming ticket problem. Also, you may want to stop samba, backup/remove the winbind cache files in /var/cache/samba, and restart samba. | Anyway the
Re: [Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Chris, Windows networking plus LDAP and Kerberos makes use of the following ports: 137 and 138 - UDP 88, 135, 139, 389, 445, 636 - TCP Check in your /etc/services file to see what each of these ports are used for. - John T. On Thursday 13 January 2005 03:53, Chris Welsh wrote: Hi Buchan, Thanks for your reply. I've just finished reading it. I'm happy to say, I managed to get it working a few hours ago. Seems to have been a firewall issue. Could you suggest what winbind/samba/kerberos ports should be allowed in and out. I'm not a big fan of running squid and winbind on the firewall, but management want it there for now. (IP addresses removed) Here are my rules # Winbind ACCEPT$FW locudp 1024: 137 ACCEPTloc $FW udp 1024: 137 ACCEPT $FW loc udp 88,137,138,139,88,749,389 - ACCEPT $FW loc tcp 749,88,137:139,88,389 - I have been using samba for (kerberos/ADS last year; On Mandrake for 5 or six years) years, everywhere I go I introduce it. It's solid. Thanks doing good samba builds including posix support and Thank to the samba team. Thanks. Chris Buchan Milne wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Chris, I am the samba maintainer for Mandrake ... so I may be able to help. I am not sure on the timezone issues ... but if you're still up, I can join you somewhere on IRC or if you have jabber you can get me at [EMAIL PROTECTED] Anyway, see below ... | Hi, | | | | We just imported (moved) all our staff from the old w2k domain to the | new w2k3 domain. Say their accounts and passwords | From STAFF domain to say NEW. Seems winbind is keeping the old domain | users. This server was serving the STAFF domain w/o problems before users were migrated. | Domain is in 2000 native mode. | | | I'm using winbind for squid auth on Mandrake linux 10.0 | | samba-client-3.0.10-0.1.100mdk | samba-winbind-3.0.10-0.1.100mdk | samba-doc-3.0.10-0.1.100mdk | samba-common-3.0.10-0.1.100mdk | samba-server-3.0.10-0.1.100mdk | | | When I do a wbinfo -u | | I still get STAFF/chris | . | | etc | | I should get ADMIN/chris | | | | I have changed the win 2003 server admin passwd and joined the say | ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been | changed also in the samba config. | | then rebooted, | | did kinit [EMAIL PROTECTED] | did klist | | Ticket cache: FILE:/tmp/krb5cc_0 | Default principal: [EMAIL PROTECTED] | | Valid starting ExpiresService principal | 01/13/05 00:00:27 01/13/05 10:01:16 krbtgt/[EMAIL PROTECTED] | renew until 01/14/05 00:00:27 | 01/13/05 00:01:59 01/13/05 10:01:16 [EMAIL PROTECTED] | renew until 01/14/05 00:00:27 | | | Kerberos 4 ticket cache: /tmp/tkt0 | klist: You have no tickets cached | | Did net ads join -U [EMAIL PROTECTED] | | | kadm5.acl | */[EMAIL PROTECTED] * | | Does this ticket look ok? the krbtgt record looks a little odd to me. | | | | I figure I should get ADMIN/chris, and I cannot see any entries for | STAFF realm left over. | I kdestroyed the ticket and recreated it, but no luck | | kdc.conf | | [kdcdefaults] | kdc_ports = 88 | acl_file = /etc/kerberos/krb5kdc/kadm5.acl | dict_file = /usr/share/dict/words | admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab | | [realms] | ADMIN.SJC = { | master_key_type = des3-cbc-sha1 | supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal | des-cbc-crc:v4 des-cbc-crc:afs3 | profile = /etc/krb5.conf | database_name = /etc/kerberos/krb5kdc/principal | admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb | admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock | admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab | acl_file = /etc/kerberos/krb5kdc/kadm5.acl | dict_file = /usr/share/dict/words | key_stash_file = /etc/kerberos/krb5kdc/.k5stash | kdc_ports = 88 | kadmind_port = 749 | max_life = 10h 0m 0s | max_renewable_life = 7d 0h 0m 0s | } | | | | krb5.conf | [libdefaults] | ticket_lifetime = 24000 | default_realm = ADMIN.SJC | default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 | default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 | permitted_enctypes = des3-hmac-sha1 des-cbc-crc I think you should remove at least this line, probably all the above. | dns_lookup_realm = false | dns_lookup_kdc = false You should be able to set that to true. | kdc_req_checksum_type = 2 | checksum_type = 2 | ccache_type = 1 | forwardable = true | proxiable = true | | [realms] | ADMIN.SJC = { | kdc = sun.admin.sjc:88 | admin_server = sun.admin.sjc:749 | kpasswd_server = sun.admin.sjc | default_domain =
[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Hi, We just imported (moved) all our staff from the old w2k domain to the new w2k3 domain. Say their accounts and passwords From STAFF domain to say NEW. Seems winbind is keeping the old domain users. This server was serving the STAFF domain w/o problems before users were migrated. Domain is in 2000 native mode. I'm using winbind for squid auth on Mandrake linux 10.0 samba-client-3.0.10-0.1.100mdk samba-winbind-3.0.10-0.1.100mdk samba-doc-3.0.10-0.1.100mdk samba-common-3.0.10-0.1.100mdk samba-server-3.0.10-0.1.100mdk When I do a wbinfo -u I still get STAFF/chris . etc I should get ADMIN/chris I have changed the win 2003 server admin passwd and joined the say ADMIN domain and ADMIN.SJC realm. /etc/kerberos/* settings have been changed also in the samba config. then rebooted, did kinit [EMAIL PROTECTED] did klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [EMAIL PROTECTED] Valid starting ExpiresService principal 01/13/05 00:00:27 01/13/05 10:01:16 krbtgt/[EMAIL PROTECTED] renew until 01/14/05 00:00:27 01/13/05 00:01:59 01/13/05 10:01:16 [EMAIL PROTECTED] renew until 01/14/05 00:00:27 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached Did net ads join -U [EMAIL PROTECTED] kadm5.acl */[EMAIL PROTECTED] * Does this ticket look ok? the krbtgt record looks a little odd to me. I figure I should get ADMIN/chris, and I cannot see any entries for STAFF realm left over. I kdestroyed the ticket and recreated it, but no luck kdc.conf [kdcdefaults] kdc_ports = 88 acl_file = /etc/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab [realms] ADMIN.SJC = { master_key_type = des3-cbc-sha1 supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 profile = /etc/krb5.conf database_name = /etc/kerberos/krb5kdc/principal admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab acl_file = /etc/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words key_stash_file = /etc/kerberos/krb5kdc/.k5stash kdc_ports = 88 kadmind_port = 749 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s } krb5.conf [libdefaults] ticket_lifetime = 24000 default_realm = ADMIN.SJC default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = false kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forwardable = true proxiable = true [realms] ADMIN.SJC = { kdc = sun.admin.sjc:88 admin_server = sun.admin.sjc:749 kpasswd_server = sun.admin.sjc default_domain = admin.sjc } [domain_realm] .admin.sjc = ADMIN.SJC [kdc] profile = /etc/kerberos/krb5kdc/kdc.conf [pam] debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false [login] krb4_convert = false krb4_get_tickets = false Anyway the users cannot auth through out proxy because of this. Can anyone help. I have to get this fixed by the morning before staff arrive. Thanks Chris -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba