Hi,

We just imported (moved) all our staff from the old w2k domain to the new w2k3 domain, i.e. their accounts and passwords
from the STAFF domain to, say, NEW. It seems winbind is keeping the old domain users.



I'm using winbind for squid auth on Mandrake linux 10.0

samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk


When I do a wbinfo -u

I still get STAFF/chris
.....
....
etc

I should get ADMIN/chris



I have changed the win 2003 server admin passwd and joined the, say, "ADMIN" domain and "ADMIN.SJC" realm. The /etc/kerberos/* settings have been changed, and so has the samba config.

Then I rebooted,

did kinit [EMAIL PROTECTED]
did klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/[EMAIL PROTECTED]
       renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  [EMAIL PROTECTED]
       renew until 01/14/05 00:00:27


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Did net ads join -U [EMAIL PROTECTED]


kadm5.acl */[EMAIL PROTECTED] *

Does this ticket look OK? The krbtgt record looks a little odd to me.



I figure I should get ADMIN/chris, and I cannot see any entries for the STAFF realm left over.
I kdestroyed the ticket and recreated it, but no luck.


kdc.conf

[kdcdefaults]
kdc_ports = 88
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
ADMIN.SJC = {
master_key_type = des3-cbc-sha1
supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
profile = /etc/krb5.conf
database_name = /etc/kerberos/krb5kdc/principal
admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /etc/kerberos/krb5kdc/.k5stash
kdc_ports = 88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}




krb5.conf
[libdefaults]
ticket_lifetime = 24000
default_realm = ADMIN.SJC
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true

[realms]
ADMIN.SJC = {
 kdc = sun.admin.sjc:88
 admin_server = sun.admin.sjc:749
 kpasswd_server = sun.admin.sjc
 default_domain = admin.sjc
}

[domain_realm]
.admin.sjc = ADMIN.SJC

[kdc]
profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

[login]
krb4_convert = false
krb4_get_tickets = false




Anyway, the users cannot auth through our proxy because of this.
Can anyone help? I have to get this fixed by the morning before staff arrive.


Thanks
Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
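An added triage script for the symptom in the post above (wbinfo -u still listing users from the old domain after the box was joined to the new one). It is not part of the original message and not Samba's own tooling. It assumes the domain names STAFF and ADMIN and the "/" separator visible in the wbinfo output (Samba's default separator is "\", so smb.conf presumably sets "winbind separator = /"); the cache tdb path and the "winbind" init script name are typical Samba 3.0 locations, not taken from the post, and may differ on a given build. The offline part classifies a captured wbinfo -u listing; the live part runs the same checks against the running winbind.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Samba project.
# Offline triage for: "wbinfo -u" still lists users from the old domain
# after the host was joined to the new one.
#
# Assumptions (not stated in the post, apart from the domain names and the
# "/" separator visible in the wbinfo output):
#   - old domain prefix is STAFF, expected new prefix is ADMIN
#   - smb.conf sets "winbind separator = /" (Samba default is "\")
#   - Samba 3.0 keeps the winbind cache in winbindd_cache.tdb under its
#     lock directory; the path below is typical and may differ per build
#   - winbind is controlled through an init script called "winbind"

OLD_DOMAIN="${OLD_DOMAIN:-STAFF}"
NEW_DOMAIN="${NEW_DOMAIN:-ADMIN}"
SEP="${SEP:-/}"
WINBIND_CACHE="${WINBIND_CACHE:-/var/cache/samba/winbindd_cache.tdb}"

# domains_seen: read "wbinfo -u" output on stdin, print each domain prefix
# once. Quickest way to see whether the old domain is still enumerated
# (for example through a trust from the new domain back to the old one).
domains_seen() {
    awk -v s="$SEP" '{ i = index($0, s); if (i > 1) print substr($0, 1, i - 1) }' | sort -u
}

# count_for_domain DOMAIN: number of "DOMAIN<sep>user" entries on stdin.
# Uses awk rather than grep so a "\" separator needs no regex escaping.
count_for_domain() {
    awk -v d="$1" -v s="$SEP" 'index($0, d s) == 1 { n++ } END { print n + 0 }'
}

# classify: read "wbinfo -u" output on stdin and print one of
#   STALE       old-domain entries are still present
#   NOT_JOINED  no entries for the new domain at all (join/DC contact broken)
#   OK          only new-domain entries
classify() {
    input=$(cat)
    old=$(printf '%s\n' "$input" | count_for_domain "$OLD_DOMAIN")
    new=$(printf '%s\n' "$input" | count_for_domain "$NEW_DOMAIN")
    if [ "$old" -gt 0 ]; then
        echo STALE
    elif [ "$new" -eq 0 ]; then
        echo NOT_JOINED
    else
        echo OK
    fi
}

# live_check: the same checks against the running system (not run by the
# offline demo). wbinfo -t, wbinfo -m and net ads testjoin exist in 3.0.x.
live_check() {
    echo "== trust secret";           wbinfo -t
    echo "== join";                   net ads testjoin
    echo "== trusted domains";        wbinfo -m
    echo "== domains in wbinfo -u";   wbinfo -u | domains_seen
    echo "== verdict";                wbinfo -u | classify
}

# flush_winbind_cache: stop winbind, move the cache tdb aside (kept for
# comparison rather than deleted), start winbind again. Run as root.
flush_winbind_cache() {
    service winbind stop
    [ -f "$WINBIND_CACHE" ] && mv "$WINBIND_CACHE" "$WINBIND_CACHE.old"
    service winbind start
}

# demo: constructed sample listing (not real data) in the shape shown
# in the post; prints STALE.
demo() {
    printf 'STAFF/chris\nSTAFF/alice\nADMIN/chris\n' | classify
}

case "${1:-demo}" in
    live)  live_check ;;
    flush) flush_winbind_cache ;;
    demo)  demo ;;
esac
```

Run it as "sh winbind-triage.sh live" on the proxy to get the verdict from the real winbind, and "sh winbind-triage.sh flush" (as root) to discard the cached enumeration before re-checking; a verdict of STALE after a flush points at a trust to the old domain rather than at the cache, which "wbinfo -m" will show.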