Christopher Welsh
2005-Jan-12 22:07 UTC
[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Hi,

We just imported (moved) all our staff from the old w2k domain to the new w2k3 domain. Say their accounts and passwords from STAFF domain to say NEW. Seems winbind is keeping the old domain users. This server was serving the STAFF domain w/o problems before users were migrated.

Domain is in 2000 native mode.

I'm using winbind for squid auth on Mandrake linux 10.0

samba-client-3.0.10-0.1.100mdk
samba-winbind-3.0.10-0.1.100mdk
samba-doc-3.0.10-0.1.100mdk
samba-common-3.0.10-0.1.100mdk
samba-server-3.0.10-0.1.100mdk

When I do a wbinfo -u

I still get STAFF/chris
.....
....
etc

I should get ADMIN/chris

I have changed the win 2003 server admin passwd and joined the say "ADMIN" domain and "ADMIN.SJC" realm. /etc/kerberos/* settings have been changed also in the samba config.

then rebooted,

did kinit administrator@ADMIN.SJC
did klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ADMIN.SJC

Valid starting     Expires            Service principal
01/13/05 00:00:27  01/13/05 10:01:16  krbtgt/ADMIN.SJC@ADMIN.SJC
        renew until 01/14/05 00:00:27
01/13/05 00:01:59  01/13/05 10:01:16  sun$@ADMIN.SJC
        renew until 01/14/05 00:00:27

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Did net ads join -U administrator@ADMIN.SJC

kadm5.acl
*/administartor@ADMIN.SJC *

Does this ticket look ok? The krbtgt record looks a little odd to me.

I figure I should get ADMIN/chris, and I cannot see any entries for STAFF realm left over.
I kdestroyed the ticket and recreated it, but no luck.

kdc.conf

[kdcdefaults]
    kdc_ports = 88
    acl_file = /etc/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
    ADMIN.SJC = {
        master_key_type = des3-cbc-sha1
        supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        profile = /etc/krb5.conf
        database_name = /etc/kerberos/krb5kdc/principal
        admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
        admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
        admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
        acl_file = /etc/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        key_stash_file = /etc/kerberos/krb5kdc/.k5stash
        kdc_ports = 88
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

krb5.conf

[libdefaults]
    ticket_lifetime = 24000
    default_realm = ADMIN.SJC
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_req_checksum_type = 2
    checksum_type = 2
    ccache_type = 1
    forwardable = true
    proxiable = true

[realms]
    ADMIN.SJC = {
        kdc = sun.admin.sjc:88
        admin_server = sun.admin.sjc:749
        kpasswd_server = sun.admin.sjc
        default_domain = admin.sjc
    }

[domain_realm]
    .admin.sjc = ADMIN.SJC

[kdc]
    profile = /etc/kerberos/krb5kdc/kdc.conf

[pam]
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

[login]
    krb4_convert = false
    krb4_get_tickets = false

Anyway the users cannot auth through our proxy because of this. Can anyone help? I have to get this fixed by the morning before staff arrive.

Thanks
Chris
Chris Welsh
2005-Jan-13 10:53 UTC
[Samba] URGENT winbind - New DOMAIN but old DOMAIN not CHANGING - Resent
Hi Buchan,

Thanks for your reply. I've just finished reading it. I'm happy to say, I managed to get it working a few hours ago. Seems to have been a firewall issue.

Could you suggest what winbind/samba/kerberos ports should be allowed in and out? I'm not a big fan of running squid and winbind on the firewall, but management want it there for now. (IP addresses removed)

Here are my rules

# Winbind
ACCEPT $FW loc udp 1024: 137
ACCEPT loc $FW udp 1024: 137
ACCEPT $FW loc udp 88,137,138,139,88,749,389 -
ACCEPT $FW loc tcp 749,88,137:139,88,389 -

I have been using samba for years (kerberos/ADS last year; on Mandrake for 5 or six years); everywhere I go I introduce it. It's solid. Thanks for doing good samba builds including posix support, and thanks to the samba team.

Thanks.
Chris

Buchan Milne wrote:
> Hi Chris,
>
> I am the samba maintainer for Mandrake ... so I may be able to help.
>
> I am not sure on the timezone issues ... but if you're still up, I can
> join you somewhere on IRC or if you have jabber you can get me at
> bgmilne@jabber.obsidian.co.za
>
> Anyway, see below ...
>
> | Hi,
> |
> | We just imported (moved) all our staff from the old w2k domain to the
> | new w2k3 domain. Say their accounts and passwords
> | from STAFF domain to say NEW. Seems winbind is keeping the old domain
> | users. This server was serving the STAFF domain w/o problems before
> | users were migrated.
> |
> [...]
> |
> | krb5.conf
> | [libdefaults]
> | ticket_lifetime = 24000
> | default_realm = ADMIN.SJC
> | default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> | default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> | permitted_enctypes = des3-hmac-sha1 des-cbc-crc
>
> I think you should remove at least this line, probably all the above.
>
> | dns_lookup_realm = false
> | dns_lookup_kdc = false
>
> You should be able to set that to true.
>
> [...]
>
> Bump up your samba logging to at least 3, and check the log.winbindd, I
> suspect you're probably getting the "Could not verify incoming ticket"
> problem.
>
> Also, you may want to stop samba, backup/remove the winbind cache files
> in /var/cache/samba, and restart samba.
>
> | Anyway the users cannot auth through our proxy because of this.
> | Can anyone help? I have to get this fixed by the morning before staff
> | arrive.
>
> Hope this helps.
>
> BTW, also check:
> http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_mandrake.html
>
> (although there are some other errors, see the changes made to krb5.conf)
>
> Regards,
> Buchan
>
> --
> Buchan Milne                  Senior Support Technician
> Obsidian Systems              http://www.obsidian.co.za
> B.Eng RHCE (803004789010797)
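An added example, not part of the thread and not Samba project code: a small Python audit of the Shorewall rules Chris posted, checked against the ports a Samba 3 winbind host needs to reach its Active Directory domain controllers. The port list is from general AD/Samba knowledge, not from the thread; the script assumes the DCs sit in the "loc" zone, that reply packets are handled by connection tracking, and that only the "# Winbind" section was posted (so DNS may already be allowed by a rule not shown).

```python
# Audit Shorewall rules for the ports an AD-joined Samba 3 winbind host needs.
# Constructed copy of the "# Winbind" rules posted in the thread (IPs removed).
RULES = """\
ACCEPT $FW loc udp 1024: 137
ACCEPT loc $FW udp 1024: 137
ACCEPT $FW loc udp 88,137,138,139,88,749,389 -
ACCEPT $FW loc tcp 749,88,137:139,88,389 -
"""
# Assumption: the domain controllers sit in the "loc" zone, so only $FW -> loc
# rules matter (replies are handled by connection tracking).
REQUIRED = {  # (proto, port) a Samba 3 winbind host uses towards its AD DCs
    ("udp", 53): "DNS (SRV lookup of DCs)", ("tcp", 53): "DNS (large replies)",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos (large tickets)",
    ("udp", 137): "NetBIOS name service", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "SMB over NetBIOS", ("tcp", 445): "SMB over TCP (RPC pipes)",
    ("udp", 389): "CLDAP DC discovery", ("tcp", 389): "LDAP",
    ("udp", 464): "kpasswd (machine password change)", ("tcp", 464): "kpasswd",
}
# Open in the posted rules but not an AD service: AD DCs run no MIT kadmind.
UNNEEDED = {("tcp", 749): "MIT kadmin", ("udp", 749): "MIT kadmin"}

def parse_rules(text):
    """Yield (SOURCE, DEST, PROTO, DPORT) for each ACCEPT rule; SPORT is ignored."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "ACCEPT":
            yield f[1], f[2], f[3].lower(), f[4]

def dport_matches(spec, port):
    """True if a Shorewall DPORT spec ('-', '88', '137:139', '1024:') covers port."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        if sep and int(lo or 1) <= port <= int(hi or 65535):
            return True
        if not sep and int(item) == port:
            return True
    return False

def audit(text, src="$FW", dst="loc"):
    """Return (missing, unneeded): dicts keyed by (proto, port) with a reason."""
    rules = [r for r in parse_rules(text) if r[0] == src and r[1] == dst]
    def allowed(proto, port):
        return any(p == proto and dport_matches(d, port) for _, _, p, d in rules)
    missing = {k: v for k, v in REQUIRED.items() if not allowed(*k)}
    unneeded = {k: v for k, v in UNNEEDED.items() if allowed(*k)}
    return missing, unneeded
```

On the posted rules the audit reports tcp/445, tcp+udp/464 and tcp+udp/53 as missing and tcp+udp/749 as open without an AD service behind it; Samba 3 prefers 445 over 139 for its RPC pipes, so its absence is the first thing to check when a join or winbind lookup fails across a firewall.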