[Samba] Password Must Change using SSSD in Samba 4.1.10

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 7 03:11:10 MST 2015


On 07/01/15 10:04, Ashish Yadav wrote:
> Hi,
>
> I am trying to implement the *password must change at next logon* in CentOS
> 6.5 client using sssd 1.11.6 where Samba 4.1.10 is my backend server.
>
> Here is the list of things which I have done:
>
> 1. I have set up the CentOS to do the Domain login using sssd service. I am
> able to log in to the CentOS client using Domain user's credentials from
> display and from SSH also, no problem at all.
>
> 2. Next thing which I want to implement is that password must change
> feature into Samba 4.1.10 server. To do that, I have been using Windows 7
> ultimate which is already in Domain and I am using RSAT tools for users and
> groups where I have an option to check the "password must change at next
> logon" option for particular user.
> After doing that Windows machine is honoring this and telling user to
> change the password and allowing user to login after changing the password.
>
> 3. As far as the CentOS client is concerned, it was not honoring the
> password must change and allowing user to login without asking for password
> change using sssd with current password.
>
> Here is the configuration file of sssd service,
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = EXAMPLE
> sbus_timeout = 30
>
> [nss]
> filter_users = root
> filter_groups = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
> offline_credentials_expiration = 0
>
> [domain/EXAMPLE]
> entry_cache_timeout = 600
> entry_cache_group_timeout = 600
> min_id = 1000
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> ldap_schema = rfc2307bis
> ldap_uri = ldap://smbad.intra.example.com:390/
> ldap_search_base = dc=intra,dc=example,dc=com
> cache_credentials = true
> krb5_server = smbad.intra.example.com:8880
> krb5_realm= INTRA.EXAMPLE.COM
>
> ldap_default_bind_dn = cn=admin,dc=intra,dc=example,dc=com
>
> ldap_default_authtok_type = password
> ldap_default_authtok = 6pNEn7Eo3zmz9MxciGLx
>
> 4. I have also tried to achieve above thing using command line tool
> "pdbedit" but without any luck. Here is the link which I have followed:
> <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing>
>
> Please share your thoughts in order to help me and move forward to solve
> this problem.
>
> Thanks very much and regards,
> Ashishkumar S. Yadav

Hi, you may have more chance of getting this resolved if you take it to
the sssd mailing list. By your own admission, samba4 is working, so it
is probably an sssd problem; sssd is not part of samba.

Rowland


