[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
Mark Foley
mfoley at ohprs.org
Fri Jan 15 05:21:42 UTC 2016
On January 14, 2016 at 12:16 Rowland Penny wrote:
> Using 'passwd' does work, but pam has to be set up correctly and you
> cannot change the password on the first day unless you change the
> minimum password age to '0'
You answer piles of questions on this list, so you may not remember, but you helped me set this
whole domain-member/single logon thing last October. The only thing you had me change with the
as-installed PAM configuration was to add to /etc/pam.d/common-account:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0002

I also found I needed to change a line in /etc/pam.d/common-password to:

    password [success=3 default=ignore] pam_krb5.so minimum_uid=10000

(instead of minimum_uid=1000) in order to have my non-domain local users be able to change
their passwords using passwd.
If there is a PAM file I can post to verify its correctness, I'd be happy to do that.
> OK, I use Mate on debian wheezy and after a bit of testing, I have found
> that you can change a user's AD password with the gdm3 login manager.
I will investigate gdm3 and post back results. I am using Cinnamon on Ubuntu 15.10, but I
suppose it should work.
Thanks for your response!
--Mark
-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Thu, 14 Jan 2016 12:16:22 +0000
> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On,
>
> On 14/01/16 09:36, Rowland penny wrote:
> > On 14/01/16 05:54, Mark Foley wrote:
> >> Hmmm, this message is a week old and nothing?
> >>
> >> I know many of you have domain member hosts in your domain and surely
> >> are logging in as domain
> >> users authenticating with the Samba4 AD/DC, right?
> >>
> >> How do you change your password without having the domain
> >> Administrator do it for you?
> >>
> >> --Mark
> >>
> >> -----Original Message-----
> >> From: Mark Foley <mfoley at ohprs.org>
> >> Date: Fri, 08 Jan 2016 12:10:16 -0500
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Samba AD/DC, Single-Sign-On,
> >> domain users cannot change password
> >>
> >> I have successfully joined my Linux/Ubuntu workstation to the Samba
> >> AD/DC domain thanks to
> >> help from Rowland Penny.
> >>
> >> Now I face an interesting problem ... Domain users cannot change
> >> their password.
> >>
> >> Domain users can successfully login to the Linux workstation using
> >> their domain credentials,
> >> but when the user tries to change the password using "Passwords and
> >> Keys" from the desktop
> >> utility, it does nothing.
> >>
> >> Trying to change the password from a terminal session using `passwd`
> >> gives the prompt: "Current
> >> Kerberos password:" but entering the current domain password is not
> >> accepted and the prompt repeats.
> >>
> >> If the Domain Administrator set the user's account to "User must
> >> change password at next
> >> login", or if the domain policy expires passwords after so-many days,
> >> the user cannot log into
> >> the Linux workstations -- the display manager login dialog spins for
> >> several minutes, then
> >> shows, "Invalid password, please try again."
> >>
> >> This is serious. How does a domain user change his own password?
> >>
> >> HELP!
> >>
> >> --Mark
> >>
> >
> > Using 'passwd' does work, but pam has to be set up correctly and you
> > cannot change the password on the first day unless you change the
> > minimum password age to '0'
> >
> > Changing the password at login has nothing to do with Samba (provided
> > you can change it from the CLI, see above), it is down to your login
> > manager.
> >
> > Rowland
> >
> >
>
> OK, I use Mate on debian wheezy and after a bit of testing, I have found
> that you can change a user's AD password with the gdm3 login manager.
>
> Rowland
>
>
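
The effect of the minimum_uid change described in the message above, as an added example that is not part of the original thread: it reads the pam_krb5 line from a password stack and reports which accounts pam_krb5 acts on and which it ignores. The pam_unix line, the account names and UIDs, and the function names are constructed for illustration.

```python
import re

# Constructed sample: the pam_krb5 line quoted in the message plus a
# hypothetical pam_unix line; not copied from a real system.
COMMON_PASSWORD = """\
password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
password [success=2 default=ignore] pam_unix.so obscure use_authtok sha512
"""

# Constructed `getent passwd` style lines; names and UIDs are hypothetical.
ACCOUNTS = """\
root:x:0:0:root:/root:/bin/bash
localuser:x:1000:1000:Local User:/home/localuser:/bin/bash
domainuser:*:3000012:100:Domain User:/home/domainuser:/bin/bash
"""

def krb5_minimum_uid(pam_text, pam_type="password"):
    """minimum_uid of the first pam_krb5.so line of pam_type.

    0 if the option is absent (assumed: no UID filter), None if no such line.
    """
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != pam_type:
            continue
        if "pam_krb5.so" not in fields:
            continue
        for opt in fields[fields.index("pam_krb5.so") + 1:]:
            m = re.fullmatch(r"minimum_uid=(\d+)", opt)
            if m:
                return int(m.group(1))
        return 0
    return None

def handled_by_krb5(accounts_text, min_uid):
    """Map account name -> True if pam_krb5 acts on it, False if ignored."""
    result = {}
    for line in accounts_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            # pam_krb5 ignores users whose UID is below minimum_uid.
            result[parts[0]] = int(parts[2]) >= min_uid
    return result

if __name__ == "__main__":
    for min_uid in (1000, krb5_minimum_uid(COMMON_PASSWORD)):
        print(f"minimum_uid={min_uid}: {handled_by_krb5(ACCOUNTS, min_uid)}")
```

With minimum_uid=1000 the local account at UID 1000 is still routed to pam_krb5; at 10000 only the domain account is.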