[Samba] Change Password after expired
Charles-Henri Falconnet
charles-henri.falconnet at univ-fcomte.fr
Wed May 11 15:42:59 UTC 2016
Hello,
Yes, I can change the password at next logon. I checked in ADUC and the option
of the account has been unticked. My users can retrieve a new password
by themselves.
I'll try password expiry in 2 days.
Charles
On 11/05/2016 17:10, Carlos A. P. Cunha wrote:
> Hello!
> Can you now change the password for the user even when the password
> has expired or is set to "next logon"?
> PS: With an active account, the password change was already working.
> Hug.
>
>
> On 11-05-2016 07:17, Charles-Henri Falconnet wrote:
>> It works now for all my web apps!
>> If you have an AC.pem, just rename it to AC.crt (update-ca-certificates
>> recognizes only crt files, man update-ca-certificates)
>> Thank you Louis.
>>
>> On 11/05/2016 10:45, L.P.H. van Belle wrote:
>>> I don't know LTB or what exactly it is, but
>>>
>>> Add in /etc/ldap/ldap.conf
>>> TLS_REQCERT allow
>>>
>>> Setup your own "rootCA" like this.
>>> ( if not done, apt-get install ca-certificates )
>>>
>>> mkdir -p /usr/local/share/ca-certificates/chrono
>>> mv /etc/ssl/ca_chrono-dom.lan.pem /usr/local/share/ca-certificates/chrono
>>> update-ca-certificates
>>>
>>> ! MUST BE /usr/local/share/ca-certificates else it's not picked up
>>> with the update-ca-certificates command.
>>>
>>> you should see:
>>> update-ca-certificates
>>> Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
>>> Running hooks in /etc/ca-certificates/update.d....done.
>>>
>>> And correct this back :
>>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>>>
>>> Now, after doing the above, your CA cert is hashed in /etc/ssl/certs
>>> and it's added in /etc/ssl/certs/ca-certificates.crt
>>>
>>> Do this and try again and let us know the result.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Charles-Henri Falconnet
>>>> Sent: Wednesday 11 May 2016 10:03
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Change Password after expired
>>>>
>>>> Hi list,
>>>>
>>>> Same wish here!
>>>> I'd like my users to change their password using LTB (great tool) but
>>>> since 4.2.10 (debian jessie) I lost the connection to samba4.
>>>> I tried using TLS and port 636 in LTB's config.inc.php with a dedicated
>>>> user and put the self signed AC from private/tls but it didn't work.
>>>> Before the upgrade, I was on samba 4.1.17 (debian jessie) and simple
>>>> bind on port 389 for LTB and it worked great.
>>>> I read https://www.samba.org/samba/history/samba-4.2.10.html and the apt
>>>> listchanges of Andrew Bartlett
>>>>
>>>> I'm stuck since the upgrade. I tried to change the new parameters to
>>>> downgrade security but it didn't work (and I don't want less security).
>>>> The active directory works, users can authenticate and access a separate
>>>> member files server.
>>>>
>>>> My smb.conf
>>>>
>>>> [global]
>>>> workgroup = CHRONO-DOM
>>>> realm = CHRONO-DOM.LAN
>>>> netbios name = DMZ-PVE-SRV9
>>>> server role = active directory domain controller
>>>> dns forwarder = xxx.xxx.xxx.xxx
>>>> idmap_ldb:use rfc2307 = yes
>>>> load printers = no
>>>> printing = bsd
>>>> printcap name = /dev/null
>>>> disable spoolss = yes
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-2999
>>>> idmap config CHRONO-DOM : backend = ad
>>>> idmap config CHRONO-DOM : range = 10000-29999
>>>> winbind nss info = rfc2307
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> acl map full control = yes
>>>> syslog = 0
>>>> log level = 7 auth:10 winbind:10
>>>> tls verify peer = ca_only
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/chrono-dom.lan/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /var/lib/samba/sysvol
>>>> read only = No
>>>>
>>>> On the LAMP server with LTB Self Service Password and other web apps I
>>>> configure the ldap.conf with
>>>> TLS_CACERT /etc/ssl/ca_chrono-dom.lan.pem
>>>> TLS_REQCERT never
>>>> and the read mode bit for other
>>>>
>>>> With openssl s_client -showcerts -connect dmz-pve-srv9.chrono-dom.lan:636
>>>> or openssl s_client -CAfile <path to the self signed CA> -showcerts -connect dmz-pve-srv9.chrono-dom.lan:636
>>>> returns Verify return code: 18 (self signed certificate) but I don't
>>>> think that can be a problem.
>>>>
>>>> I appreciate some help.
>>>>
>>>> Charles
>>>>
>>>>
>>>> On 10/05/2016 21:41, Rowland penny wrote:
>>>>> On 10/05/16 20:11, Carlos A. P. Cunha wrote:
>>>>>> In some customer yes, but they are with LTSP (pxe boot) where another
>>>>>> use graphical interface, but would rather have a web interface to
>>>>>> change the password.
>>>>>> This would also be used for windows stations off the field.
>>>>>>
>>>>>>
>>>>>>
>>>>> What is wrong with the 'LTB Self Service Password' program ??
>>>>>
>>>>> Did you configure 'config.inc.php' correctly ?
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
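An added example, not part of the original thread: a shell check for the two client-side points the thread turns on, the `TLS_REQCERT` level in `ldap.conf` and whether a CA file placed under the local CA directory has the `.crt` extension that `update-ca-certificates` needs. The function names, the "last occurrence wins" parsing and the demo files are assumptions made for this sketch; the option name must be passed in upper case.

```shell
#!/bin/sh
# Added example (not from the thread). Sample config below is constructed.

# ldap_opt FILE OPTION DEFAULT: value of an ldap.conf option, or DEFAULT if unset.
# Simplification (assumption): the last uncommented occurrence is taken.
ldap_opt() {
    awk -v opt="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        toupper($1) == opt { val = $2 }
        END { print (val == "" ? def : val) }' "$1"
}

# audit_ldap_conf FILE: report the certificate-checking level; non-zero if weakened.
audit_ldap_conf() {
    level=$(ldap_opt "$1" TLS_REQCERT demand | tr 'A-Z' 'a-z')
    case "$level" in
        demand|hard|try)
            echo "OK: TLS_REQCERT $level (a bad server certificate aborts the session)"
            return 0 ;;
        never|allow)
            echo "WEAK: TLS_REQCERT $level (session continues with an unverified server certificate)"
            return 1 ;;
        *)
            echo "UNKNOWN: TLS_REQCERT $level"
            return 2 ;;
    esac
}

# skipped_ca_files DIR: files update-ca-certificates ignores because they are not *.crt.
skipped_ca_files() {
    find "$1" -type f ! -name '*.crt' | sort
}

# Demo on constructed input mirroring the client settings quoted in the thread.
demo=$(mktemp -d)
printf '%s\n' 'TLS_CACERT /etc/ssl/ca_chrono-dom.lan.pem' 'TLS_REQCERT never' > "$demo/ldap.conf"
mkdir -p "$demo/ca/chrono"
: > "$demo/ca/chrono/ca_chrono-dom.lan.pem"
audit_ldap_conf "$demo/ldap.conf" || true
echo "Not picked up: $(skipped_ca_files "$demo/ca")"
rm -rf "$demo"
```

On the web server, `audit_ldap_conf /etc/ldap/ldap.conf` and `skipped_ca_files /usr/local/share/ca-certificates` run the same checks against the live files.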