[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
Rowland penny
rpenny at samba.org
Thu Apr 22 21:36:56 UTC 2021
On 22/04/2021 21:45, Kees van Vloten wrote:
> On 22-04-2021 22:31, Rowland penny via samba wrote:
>> On 22/04/2021 21:11, Kees van Vloten via samba wrote:
>>> Hi,
>>>
>>> I have freshly setup 2 lxc containers with Samba 4.13 on Debian
>>> Buster (installed from apt.van-belle.nl/debian).
>>> The first runs samba-ad-dc, the second has samba + winbind and has
>>> joined the AD domain.
>>>
>>> A domain user is created with samba-tool with the option
>>> --must-change-at-next-login. A login with the user succeeds the
>>> first time, with some interesting output:
>>>
>>> kvv@bach:~$ ssh grieg
>>> kvv@grieg's password:
>>> Password expired. You must change it now.
>>> Password change rejected: Try a more complex password, or contact
>>> your administrator.. Please try again.
>>>
>>> Password change rejected: Try a more complex password, or contact
>>> your administrator.. Please try again.
>>>
>>> Your password has expired
>>> Linux grieg 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19)
>>> x86_64
>>
>>
>> I think you have run into this bug:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=14622
>>
>> Rowland
>>
>>
>>
> Hi Rowland,
>
> I am not sure that bug is applicable since I have no ssh-keys
> configured on the user.
>
> The bug says that scenario does work with SSSD. I have actually tried
> SSSD before winbind. SSSD is different: it does present a change
> password sequence and lets me change it (it does get changed in AD as
> well), but at the next login it wants me to change it again and it
> continues to do so, i.e. I cannot log in.
>
> --
> Kees van Vloten
>
I was really referring to the fact that winbind and PAM do not really
work for anything but authentication (you can log in via ssh with a
disabled user) and, as far as I am aware, you cannot change a user's
password via winbind. I just don't think there is the code to do what
you are trying, but I am very willing to be proved wrong.
Rowland