winbind cross forest trust

Stefan Metzmacher metze at samba.org
Thu Apr 6 12:59:04 UTC 2017


Hi Amit,

> Can you assist me in this:
> 
> I am trying to change password by setting "Change password on next login in AD". 
> Winbind version:	samba-winbind-4.2.10-7.el7_2.x86_64
> 
> *Failing Scenario*
> +----------------------------+                      +--------------------+
> | ABC1/test-user-abc         |  +---------------->  |XYZ1                |
> | Users' AD forest           |                      |Resources AD forest |
> | (Single domain)            |  <----------------+  |(Single domain)     |
> |                            |                      |                    |
> +----------------------------+       2-Way          +-------+------------+
>                                      Trust                  ^
>                                                             | AD-Join(winbind)
>                                                             |
>                                                        +----+------+
>                                                        |RHEL       |
>                                                        |Machine    |
>                                                        |Winbind    |
>                                                        +-----------+
> 
> *Issue is*: From the RHEL client, when I try to change the password of a user present in ABC1/test-user-abc, it fails.
> 
> *Success*: From RHEL I can change the password of a user present in XYZ1.
> 
> *Query*:
> Is it a bug in samba-winbind, or some configs I may be missing?

Maybe it's related to https://bugzilla.samba.org/show_bug.cgi?id=11830
and https://bugzilla.samba.org/show_bug.cgi?id=12605,
which got fixed recently; the fixes are in 4.4.11 and 4.5.6.
The next 4.6 bugfix release (most likely 4.6.3) will also get the fixes.

It would be good if you could try to reproduce this with a more recent
version, which includes the fixes.

In the long run we should change winbindd to open a short-term
connection with the user's credentials in order to change the password,
as using the machine account may not work reliably to connect to a DC of
the user's domain.

metze
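A triage script for the situation described in this thread, as an added example that is not part of the original mail or of Samba itself: it compares the installed Samba version against the releases metze names above (4.4.11, 4.5.6, and the expected 4.6.3) so you know whether you are still on an affected build before debugging the trust, and, when `wbinfo` is present, exercises the pieces a cross-forest password change depends on (the trust list and reachability of a DC in the users' forest). The rpm name and the domain name come from Amit's mail; the assumption that every series after 4.6 carries the fix is the example's, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): version gate for Samba bugs 11830/12605
# plus live winbind trust checks. POSIX sh, no bashisms.

# vercmp A B: prints -1, 0 or 1 as the dotted numeric version A is <, = or > B.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"      # leading component of each side
        [ -n "$ai" ] || ai=0              # missing components compare as 0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac   # drop the component
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# samba_version_from_rpm NAME: extracts "4.2.10" from an rpm name such as the
# one in the report, samba-winbind-4.2.10-7.el7_2.x86_64.
samba_version_from_rpm() {
    printf '%s\n' "$1" | sed -n 's/^samba-winbind-\([0-9][0-9.]*\)-.*$/\1/p'
}

# has_fix VERSION: returns 0 if VERSION includes the fixes named in the reply,
# 1 if it predates them.
has_fix() {
    v="$1"
    major="${v%%.*}"; rest="${v#*.}"; minor="${rest%%.*}"
    case "$major.$minor" in
        4.4) fixed=4.4.11 ;;
        4.5) fixed=4.5.6 ;;
        4.6) fixed=4.6.3 ;;   # "most likely 4.6.3" per the reply
        *)
            # Series before 4.4 (e.g. the reporter's 4.2.10) never got the fix.
            # Assumption of this example: any series after 4.6 shipped with it.
            [ "$(vercmp "$major.$minor" 4.4)" -lt 0 ] && return 1
            return 0 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -ge 0 ]
}

# trust_checks DOMAIN: exercise what a cross-forest password change relies on.
# Needs a running winbindd; skipped when wbinfo is not installed.
trust_checks() {
    dom="$1"
    if ! command -v wbinfo >/dev/null 2>&1; then
        printf '%s\n' "wbinfo not found; skipping live trust checks"
        return 0
    fi
    printf '%s\n' "== domains winbindd knows through the trust =="
    wbinfo --trusted-domains
    printf '%s\n' "== can winbindd reach a DC of $dom (the users' forest)? =="
    wbinfo --ping-dc --domain="$dom"
    printf '%s\n' "== online status per domain =="
    wbinfo --online-status
}

# Report on the locally installed version, if smbd is present.
installed="$(smbd --version 2>/dev/null | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p')"
if [ -n "$installed" ]; then
    if has_fix "$installed"; then
        printf '%s\n' "samba $installed: includes the fixes for bugs 11830/12605"
    else
        printf '%s\n' "samba $installed: predates the fixes for bugs 11830/12605; upgrade before debugging the trust further"
    fi
fi

# Live checks run only when the users' domain is given, e.g. ./trust-check.sh ABC1
if [ -n "${1:-}" ]; then
    trust_checks "$1"
fi
```

Run it on the winbind-joined RHEL machine with the users' forest as the argument (`ABC1` in the report); a version that fails the gate explains the failure on its own, while on a fixed version a failing `--ping-dc` against the users' domain points at the machine-account path to the remote DC that the reply describes.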
