[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
rpenny at samba.org
Thu Jan 14 12:16:22 UTC 2016
On 14/01/16 09:36, Rowland Penny wrote:
> On 14/01/16 05:54, Mark Foley wrote:
>> Hmmm, this message is a week old and nothing?
>> I know many of you have domain member hosts in your domain and surely
>> are logging in as domain
>> users authenticating with the Samba4 AD/DC, right?
>> How do you change your password without having the domain
>> Administrator do it for you?
>> -----Original Message-----
>> From: Mark Foley <mfoley at ohprs.org>
>> Date: Fri, 08 Jan 2016 12:10:16 -0500
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba AD/DC, Single-Sign-On,
>> domain users cannot change password
>> I have successfully joined my Linux/Ubuntu workstation to the Samba
>> AD/DC domain thanks to
>> help from Rowland Penny.
>> Now I face an interesting problem ... Domain users cannot change
>> their password.
>> Domain users can successfully login to the Linux workstation using
>> their domain credentials,
>> but when the user tries to change the password using "Passwords and
>> Keys" from the desktop
>> utility, it does nothing.
>> Trying to change the password from a terminal session using `passwd`
>> gives the prompt: "Current
>> Kerberos password:" but entering the current domain password is not
>> accepted and the prompt repeats.
>> If the Domain Administrator set the user's account to "User must
>> change password at next
>> login", or if the domain policy expires passwords after so-many days,
>> the user cannot log into
>> the Linux workstations -- the display manager login dialog spins for
>> several minutes, then
>> shows, "Invalid password, please try again."
>> This is serious. How does a domain user change his own password?
> Using 'passwd' does work, but pam has to be set up correctly and you
> cannot change the password on the first day unless you change the
> minimum password age to '0'
> Changing the password at login has nothing to do with Samba (provided
> you can change it from the CLI, see above), it is down to your login
OK, I use Mate on debian wheezy and after a bit of testing, I have found
that you can change a user's AD password with the gdm3 login manager.