[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
Rowland penny
rpenny at samba.org
Fri Jan 15 10:28:14 UTC 2016
On 15/01/16 05:21, Mark Foley wrote:
> You answer piles of questions on this list, so you may not remember,
> but you helped me set this whole domain-member/single logon thing up last
> October. The only thing you had me change with the as-installed PAM
> configuration was to add to /etc/pam.d/common-account:
>
>   session required pam_mkhomedir.so skel=/etc/skel/ umask=0002
>
> I also found I needed to change a line in /etc/pam.d/common-password to:
>
>   password [success=3 default=ignore] pam_krb5.so minimum_uid=10000
>
> (instead of minimum_uid=1000) in order to have my non-domain local users
> be able to change their passwords using passwd. If there is a PAM file I
> can post to verify its correctness, I'd be happy to do that.
You are right, I don't remember :-)
Also, good catch with the pam_krb5 line change; this is something I
wasn't aware of. It has other repercussions: if you want to create a
local user and don't specify a uid, it will get a uid in the '10000'
range, which is not a good idea.
>> OK, I use Mate on debian wheezy and after a bit of testing, I have found
>> that you can change a user's AD password with the gdm3 login manager.
> I will investigate gdm3 and post back results. I am using Cinnamon on
> Ubuntu 15.10, but I suppose it should work.
It works on Debian wheezy with Mate, I have these pam packages installed:
libpam-winbind libpam-krb5 libnss-winbind
With these, I have 'passwd' changing AD passwords (I wrote a YAD script
for this) and using gdm3, when a user tries to login with an expired
password, they are asked to change it.
I have also set the minimum password age to '0'.
Rowland
>
> Thanks for your response!
>
> --Mark
>
> -----Original Message-----
>> To: samba at lists.samba.org
>> From: Rowland penny <rpenny at samba.org>
>> Date: Thu, 14 Jan 2016 12:16:22 +0000
>> Subject: Re: [Samba] Samba AD/DC, Single-Sign-On,
>>
>> On 14/01/16 09:36, Rowland penny wrote:
>>> On 14/01/16 05:54, Mark Foley wrote:
>>>> Hmmm, this message is a week old and nothing?
>>>>
>>>> I know many of you have domain member hosts in your domain and surely
>>>> are logging in as domain
>>>> users authenticating with the Samba4 AD/DC, right?
>>>>
>>>> How do you change your password without having the domain
>>>> Administrator do it for you?
>>>>
>>>> --Mark
>>>>
>>>> -----Original Message-----
>>>> From: Mark Foley <mfoley at ohprs.org>
>>>> Date: Fri, 08 Jan 2016 12:10:16 -0500
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Samba AD/DC, Single-Sign-On,
>>>> domain users cannot change password
>>>>
>>>> I have successfully joined my Linux/Ubuntu workstation to the Samba
>>>> AD/DC domain thanks to help from Rowland Penny.
>>>>
>>>> Now I face an interesting problem ... Domain users cannot change
>>>> their password.
>>>>
>>>> Domain users can successfully login to the Linux workstation using
>>>> their domain credentials,
>>>> but when the user tries to change the password using "Passwords and
>>>> Keys" from the desktop
>>>> utility, it does nothing.
>>>>
>>>> Trying to change the password from a terminal session using `passwd`
>>>> gives the prompt: "Current
>>>> Kerberos password:" but entering the current domain password is not
>>>> accepted and the prompt repeats.
>>>>
>>>> If the Domain Administrator set the user's account to "User must
>>>> change password at next
>>>> login", or if the domain policy expires passwords after so-many days,
>>>> the user cannot log into
>>>> the Linux workstations -- the display manager login dialog spins for
>>>> several minutes, then
>>>> shows, "Invalid password, please try again."
>>>>
>>>> This is serious. How does a domain user change his own password?
>>>>
>>>> HELP!
>>>>
>>>> --Mark
>>>>
>>> Using 'passwd' does work, but pam has to be setup correctly and you
>>> cannot change the password on the first day unless you change the
>>> minimum password age to '0'
>>>
>>> Changing the password at login has nothing to do with Samba (provided
>>> you can change it from the CLI, see above), it is down to your login
>>> manager.
>>>
>>> Rowland
>>>
>>>
>> OK, I use Mate on debian wheezy and after a bit of testing, I have found
>> that you can change a user's AD password with the gdm3 login manager.
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
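Added here as an example, not code from the thread or from the Samba project: a small sh check for the pam_krb5 minimum_uid point discussed above. It lists every local /etc/passwd account whose uid is at or above minimum_uid, since those are the accounts `passwd` hands to pam_krb5 (hence the "Current Kerberos password:" prompt for local users with minimum_uid=1000). It assumes the common-password layout pam-auth-update writes on Debian/Ubuntu with libpam-krb5 and libpam-winbind installed; all file contents are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): check whether pam_krb5's minimum_uid in
# common-password leaves any local /etc/passwd account at or above it. Such an
# account is handed to pam_krb5 by `passwd`, which is why local users saw the
# "Current Kerberos password:" prompt with minimum_uid=1000. File contents below
# are constructed samples, not copied from any real host.
set -eu

# Print the minimum_uid argument from the pam_krb5 password line (empty if none).
pam_krb5_min_uid() {
    sed -n 's/^password[[:space:]].*pam_krb5\.so.*minimum_uid=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print local accounts (uid >= minimum_uid, excluding nobody/65534) that passwd
# would route to pam_krb5 instead of pam_unix. $1 = common-password, $2 = passwd file.
misrouted_local_users() {
    min=$(pam_krb5_min_uid "$1")
    [ -n "$min" ] || return 0
    awk -F: -v min="$min" '$3 >= min && $3 < 65534 { print $1 }' "$2"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stack in the shape pam-auth-update writes with libpam-krb5 and
# libpam-winbind installed; success=3 jumps past unix, winbind and deny to permit.
cat > "$WORK/common-password" <<'EOF'
password  [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
password  [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password  [success=1 default=ignore]  pam_winbind.so use_authtok try_first_pass
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF

# Constructed local accounts; domain users come from winbind and are not here.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mark:x:1000:1000:Mark:/home/mark:/bin/bash
backup-op:x:1001:1001:Backup operator:/home/backup-op:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# The change from the thread: raise minimum_uid so local accounts stay below it.
sed 's/minimum_uid=1000$/minimum_uid=10000/' "$WORK/common-password" > "$WORK/common-password.fixed"

echo "minimum_uid=1000 misroutes:  $(misrouted_local_users "$WORK/common-password" "$WORK/passwd" | tr '\n' ' ')"
echo "minimum_uid=10000 misroutes: $(misrouted_local_users "$WORK/common-password.fixed" "$WORK/passwd" | tr '\n' ' ')"
```

Run it against the real /etc/pam.d/common-password and /etc/passwd to confirm no local account sits above the threshold; any name printed is a user whose `passwd` will ask for a Kerberos password.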