[Samba] Change Password after expired

Charles-Henri Falconnet charles-henri.falconnet at univ-fcomte.fr
Wed May 11 15:42:59 UTC 2016 

Hello,

Yes I can change password at next logon. I check in ADUC and the option 
of the account has been unticked. My users can retrieve a new password 
by themselves.
I'll try password expiry in 2 days.

Charles

Le 11/05/2016 17:10, Carlos A. P. Cunha a écrit :
> Hello!
> You can now change the password for the User when even this expired 
> password or "next logon"?
> PS: With the active account, was already working the password change.
> Hug.
>
>
> Em 11-05-2016 07:17, Charles-Henri Falconnet escreveu:
>> It works now for all my web apps !
>> If you have a AC.pem, juste rename in AC.crt (update-ca-certificates 
>> recognizes only crt files, man update-ca-certificates)
>> Thank you Louis.
>>
>> Le 11/05/2016 10:45, L.P.H. van Belle a écrit :
>>> I dont know LTB or what it exact is, but
>>>
>>> Add in /etc/ldap/ldap.conf
>>> TLS_REQCERT allow
>>>
>>> Setup your own "rootCA" like this.
>>> ( if not done, apt-get install ca-certificates )
>>>
>>> mkdir -p /usr/local/share/ca-certificates/chrono
>>> mv /etc/ssl/ca_chrono-dom.lan.pem 
>>> /usr/local/share/ca-certificates/chrono
>>> update-ca-certificates
>>>
>>> ! MUST BE /usr/local/share/ca-certificates else its not picked up 
>>> with the
>>> update-ca-certificates command.
>>>
>>> you should see:
>>> update-ca-certificates
>>> Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
>>> Running hooks in /etc/ca-certificates/update.d....done.
>>>
>>> And correct this back :
>>> TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
>>>
>>> Now after done above your CA Cert is hashed in /etc/ssl/certs
>>> And its added in /etc/ssl/certs/ca-certificates.crt
>>>
>>> Do this and try again and let us know the result.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Charles-Henri
>>>> Falconnet
>>>> Verzonden: woensdag 11 mei 2016 10:03
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] Change Password after expired
>>>>
>>>> Hi list,
>>>>
>>>> Same wish here!
>>>> I'd like my users to change their password using LTB (great tool) but
>>>> since 4.2.10 (debian jessie) I lost the connection to samba4.
>>>> I tried using TLS and port 636 in LTB's config.inc.php with a 
>>>> dedicated
>>>> user and put the self signed AC from private/tls but it didn't work.
>>>> Before the upgrade, i was on samba 4.1.17 (debian jessie) and simple
>>>> bind on port 389 for LTB and it worked great.
>>>> I read https://www.samba.org/samba/history/samba-4.2.10.html and 
>>>> the apt
>>>> listchanges of Andrew Bartlett
>>>>
>>>> I'm stuck since the upgrade. I tried to change the new parameters to
>>>> downgrade security but it didn't work (and i don't want less 
>>>> security).
>>>> The active directory works, users can authenticate and access a 
>>>> separate
>>>> member files server.
>>>>
>>>> My smb.conf
>>>>
>>>> [global]
>>>>           workgroup = CHRONO-DOM
>>>>           realm = CHRONO-DOM.LAN
>>>>           netbios name = DMZ-PVE-SRV9
>>>>           server role = active directory domain controller
>>>>           dns forwarder = xxx.xxx.xxx.xxx
>>>>           idmap_ldb:use rfc2307 = yes
>>>>           load printers = no
>>>>           printing = bsd
>>>>           printcap name = /dev/null
>>>>           disable spoolss = yes
>>>>           idmap config * : backend = tdb
>>>>           idmap config * : range = 2000-2999
>>>>           idmap config CHRONO-DOM : backend = ad
>>>>           idmap config CHRONO-DOM : range = 10000-29999
>>>>           winbind nss info = rfc2307
>>>>           winbind enum users = yes
>>>>           winbind enum groups = yes
>>>>           acl map full control = yes
>>>>           syslog = 0
>>>>           log level = 7 auth:10 winbind:10
>>>>           tls verify peer = ca_only
>>>>
>>>> [netlogon]
>>>>           path = /var/lib/samba/sysvol/chrono-dom.lan/scripts
>>>>           read only = No
>>>>
>>>> [sysvol]
>>>>           path = /var/lib/samba/sysvol
>>>>           read only = No
>>>>
>>>> On the LAMP server with LTB Self Service Password and other web apps i
>>>> configure the ldap.conf with
>>>> TLS_CACERT     /etc/ssl/ca_chrono-dom.lan.pem
>>>> TLS_REQCERT    never
>>>> and the read mode bit for other
>>>>
>>>> With openssl s_client -showcerts -connect 
>>>> dmz-pve-srv9.chrono-dom.lan:636
>>>> or openssl s_client -CAfile <path to the self signed CA> -showcerts
>>>> -connect dmz-pve-srv9.chrono-dom.lan:636
>>>> returns Verify return code: 18 (self signed certificate) but i don't
>>>> think that can be a problem.
>>>>
>>>> I appreciate some help.
>>>>
>>>> Charles
>>>>
>>>>
>>>> Le 10/05/2016 21:41, Rowland penny a écrit :
>>>>> On 10/05/16 20:11, Carlos A. P. Cunha wrote:
>>>>>> In some customer yes, but they are with LTSP (pxe boot) where 
>>>>>> another
>>>>>> use graphical interface, but would rather have a web interface to
>>>>>> change the password.
>>>>>> This tambpem would be used for windows stations off the field.
>>>>>>
>>>>>>
>>>>>>
>>>>> What is wrong with the 'LTB Self Service Password' program ??
>>>>>
>>>>> Did you configure 'config.inc.php' correctly ?
>>>>>
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>>
>

More information about the samba mailing list