[Samba] Changing expired Samba AD password during Windows login

Thu Feb 1 12:28:50 UTC 2018

Ah, I see now. I went back and re-read the Samba wiki on MIT Kerberos 
with your comments in mind

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

"For this reason, vendors of operating systems that only support MIT 
Kerberos could not provide packages with AD DC-capabilities"

So I now understand this does not mean other Windows Server OS's or 
Windows OS AD-specific server applications or 3rd-party Windows 
software. It means Linux OS's running Samba itself and their ability to 
provide Samba-compatible Kerberos support.

Great! Thanks for clarifying it. I will just proceed with my plans based 
on Heimdal only. I will be moving several of my customer's MS Server 
2008 AD DC's domains/PCs/users to Linux based Samba DC's instead of 
paying license fees to upgrade their MS Windows OS's.

Much appreciate everyone's help along the way with answers towards my 
solution.

On 02/01/2018 03:55 AM, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2018 19:01:42 -0500
> Ken McDonald via samba <samba at lists.samba.org> wrote:
>
>> On another clean install (with all updates) of Ubuntu Server 16.04.3,
>> trying your line of dependencies fails:
>>
>> Package libgpgme-dev is not available, but is referred to by another
>> package.
>> This may mean that the package is missing, has been obsoleted, or
>> is only available from another source
>>
>> E: Package 'libgpgme-dev' has no installation candidate
>> E: Unable to locate package perl-modules-5.26
>> E: Couldn't find any package by glob 'perl-modules-5.26'
>> E: Couldn't find any package by regex 'perl-modules-5.26'
>> E: Unable to locate package python-gpg
>> E: Unable to locate package python3-gpg
>>
>> Regardless, using plain apt-get on that version of Ubuntu results in
>>
>> krb5-kdc (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])
>>
>> libkrb5-dev (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])
>>
>> When the Samba install/build docs state that version "MIT Kerberos
>> 1.15.1 or later" is required. I couldn't figure out how to install
>> that version on Ubuntu 16.04.3 without just downloading the krb5
>> sources and compiling myself. Doing that required a lot of other
>> tweaking to get all the krb5 dependencies and install directories
>> "correct" to complete the build and have a subsequent Samba 4.7.4
>> build actually find a functioning krb5
>>
>>
> Samba by default uses Heimdal, you do not need to use MIT.
> The ability to use MIT was added to allow red-hat distros to finally
> have AD DC packages and is still being worked on.
> On distros other than red-hat ones, you should continue to use the
> Samba supplied Heimdal kdc.
>
> Rowland
>
>