[Samba] Changing expired Samba AD password during Windows login
Ken McDonald
ken at generation.tech
Wed Jan 31 17:23:56 UTC 2018
I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and
built Samba 4.7.4 with default configuration and it works just fine to
change expired passwords at login. I should have tested this default
configuration a while back.
I was trying to use MIT Kerberos instead of Heimdal and had followed all
the directions on this link:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
In order to make all the builds work for MIT Kerberos and Samba 4.7.4 on
Ubuntu Server 16.04.3, I had to install a lot of other related
dependencies and customize install paths, etc. There must be something
incorrect with my config that is causing the expired password problem.
As I understand it, using MIT Kerberos instead of Heimdal is the
preferred way of implementing a Samba AD to ensure the widest level of
compatibility with the overall Windows Server ecosphere? Yes?
On 01/29/2018 01:52 PM, Kacper Wirski via samba wrote:
> I can only share my experience:
>
> domain with only samba DC's (started from samba 4.4 updated to 4.7 in
> the meantime), windows clients (vista, 7, 8.1 and 10) no problem
> whatsoever, passwords are changed every X days, and users have no
> problem with the procedure (prompt "your password has expired" -> user
> enters new password -> "your password was changed" -> OK) and that's it.
>
> Only samba-tool was used to enforce password policy, I didn't need to
> set anything in GPO in order to make it work.
>
> Only thing that is coming to my mind is maybe an issue with kerberos?
> I know for a fact, that windows since august 2016 requires kerberos to
> change expired password. Other than this I'm sorry.
>
>
> On 29.01.2018 at 13:49, Ken McDonald via samba wrote:
>> Ok, so I tried all the suggestions without success.
>>
>> Unless I hear back from someone saying it is NOT possible for a user
>> to change an expired password during login from a Domain account on a
>> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev
>> release), then I will proceed with more in-depth troubleshooting, log
>> file debugging, and mock-up VM's in order to determine what is
>> happening.
>>
>> Effectively for me, Samba AD is unusable unless users can change an
>> expired password during login like they can when running on a pure
>> Windows Server AD domain.
>>
>> Thanks for everyone (anyone?) and their assistance!
>>
>
>