[Samba] Changing expired Samba AD password during Windows login

Micha Ballmann ballmann at uni-landau.de
Wed Jan 31 19:24:38 UTC 2018


Waiting for Ubuntu 18.04. No extra compiling for MIT Kerberos needed.

Here are all the dependencies you need:

# apt-get install acl attr autoconf bind9utils bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl perl-modules-5.26 pkg-config python-all-dev python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpg python3-gpg python-markdown python3-markdown python3-dev xsltproc zlib1g-dev libkrb5-dev krb5-kdc



On 31 January 2018 18:23:56 CET, Ken McDonald via samba <samba at lists.samba.org> wrote:
>I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and
>built Samba 4.7.4 with default configuration and it works just fine to
>change expired passwords at login. I should have tested this default
>configuration a while back.
>
>I was trying to use MIT Kerberos instead of Heimdal and had followed all
>the directions on this link:
>
>https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
>In order to make all the builds work for MIT Kerberos and Samba 4.7.4 on
>Ubuntu Server 16.04.3, I had to install a lot of other related
>dependencies and customize install paths, etc. There must be something
>incorrect with my config that is causing the expired password problem.
>
>As I understand it, using MIT Kerberos instead of Heimdal is the 
>preferred way of implementing a Samba AD to ensure the widest level of 
>compatibility with the overall Windows Server ecosphere? Yes?
>
>
>
>On 01/29/2018 01:52 PM, Kacper Wirski via samba wrote:
>> I can only share my experience:
>>
>> domain with only samba DC's (started from samba 4.4 updated to 4.7 in
>> the meantime), windows clients (vista, 7, 8.1 and 10) no problem
>> whatsoever, passwords are changed every X days, and users have no
>> problem with the procedure (prompt "your password has expired" -> user
>> enters new password -> "your password was changed" -> OK) and that's it.
>>
>> Only samba-tool was used to enforce password policy, I didn't need to
>> set anything in GPO in order to make it work.
>>
>> Only thing that is coming to my mind is maybe an issue with kerberos?
>> I know for a fact, that windows since August 2016 requires kerberos to
>> change expired password. Other than this I'm sorry.
>>
>>
>> On 29.01.2018 at 13:49, Ken McDonald via samba wrote:
>>> Ok, so I tried all the suggestions without success.
>>>
>>> Unless I hear back from someone saying it is NOT possible for a user
>>> to change an expired password during login from a Domain account on a
>>> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev
>>> release), then I will proceed with more in-depth troubleshooting, log
>>> file debugging, and mock-up VM's in order to determine what is
>>> happening.
>>>
>>> Effectively for me, Samba AD is unusable unless users can change an 
>>> expired password during login like they can when running on a pure 
>>> Windows Server AD domain.
>>>
>>> Thanks for everyone (anyone?) and their assistance!
>>>
>>
>>
>
>