[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work

Karel Lang AFD lang at afd.cz
Wed Sep 12 15:16:39 UTC 2018

if anybody would kindly have anything to advice, please, please - do :-)

Fedora 28 + Samba 4.8.5 AD  (testing environment consisting of 1 Samba 
server and 1 joined windows machine and 1 account) :-)

the "--must-change-at-next-login" is the problematic part

after creating user, with this attribute the user is authenticated OK 
during FIRST Logon BUT!! when challenged to CHANGE password (as 
expected) he/she can not change the pw as the DOMAIN stubbornly, 
repeatedly says: password is EXPIRED

Replication of problem:
- install Fedora 28
- install Samba:
yum install samba samba-dc samba-krb5-printing samba-pidl samba-test 
samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob 
oddjob-mkhomedir adcli

- DNS setting, IP address setting, turn off firewalld, turn off 
NetworkManager, tunr off SELinux

- provision of SAmba:
samba-tool domain provision --use-rfc2307 --interactive

- start samba and add group and user:
systemctl start samba.service

samba-tool group add --nis-domain=aufeerdesign --gid-number 1903 it

samba-tool user create long --nis-domain=aufeerdesign 
--login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 
--uid-number=8888 --must-change-at-next-login

I see in logs:

[2018/09/12 16:30:26.284142,  1] 
   /usr/sbin/krb5kdc: sam_account_ok: Account for user 
'long at AUFEERDESIGN' password must change!.

Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 
-135 3}) UNKNOWN_REASON: long at AUFEERDESIGN for 
kadmin/changepw at AUFEERDESIGN, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19

Thank You

*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

More information about the samba mailing list