[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Karel Lang AFD
lang at afd.cz
Wed Sep 12 15:16:39 UTC 2018
Hello,
if anybody would kindly have any advice, please, please - do :-)
SETUP:
Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1 Samba
server and 1 joined windows machine and 1 account) :-)
PROBLEM:
The "--must-change-at-next-login" option is the problematic part.
After creating a user with this attribute, the user is authenticated OK
during the FIRST logon, BUT!! when challenged to CHANGE the password (as
expected) he/she cannot change the pw, as the DOMAIN stubbornly,
repeatedly says: password is EXPIRED
Replication of problem:
- install Fedora 28
- install Samba:
    yum install samba samba-dc samba-krb5-printing samba-pidl samba-test \
        samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob \
        oddjob-mkhomedir adcli
- DNS setting, IP address setting, turn off firewalld, turn off
  NetworkManager, turn off SELinux
- provision of Samba:
    samba-tool domain provision --use-rfc2307 --interactive
- start samba and add group and user:
    systemctl start samba.service
    samba-tool group add --nis-domain=aufeerdesign --gid-number 1903 it
    samba-tool user create long --nis-domain=aufeerdesign \
        --login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 \
        --uid-number=8888 --must-change-at-next-login
I see in logs:
%m.log
[2018/09/12 16:30:26.284142, 1] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/krb5kdc: sam_account_ok: Account for user 'long@AUFEERDESIGN' password must change!.
mit_kdc.log
Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.181: UNKNOWN_REASON: long@AUFEERDESIGN for kadmin/changepw@AUFEERDESIGN, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19
Thank You
--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
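
Added example (not part of the original post, and not Samba or MIT Kerberos code): a small triage script that scans mit_kdc.log for the symptom reported above, i.e. AS_REQs for kadmin/changepw rejected with "Password has expired", and lists the affected accounts. The function names are hypothetical, the line layout is assumed from the single mit_kdc.log line quoted in the post, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# Layout assumed from the mit_kdc.log line in the post; other KDC builds may
# log differently. Successful "ISSUE" lines have another layout and are skipped.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<reason>.*))?$"
)

def parse_as_req(line):
    """Return the fields of a rejected AS_REQ line, or None if it is not one."""
    m = AS_REQ.search(line.strip())
    return m.groupdict() if m else None

def stuck_password_changes(lines, threshold=2):
    """Map client -> count for accounts whose ticket request for the
    password-change service was refused as expired `threshold`+ times."""
    hits = Counter()
    for line in lines:
        rec = parse_as_req(line)
        if (rec and rec["service"].startswith("kadmin/changepw@")
                and rec["reason"] == "Password has expired"):
            hits[rec["client"]] += 1
    return {c: n for c, n in hits.items() if n >= threshold}

# Sample input: first entry is the line from the post, the rest are constructed.
_FMT = ("Sep 12 {t} ad01 krb5kdc[3180](info): AS_REQ (6 etypes "
        "{{18 17 23 24 -135 3}}) 192.168.181.181: UNKNOWN_REASON: "
        "{c}@AUFEERDESIGN for {s}@AUFEERDESIGN, Password has expired")
SAMPLE = [
    _FMT.format(t="16:31:14", c="long", s="kadmin/changepw"),
    "Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19",
    _FMT.format(t="16:31:40", c="long", s="kadmin/changepw"),        # constructed
    _FMT.format(t="16:32:02", c="alice", s="krbtgt/AUFEERDESIGN"),   # constructed
]

if __name__ == "__main__":
    for client, count in stuck_password_changes(SAMPLE).items():
        print(f"{client}: {count} rejected kadmin/changepw requests")
```

To run it against a live server, pass the lines of mit_kdc.log to stuck_password_changes() instead of SAMPLE.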