[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work

Rowland Penny rpenny at samba.org
Wed Sep 12 15:57:01 UTC 2018


On Wed, 12 Sep 2018 17:16:39 +0200
Karel Lang AFD via samba <samba at lists.samba.org> wrote:

> Hello,
> if anybody would kindly have anything to advise, please, please -
> do :-)
> 
> 
> SETUP:
> Fedora 28 + Samba 4.8.5 AD  (testing environment consisting of 1
> Samba server and 1 joined windows machine and 1 account) :-)
> 
> PROBLEM:
> the "--must-change-at-next-login" is the problematic part
> 
> after creating user, with this attribute the user is authenticated OK 
> during FIRST Logon BUT!! when challenged to CHANGE password (as 
> expected) he/she can not change the pw as the DOMAIN stubbornly, 
> repeatedly says: password is EXPIRED
> 
> 
> Replication of problem:
> - install Fedora 28
> - install Samba:
> yum install samba samba-dc samba-krb5-printing samba-pidl samba-test 
> samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob 
> oddjob-mkhomedir adcli
> 
> - DNS setting, IP address setting, turn off firewalld, turn off 
> NetworkManager, turn off SELinux
> 
> - provision of Samba:
> samba-tool domain provision --use-rfc2307 --interactive
> 
> - start samba and add group and user:
> systemctl start samba.service
> 

This would be using MIT for the KDC, is this correct?
If it is, then running a DC on Red Hat using the OS packages (i.e. with
MIT) is still considered experimental, there are still bits that do
not work, as you seem to have found out.

By all means use Red Hat Samba packages for Unix domain members, or for
testing a DC, just don't use them for a DC in production.

Sorry ;-)

Rowland


