[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work

Karel Lang AFD lang at afd.cz
Wed Sep 12 17:06:44 UTC 2018


Hi Rowland,
Thanks for the information.
Yes, the Fedora Samba 4 package is built with MIT kerberos.
I know it is still 'fresh', so that is what I do - run tests :-).
Actually, this thing with password expiration is the only thing I found so 
far; otherwise, it 'behaved' surprisingly well.

Thanks again!
Karel


-- 
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/12/2018 05:57 PM, Rowland Penny via samba wrote:
> On Wed, 12 Sep 2018 17:16:39 +0200
> Karel Lang AFD via samba <samba at lists.samba.org> wrote:
> 
>> Hello,
>> if anybody would kindly have anything to advise, please, please -
>> do :-)
>>
>>
>> SETUP:
>> Fedora 28 + Samba 4.8.5 AD  (testing environment consisting of 1
>> Samba server and 1 joined windows machine and 1 account) :-)
>>
>> PROBLEM:
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating user, with this attribute the user is authenticated OK
>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>>
>>
>> Replication of problem:
>> - install Fedora 28
>> - install Samba:
>> yum install samba samba-dc samba-krb5-printing samba-pidl samba-test
>> samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob
>> oddjob-mkhomedir adcli
>>
>> - DNS setting, IP address setting, turn off firewalld, turn off
>> NetworkManager, turn off SELinux
>>
>> - provision of Samba:
>> samba-tool domain provision --use-rfc2307 --interactive
>>
>> - start samba and add group and user:
>> systemctl start samba.service
>>
> 
> This would be using MIT for the KDC, is this correct ?
> If it is, then running a DC on Red Hat using the OS packages (i.e. with
> MIT) is still considered experimental, there are still bits that do
> not work, as you seem to have found out.
> 
> By all means use Red Hat Samba packages for Unix domain members, or for
> testing a DC, just don't use them for a DC in production.
> 
> Sorry ;-)
> 
> Rowland
> 


