[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work

Karel Lang AFD lang at afd.cz
Wed Sep 12 17:18:14 UTC 2018


Hello Andrew,

thanks for the kind information :-)

Yes, the bug seems to be it, or at least something very similar.
I tried to 'play' with domain password policies - expiration dates and
such, and I think:

1. the behaviour of an expired password, where the user cannot change it -
is it the expected behaviour on a Windows domain? Please correct me if I am
wrong.
2. I observed that "--must-change-at-next-login" sets somewhere the
same attribute (expired password), just like when the password really
expired - this is (I think) not expected? There should be a different bit
set for this parameter? Because if it is expired == not possible to
change it, right?
But I'm no dev, so .. my 2c :-)

Anyway, I'll try to rebuild it with the H. Kerberos as you suggested and
see.


-- 
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/12/2018 06:13 PM, Andrew Bartlett via samba wrote:
> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>> Hello,
>> if anybody would kindly have anything to advise, please, please - do
>> :-)
>>
>>
>> SETUP:
>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1 Samba
>> server and 1 joined Windows machine and 1 account) :-)
>>
>> PROBLEM:
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating a user with this attribute, the user is authenticated OK
>> during the FIRST logon BUT!! when challenged to CHANGE the password (as
>> expected) he/she cannot change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>>
> 
> This looks like:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=13517
> 
> To confirm that, can you rebuild the RPMs to use the internal Heimdal
> and see if it still reproduces?
> 
> I've CC'ed Andreas who leads the effort to have Samba use the MIT KDC
> in case he has any more input.
> 
> Thanks,
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> 
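The distinction Karel raises in point 2 (a forced change at next logon versus a password that has aged out), as an added example that is not part of this thread and not Samba's code: it classifies an account using the standard AD attribute semantics (pwdLastSet as a FILETIME where 0 means "change at next logon", maxPwdAge as a negative 100 ns interval with the minimum 64-bit value meaning "never", userAccountControl bit 0x10000 for DONT_EXPIRE_PASSWORD); the sample values in demo() are constructed.

```python
"""Classify a Samba/AD account's password state from its LDAP attributes.

Added example for this thread, not Samba code.  pwdLastSet is a FILETIME
(100 ns ticks since 1601-01-01 UTC) and 0 means "change at next logon";
maxPwdAge is a negative interval in the same units; demo() uses
constructed values.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl flag
MAX_PWD_AGE_NEVER = -(1 << 63)        # maxPwdAge value meaning "never"
TICKS_PER_DAY = 864_000_000_000       # 100 ns ticks in one day


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def password_state(pwd_last_set: int, max_pwd_age: int,
                   user_account_control: int, now: datetime) -> str:
    """Return 'must_change', 'never_expires', 'expired' or 'ok'.

    pwdLastSet == 0 is an administrative "change at next logon" (the change
    must be allowed); 'expired' depends only on the password's age.
    """
    if pwd_last_set == 0:
        return "must_change"
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return "never_expires"
    if max_pwd_age >= 0 or max_pwd_age == MAX_PWD_AGE_NEVER:
        return "never_expires"
    age_ticks = datetime_to_filetime(now) - pwd_last_set
    return "expired" if age_ticks > -max_pwd_age else "ok"


def demo() -> dict:
    """Constructed sample: 42-day maxPwdAge, evaluated on 2018-09-12."""
    now = datetime(2018, 9, 12, 17, 18, tzinfo=timezone.utc)
    max_age = -42 * TICKS_PER_DAY
    fresh = datetime_to_filetime(now - timedelta(days=10))
    stale = datetime_to_filetime(now - timedelta(days=60))
    normal = 0x200                    # NORMAL_ACCOUNT
    return {
        "forced": password_state(0, max_age, normal, now),
        "ok": password_state(fresh, max_age, normal, now),
        "expired": password_state(stale, max_age, normal, now),
        "exempt": password_state(stale, max_age, normal | DONT_EXPIRE_PASSWORD, now),
    }
```

A KDC or password-change path that maps the "forced" state onto the "expired" state is exactly the behaviour the thread describes: the user is told the password is expired and is never allowed to set a new one.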
