[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Karel Lang AFD
lang at afd.cz
Wed Sep 12 17:18:14 UTC 2018
Hello Andrew,
thanks for the kind information :-)
Yes, the bug seems to be it, or at least something very similar.
I tried to 'play' with domain password policies - expiration dates and
such and I think:
1. the behaviour of expired password, where user can not change it - it
is the expected behaviour on Windows domain - please correct me if I am
wrong?
2. I observed that the "--must-change-at-next-login" sets somewhere the
same attribute (expired password), just like when the password really
expired - this is (I think not expected?) there should be different bit
set for this parameter? Because if it is expired == not possible to
change it, right?
But I'm no dev, so .. my 2c :-)
Anyway, I'll try to rebuild it with the H. kerberos as you suggested and
see.
--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
On 09/12/2018 06:13 PM, Andrew Bartlett via samba wrote:
> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>> Hello,
>> if anybody would kindly have anything to advise, please, please - do
>> :-)
>>
>>
>> SETUP:
>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
>> Samba
>> server and 1 joined windows machine and 1 account) :-)
>>
>> PROBLEM:
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating user, with this attribute the user is authenticated
>> OK
>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>>
>
> This looks like:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13517
>
> To confirm that, can you rebuild the RPMs to use the internal Heimdal
> and see if it still reproduces?
>
> I've CC'ed Andreas who leads the effort to have Samba use the MIT KDC
> in case he has any more input.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>
>
>
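An added example, not part of the original messages and not Samba's own code: a small audit helper that separates "must change at next login" from "password aged out" using the directory attributes an AD-compatible DC stores. It assumes the standard AD semantics of `pwdLastSet` (0 means a change is forced at next logon) and the `UF_DONT_EXPIRE_PASSWD` bit in `userAccountControl`; the account names, dates and the 42-day policy are constructed sample data, and it does not reproduce the bug referenced above.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (standard AD attribute semantics, not stated in the thread):
#   pwdLastSet: 100 ns ticks since 1601-01-01 UTC; 0 = must change at next logon
#   userAccountControl bit 0x10000 = UF_DONT_EXPIRE_PASSWD
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000

def ticks(delta):
    return delta // timedelta(microseconds=1) * 10  # timedelta -> 100 ns ticks

def to_filetime(dt):
    return ticks(dt - EPOCH_1601)

def parse_records(text):
    """Parse blank-line-separated 'attr: value' records (LDIF-like)."""
    blocks = text.strip().split("\n\n")
    return [dict(line.split(": ", 1) for line in b.splitlines()) for b in blocks]

def password_state(rec, max_age, now):
    """Classify one account; max_age is the domain policy as a timedelta."""
    if int(rec["userAccountControl"]) & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    last_set = int(rec["pwdLastSet"])
    if last_set == 0:
        return "must-change-at-next-login"
    if last_set + ticks(max_age) <= to_filetime(now):
        return "aged-out"
    return "valid"

# Constructed sample data: four accounts seen on 2018-09-12, 42-day policy.
NOW = datetime(2018, 9, 12, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=42)
SAMPLE = f"""\
sAMAccountName: newuser
userAccountControl: 512
pwdLastSet: 0

sAMAccountName: olduser
userAccountControl: 512
pwdLastSet: {to_filetime(NOW - timedelta(days=100))}

sAMAccountName: freshuser
userAccountControl: 512
pwdLastSet: {to_filetime(NOW - timedelta(days=5))}

sAMAccountName: svc-backup
userAccountControl: 66048
pwdLastSet: {to_filetime(NOW - timedelta(days=400))}
"""
def classify_all(text=SAMPLE, max_age=MAX_AGE, now=NOW):
    return {r["sAMAccountName"]: password_state(r, max_age, now) for r in parse_records(text)}
```

Both `must-change-at-next-login` and `aged-out` are passwords that have to be replaced before normal logon; the stored attributes differ only in whether `pwdLastSet` is 0 or an old timestamp.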