[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work

Karel Lang AFD lang at afd.cz
Mon Sep 24 14:55:56 UTC 2018

Hello Andreas,

thank You for looking at it and asking :-)

To answer your specific question:

 > You create a new user and then run samba-tool with
 > --must-change-at-next-login on that user? Please be as precise as 

Answer is NO. I create user with the "--must-change-at-next-login" in 
'one go'. So i DO NOT create user as a step one and then modify him in 
step two.

Example of the user creation where i specify "--must-change-at-next-login":

samba-tool user create long --nis-domain=aufeerdesign 
--login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 
--uid-number=8888 --must-change-at-next-login

The whole process of replication of problem:
- install Fedora 28
- install Samba:
yum install samba samba-dc samba-krb5-printing samba-pidl samba-test 
samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob 
oddjob-mkhomedir adcli

- DNS setting, IP address setting, turn off firewalld, turn off 
NetworkManager, tunr off SELinux

- provision of SAmba:
samba-tool domain provision --use-rfc2307 --interactive

- start samba and add group and user:
systemctl start samba.service

samba-tool group add --nis-domain=aufeerdesign --gid-number 1903 it

samba-tool user create long --nis-domain=aufeerdesign 
--login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 
--uid-number=8888 --must-change-at-next-login

I see in logs:

[2018/09/12 16:30:26.284142,  1] 
   /usr/sbin/krb5kdc: sam_account_ok: Account for user 
'long at AUFEERDESIGN' password must change!.

Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 
-135 3}) UNKNOWN_REASON: long at AUFEERDESIGN for 
kadmin/changepw at AUFEERDESIGN, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19

*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/17/2018 07:57 AM, Andreas Schneider via samba wrote:
> On Wednesday, 12 September 2018 18:13:16 CEST Andrew Bartlett wrote:
>> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>>> Hello,
>>> if anybody would kindly have anything to advice, please, please - do
>>> :-)
>>> SETUP:
>>> Fedora 28 + Samba 4.8.5 AD  (testing environment consisting of 1
>>> Samba
>>> server and 1 joined windows machine and 1 account) :-)
>>> the "--must-change-at-next-login" is the problematic part
>>> after creating user, with this attribute the user is authenticated
>>> OK
>>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>>> repeatedly says: password is EXPIRED
> Can you please describe the exact steps how this can be reproduced?

> Thanks!

More information about the samba mailing list