[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Karel Lang AFD
lang at afd.cz
Mon Sep 24 14:55:56 UTC 2018
Hello Andreas,
thank You for looking at it and asking :-)
To answer your specific question:
> You create a new user and then run samba-tool with
> --must-change-at-next-login on that user? Please be as precise as
possible.
Answer is NO. I create user with the "--must-change-at-next-login" in
'one go'. So i DO NOT create user as a step one and then modify him in
step two.
Example of the user creation where i specify "--must-change-at-next-login":
samba-tool user create long --nis-domain=aufeerdesign
--login-shell=/bin/bash --unix-home=/home/long --gid-number=1903
--uid-number=8888 --must-change-at-next-login
The whole process of replication of problem:
- install Fedora 28
- install Samba:
yum install samba samba-dc samba-krb5-printing samba-pidl samba-test
samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob
oddjob-mkhomedir adcli
- DNS setting, IP address setting, turn off firewalld, turn off
NetworkManager, tunr off SELinux
- provision of SAmba:
samba-tool domain provision --use-rfc2307 --interactive
- start samba and add group and user:
systemctl start samba.service
samba-tool group add --nis-domain=aufeerdesign --gid-number 1903 it
samba-tool user create long --nis-domain=aufeerdesign
--login-shell=/bin/bash --unix-home=/home/long --gid-number=1903
--uid-number=8888 --must-change-at-next-login
I see in logs:
%m.log
[2018/09/12 16:30:26.284142, 1]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/krb5kdc: sam_account_ok: Account for user
'long at AUFEERDESIGN' password must change!.
mit_kdc.log
Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24
-135 3}) 192.168.181.181: UNKNOWN_REASON: long at AUFEERDESIGN for
kadmin/changepw at AUFEERDESIGN, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19
--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
On 09/17/2018 07:57 AM, Andreas Schneider via samba wrote:
> On Wednesday, 12 September 2018 18:13:16 CEST Andrew Bartlett wrote:
>> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>>> Hello,
>>> if anybody would kindly have anything to advice, please, please - do
>>>
>>> :-)
>>>
>>> SETUP:
>>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
>>> Samba
>>> server and 1 joined windows machine and 1 account) :-)
>>>
>>> PROBLEM:
>>> the "--must-change-at-next-login" is the problematic part
>>>
>>> after creating user, with this attribute the user is authenticated
>>> OK
>>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>>> repeatedly says: password is EXPIRED
>
> Can you please describe the exact steps how this can be reproduced?
>
>
>
> Thanks!
>
>
More information about the samba
mailing list