[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work

Karel Lang AFD lang at afd.cz
Mon Sep 24 14:55:56 UTC 2018


Hello Andreas,

thank you for looking at it and asking :-)

To answer your specific question:

> You create a new user and then run samba-tool with
> --must-change-at-next-login on that user? Please be as precise as
> possible.

The answer is NO. I create the user with "--must-change-at-next-login" in 
'one go', so I DO NOT create the user as step one and then modify him in 
step two.

Example of the user creation where I specify "--must-change-at-next-login":

samba-tool user create long --nis-domain=aufeerdesign --login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 --uid-number=8888 --must-change-at-next-login


The whole process of replicating the problem:
- install Fedora 28
- install Samba:
yum install samba samba-dc samba-krb5-printing samba-pidl samba-test samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob oddjob-mkhomedir adcli

- DNS setting, IP address setting, turn off firewalld, turn off 
NetworkManager, turn off SELinux

- provisioning of Samba:
samba-tool domain provision --use-rfc2307 --interactive

- start samba and add group and user:
systemctl start samba.service

samba-tool group add --nis-domain=aufeerdesign --gid-number 1903 it

samba-tool user create long --nis-domain=aufeerdesign --login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 --uid-number=8888 --must-change-at-next-login



I see in the logs:

%m.log
[2018/09/12 16:30:26.284142,  1] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
   /usr/sbin/krb5kdc: sam_account_ok: Account for user 'long at AUFEERDESIGN' password must change!.

mit_kdc.log
Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.181: UNKNOWN_REASON: long at AUFEERDESIGN for kadmin/changepw at AUFEERDESIGN, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19



-- 
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
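A quick way to confirm the same failure signature in a KDC log, added here as an example and not taken from this thread or from Samba: the shell functions below scan MIT krb5kdc log lines for AS_REQs to the kadmin/changepw service that were rejected with "Password has expired", which is exactly the pattern in the mit_kdc.log excerpt above (a user who must change the password cannot even obtain a ticket for the password-change service). The sample log lines are constructed for this example, modelled on the quoted format; the EXAMPLE.TEST realm, the host ad01 and the extra principals alice and bob are made up.

```shell
#!/bin/sh
# Added example (not from the original mail): report client principals whose
# AS_REQ for kadmin/changepw was refused because the password had expired.

# Constructed sample log lines modelled on the mit_kdc.log format quoted in the
# mail. Realm, host and the principals alice/bob are invented for the example.
SAMPLE_KDC_LOG='Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.181: UNKNOWN_REASON: long@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19
Sep 12 16:32:01 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.182: ISSUE: authtime 1536762721, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Sep 12 16:33:05 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.183: UNKNOWN_REASON: bob@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Password has expired
Sep 12 16:34:10 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.181: UNKNOWN_REASON: long@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Password has expired'

# Count AS_REQs for the password-change service that failed with an expired
# password. Reads log text on stdin, prints a single number.
changepw_expired_count() {
    grep -c 'AS_REQ.* for kadmin/changepw@.*Password has expired$'
}

# Print one line per affected client principal:
#   "<principal> <number of rejected requests> <last client IP seen>"
# Reads log text on stdin; output is sorted by principal.
changepw_expired_report() {
    awk '
        /AS_REQ/ && /for kadmin\/changepw@/ && /Password has expired$/ {
            client = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                # "<client> for kadmin/changepw@REALM," names the requesting principal
                if ($i == "for" && $(i + 1) ~ /^kadmin\/changepw@/) client = $(i - 1)
                # the dotted-quad field ending in ":" is the client address
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:$/) ip = substr($i, 1, length($i) - 1)
            }
            if (client != "") { count[client]++; last_ip[client] = ip }
        }
        END { for (c in count) print c, count[c], last_ip[c] }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_KDC_LOG" | changepw_expired_report
```

To check a real server, feed the actual mit_kdc.log on stdin instead of the sample; a principal that keeps appearing in this report after the user has tried to change the password is showing the behaviour described in the thread.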

On 09/17/2018 07:57 AM, Andreas Schneider via samba wrote:
> On Wednesday, 12 September 2018 18:13:16 CEST Andrew Bartlett wrote:
>> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>>> Hello,
>>> if anybody would kindly have anything to advise, please, please - do :-)
>>>
>>> SETUP:
>>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1 Samba
>>> server and 1 joined windows machine and 1 account) :-)
>>>
>>> PROBLEM:
>>> the "--must-change-at-next-login" is the problematic part
>>>
>>> after creating user, with this attribute the user is authenticated OK
>>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>>> repeatedly says: password is EXPIRED
>
> Can you please describe the exact steps how this can be reproduced?
>
> Thanks!
