[Samba] Users cannot change their passwords

Jon Gerdes gerdesj at blueloop.net
Tue Sep 25 12:19:16 UTC 2018 

On Tue, 2018-09-25 at 12:08 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Sep 2018 10:40:52 +0000
> Jon Gerdes via samba <samba at lists.samba.org> wrote:
> 
> > On Tue, 2018-09-25 at 09:59 +0100, Rowland Penny via samba wrote:
> > > On Tue, 25 Sep 2018 20:49:07 +1200
> > > Andrew Bartlett <abartlet at samba.org> wrote:
> > > 
> > > > On Tue, 2018-09-25 at 09:44 +0100, Rowland Penny via samba
> > > > wrote:
> > > > > On Mon, 24 Sep 2018 21:22:06 GMT
> > > > > "Torin Woltjer" <torin.woltjer at granddial.com> wrote:
> > > > > 
> > > > > > 
> > > > > > Thanks for the quick reply, I believe I am using MIT based
> > > > > > on
> > > > > > log
> > > > > > file names; but is there a better way to tell? I'm not very
> > > > > > knowledgeable about the distinction between MIT and Heimdal
> > > > > > regarding
> > > > > > KDC. Can you direct me to a resource that explains how to
> > > > > > make
> > > > > > the
> > > > > > switch as I am just using the  defaults in SUSE.
> > > > > > Additionally,
> > > > > > many of the domains experiencing this bug were working
> > > > > > fine;
> > > > > > before migrating them from Ubuntu 16.04. Is this because
> > > > > > the
> > > > > > bug
> > > > > > was introduced in a newer version that I am now using? Is
> > > > > > the
> > > > > > bug
> > > > > > fixed in a version newer than what I am using now?
> > > > > > 
> > > > > > Thanks again, I appreciate the help.
> > > > > > 
> > > > > > Torin Woltjer
> > > > > >  
> > > > > > Grand Dial Communications - A ZK Tech Inc. Company
> > > > > >  
> > > > > > 616.776.1066 ext. 2006
> > > > > > www.granddial.com
> > > > > > 
> > > > > > 
> > > > > 
> > > > > Took some finding, but I am now very sure that the opensuse
> > > > > Samba AD
> > > > > DC
> > > > > uses MIT instead of Heimdal, so this makes it inadvisable to
> > > > > use
> > > > > in
> > > > > production. There are just too many problems to make it
> > > > > usable,
> > > > > the
> > > > > password problem being one of them.
> > > > > 
> > > > > I am sorry, but, as far as I am aware, there is no RPM based
> > > > > distro
> > > > > that has production ready Samba packages, I also have a
> > > > > feeling
> > > > > that
> > > > > the Ubuntu packages now use MIT, so this really just leaves
> > > > > Debian
> > > > > etc.
> > > > 
> > > > I've not seen any indication that Ubuntu has changed to MIT
> > > > Kerberos,
> > > > thankfully.
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > 
> > > I thought I had seen it somewhere, but I bow to your superior
> > > knowledge.
> > > 
> > > Rowland
> > > 
> > 
> > Following the advice here "Verifying if Samba Has Been Built with
> > MIT
> > Kerberos Support"  
> > 
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> > 
> > ... in reverse:
> > 
> > $ cat /etc/os-release 
> > NAME="Ubuntu"
> > VERSION="18.04.1 LTS (Bionic Beaver)"
> > 
> > $ smbd -b | grep HAVE_LIBKADM5SRV_MIT
> > $ 
> > 
> > So, no MIT involved on Ubuntu
> > 
> > Cheers
> > Jon
> 
> Thanks for that.
> 
> So, it looks like 'RPM' = Experimental, 'DEB' = Production. Of course
> there is always 'Gentoo', but I suppose that distro falls into the
> 'compile it yourself' realm :-)
> 
> Rowland
> 

$ cat /etc/os-release 
NAME="Arch Linux"

$ smbd -b | grep HAVE_LIBKADM5SRV_MIT
$


$ cat /etc/os-release 
NAME=Gentoo

# smbd -b | grep HAVE_LIBKADM5SRV_MIT
   HAVE_LIBKADM5SRV_MIT

... but I set USE=system-mitkrb5 

Cheers
Jon

More information about the samba mailing list