[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)

Rowland penny rpenny at samba.org
Sun Jun 6 10:09:49 UTC 2021


On 06/06/2021 10:57, Kees van Vloten wrote:
> On 22-04-2021 23:36, Rowland penny via samba wrote:
>> On 22/04/2021 21:45, Kees van Vloten wrote:
>>> On 22-04-2021 22:31, Rowland penny via samba wrote:
>>>> On 22/04/2021 21:11, Kees van Vloten via samba wrote:
>>>>> Hi,
>>>>>
>>>>> I have freshly set up 2 lxc containers with Samba 4.13 on Debian 
>>>>> Buster (installed from apt.van-belle.nl/debian).
>>>>> The first runs samba-ad-dc, the second has samba + winbind and has 
>>>>> joined the AD domain.
>>>>>
>>>>> A domain user is created with samba-tool with the option 
>>>>> --must-change-at-next-login. A login with the user succeeds the 
>>>>> first time, with some interesting output:
>>>>>
>>>>> kvv at bach:~$ ssh grieg
>>>>> kvv at grieg's password:
>>>>> Password expired.  You must change it now.
>>>>> Password change rejected: Try a more complex password, or contact 
>>>>> your administrator..  Please try again.
>>>>>
>>>>> Password change rejected: Try a more complex password, or contact 
>>>>> your administrator..  Please try again.
>>>>>
>>>>> Your password has expired
>>>>> Linux grieg 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) 
>>>>> x86_64
>>>>
>>>>
>>>> I think you have run into this bug:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=14622
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>> Hi Rowland,
>>>
>>> I am not sure that bug is applicable since I have no ssh-keys 
>>> configured on the user.
>>>
>>> The bug says that scenario does work with SSSD; I have actually 
>>> tried SSSD before winbind. SSSD is different: it does present a 
>>> change-password sequence and lets me change it (it does get changed in 
>>> AD as well), but at the next login it wants me to change it again and 
>>> it continues to do so, i.e. I cannot log in.
>>>
>>> -- 
>>> Kees van Vloten
>>>
>>
>> I was really referring to the fact that winbind and PAM do not really 
>> work for anything but authentication (you can log in via ssh with a 
>> disabled user) and, as far as I am aware, you cannot change a user's 
>> password via winbind. I just don't think there is the code to do what 
>> you are trying, but I am very willing to be proved wrong.
>>
>> Rowland
>>
>>
> Hi Rowland,
>
> Another option is using sssd, but sssd has a number of issues with 
> samba-addc, i.e. not the best alternative :-(


No, you cannot use sssd on a DC; its winbind-based components interfere 
with the Winbind that the DC uses.

>
> Would it be feasible to use winbind for nss and sssd for pam?


No

> That would avoid the issues with sssd (computerpw update, idmapping 
> etc) and I also avoid the issues with pam-winbind described above.


You could try using nslcd, which uses pam and ldap.

Rowland
