[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
Andrew Bartlett
abartlet at samba.org
Sun Jun 6 10:19:07 UTC 2021
On Thu, 2021-04-22 at 22:11 +0200, Kees van Vloten via samba wrote:
> Hi,
>
> I have freshly setup 2 lxc containers with Samba 4.13 on Debian Buster
> (installed from apt.van-belle.nl/debian).
> The first runs samba-ad-dc, the second has samba + winbind and has
> joined the AD domain.
>
> A domain user is created with samba-tool with the option
> --must-change-at-next-login. A login with the user succeeds the first
> time with some interesting output:
>
> kvv@bach:~$ ssh grieg
> kvv@grieg's password:
> Password expired. You must change it now.
> Password change rejected: Try a more complex password, or contact your
> administrator.. Please try again.
>
> Password change rejected: Try a more complex password, or contact your
> administrator.. Please try again.
>
> Your password has expired
> Linux grieg 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Mon Apr 12 20:08:22 2021 from 192.168.10.1
> kvv@grieg:~$
>
> In the login sequence I never got the opportunity to enter a new password.
>
This isn't good. Is this password authentication or Kerberos
authentication to ssh?

If this is about Kerberos, then the KDC should be enforcing the
must-change-at-next login, so that error should have happened at the
kinit point.

If this is password authentication, then this should be enforced by
pam_winbind.

I agree either way something is wrong about the user experience, and
you can file a bug.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba