[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
rpenny at samba.org
Sun Jun 6 10:52:09 UTC 2021
On 06/06/2021 11:20, Kees van Vloten wrote:
> The problem is not on the DC, users do not login there.
> There are some member-servers that do need domain-user logins, e.g.
> over ssh.
> I have already found out that sssd is not good at maintaining the
> computer-account password, does not support ntlm, and I really want the
> same tool for id-mapping everywhere. Since that is winbind on the DC
> and on the SMB-fileserver, the idea is to use it on other member
> servers for NSS as well.
> However due to https://bugzilla.samba.org/show_bug.cgi?id=14622
> pam-winbind is not the right tool for user logins. I tried pam-sss
> instead with good results.
> That's the background.
> - Would pam-sss + winbind for NSS work on a member-server?
Probably, possibly, but you only get authentication, so you might just
as well use sssd by itself. If you want shares, then you really need the
full Samba stack.
> - Does the combination nslcd, pam, ldap provide the users with a
> kerberos ticket?
It has been some time since I used nslcd, but I believe so.
Of course it would be so much better if that bug was fixed; it is (in my
opinion) a security bug: disabled users or users with expired passwords
should not be able to log in by any method.
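As an added audit example (not from this thread, nor Samba or sssd code): the rule stated above, that disabled accounts and accounts with expired or must-change passwords should be denied, expressed as a check over AD user attributes. The entries below are constructed, and the helper names and the 42-day maximum password age are assumptions; in a real audit the entries would come from an LDAP search and the maximum age from the domain's maxPwdAge.

```python
from datetime import datetime, timedelta, timezone

# Real userAccountControl bits from the AD schema.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# pwdLastSet is a Windows FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def login_denial_reason(entry, max_pwd_age_days, now):
    """Return why this account must not log in, or None if it may."""
    uac = int(entry["userAccountControl"])
    pwd_last_set = int(entry["pwdLastSet"])
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if pwd_last_set == 0:
        # pwdLastSet of 0 is how AD records "must change password at next login".
        return "must change password at next login"
    if not (uac & DONT_EXPIRE_PASSWORD):
        age = now - filetime_to_datetime(pwd_last_set)
        if age > timedelta(days=max_pwd_age_days):
            return "password expired"
    return None


def audit(entries, max_pwd_age_days, now):
    """Map sAMAccountName -> denial reason for every account that should be refused."""
    result = {}
    for e in entries:
        reason = login_denial_reason(e, max_pwd_age_days, now)
        if reason:
            result[e["sAMAccountName"]] = reason
    return result


# Constructed sample entries (hypothetical accounts), evaluated as of 2021-06-06.
NOW = datetime(2021, 6, 6, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "pwdLastSet": datetime_to_filetime(datetime(2021, 5, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": 0x202, "pwdLastSet": datetime_to_filetime(datetime(2021, 5, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "dave", "userAccountControl": 0x200, "pwdLastSet": datetime_to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200, "pwdLastSet": datetime_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_ENTRIES, 42, NOW).items():
        print(f"{name}: {reason}")
```

Comparing this list against accounts that actually obtained sessions on a pam_winbind host is one way to see whether the bug above is affecting you.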