[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)

Rowland penny rpenny at samba.org
Sun Jun 6 10:52:09 UTC 2021

On 06/06/2021 11:20, Kees van Vloten wrote:
> The problem is not on the DC, users do not login there.
> There are some member-servers that do need domain-user logins, e.g. 
> over ssh.
> I have already found out that sssd is not good to maintain the 
> computer-account password, does not support ntlm and really want the 
> same tool for id-mapping everywhere. Since that is winbind on the DC 
> and on the SMB-fileserver, the idea is to use it on other member 
> servers for NSS as well.
> However due to https://bugzilla.samba.org/show_bug.cgi?id=14622 
> pam-winbind is not the right tool for user logins. I tried pam-sss 
> instead with good results.
> That's the background.
> - Would pam-sss + winbind for NSS work on a member-server?

Probably, possibly, but you only get authentication, so you might just 
as well use sssd by itself. If you want shares, then you really need the 
full Samba stack.

> - Does the combination nslcd, pam, ldap provide the users with a 
> kerberos ticket?

It has been sometime since I used nslcd, but I believe so.

Of course it would be so much better if that bug was fixed, it is (in my 
opinion) a security bug, disabled users or users with expired passwords 
should not be able to login by any method.


More information about the samba mailing list