[Samba] Users unable to reset passwords
Mark Foley
mfoley at novatec-inc.com
Sat May 17 04:46:20 UTC 2025
I'm trying to solve a couple of problems with Samba 4.18.19 and Windows 11. I've
described these in detail in previous messages in this thread, so I'll be brief
here:
1. Not all users get notified of password expiration and in any case, if they
permit their passwords to expire they cannot reset with the "reset password"
dialog. I have to do so with samba-tool.
2. The Redirected Folder Policy does not work.
Both of these features worked fine with Samba 4.8.2 and Windows 10.
I am running Slackware 15.0 and although I've been encouraged to move on to
Debian, I've been running Samba as AD/DC on Slackware for 11 years without
actual problem, so I'll see what I can do before abandoning that ship.
I'm going to test 3 ways:
A. I will upgrade Samba to the latest 4.22.1, downloaded from samba.org, but
keeping all the domain users, group, policies, etc.
B. If that doesn't work I will wipe the system and install and provision 4.22.1
from scratch.
C. If that doesn't work I will stage an actual Windows DC and see if the problem
exists on that platform.
If B does not work but C does, I'll file a bug report for Samba. Then I'll have
to decide whether I want to live with the password/redirected-folders issues on
Samba or go with Windows. My inclination is to stick with Samba anyway as its
better security and normally easier management are why I went with Samba over
Windows 11 years ago.
Results thus far:
Plan A
Slackware Samba uses MIT Kerberos, but my installation of that was
too old for Samba 4.22.1 so I switched to Heimdal (I think). After researching
what went where my configure options were:
./configure --prefix /var/lib/samba/ --sbindir=/usr/sbin/ \
--sysconfdir=/etc/samba/ --without-systemd --bindir=/usr/bin --disable-cups
Testing on Plan A gives mixed results. Testing per "Verifying the File Server":
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_the_File_Server_(Optional)
gives:
# smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Users Disk user folders for redirection
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.22.1)
SMB1 disabled -- no workgroup available
# smbclient //localhost/netlogon -UAdministrator -c 'ls'
. D 0 Thu Jan 18 21:51:48 2024
.. D 0 Thu Jan 18 21:51:48 2024
1913467748 blocks of size 1024. 1792046828 blocks available
Verifying DNS (Optional)
# host -t SRV _ldap._tcp.hprs.local.
Host _ldap._tcp.hprs.local. not found: 3(NXDOMAIN)
# host -t SRV _kerberos._udp.mail.hprs.local.
Host _kerberos._udp.mail.hprs.local. not found: 3(NXDOMAIN)
# host -t A mail.hprs.local.
Host mail.hprs.local. not found: 3(NXDOMAIN)
# host -t PTR 192.168.0.2
Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
# kinit administrator
kinit: Cannot find KDC for realm "HPRS.LOCAL" while getting initial credentials
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HPRS.LOCAL
Valid starting Expires Service principal
05/07/2025 14:11:16 05/08/2025 00:11:16 krbtgt/HPRS.LOCAL@HPRS.LOCAL
renew until 05/08/2025 14:11:10
So, a few things. Maybe I need to forget plan A and go to plan B.
It looks like the smbclient things worked, but none of the verifying DNS tests
worked. The IP for mail.hprs.local isn't found, yet the list of A records does
show it at 192.168.0.2.
I initially provisioned with --dns-backend=SAMBA_INTERNAL
kinit fails, but klist appears to succeed. Interestingly, the only kinit/klist
on the system is /usr/bin/kinit and /usr/bin/klist, both dated Jul 12 2023,
which I think is the old one from MIT Kerberos.
More:
wbinfo -u (does show all domain users)
wbinfo -g (does show all domain groups)
getent passwd mark (returns nothing)
getent group Domain\ Users (returns nothing)
Is there something I'm not enabling, or should I just move on to plan B and
scratch install and provision with Samba 4.22.1?
Sorry for the length of this message!
Thanks --Mark
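
Added example, not part of the original message: the `host` and `getent` checks above go through the machine's resolver and NSS configuration, so this script reads a resolv.conf and an nsswitch.conf and reports whether the DC's address is the first nameserver and whether winbind is listed for passwd and group. The function names and sample file contents are constructed (192.168.0.1 is made up); 192.168.0.2 and hprs.local are the values from the message.

```shell
#!/bin/sh
# Added example (hypothetical helper names): checks of the resolver and NSS
# settings that the `host` and `getent` tests depend on.

# first_nameserver FILE: print the first "nameserver" address in a resolv.conf.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# nss_has_winbind FILE DB: exit 0 if database DB (passwd, group) lists winbind.
# Commented-out lines do not match because their first field is not "DB:".
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# check_dc_host RESOLV NSSWITCH DC_IP: print findings, return the problem count.
check_dc_host() {
    problems=0
    ns=$(first_nameserver "$1")
    if [ "$ns" != "$3" ]; then
        echo "resolv.conf: first nameserver is '${ns:-none}', expected $3"
        problems=$((problems + 1))
    fi
    for db in passwd group; do
        if ! nss_has_winbind "$2" "$db"; then
            echo "nsswitch.conf: '$db' does not list winbind"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample files, not copied from the poster's system.
tmp=$(mktemp -d)
printf 'search hprs.local\nnameserver 192.168.0.1\nnameserver 192.168.0.2\n' \
    > "$tmp/resolv.conf"
printf 'passwd: files\ngroup: files winbind\n' > "$tmp/nsswitch.conf"
check_dc_host "$tmp/resolv.conf" "$tmp/nsswitch.conf" 192.168.0.2 \
    || echo "problems found: $?"
rm -rf "$tmp"
```

On a real DC the arguments would be /etc/resolv.conf, /etc/nsswitch.conf and the DC's own address.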