
Re: [Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work




On Wed, 12 Sep 2018 17:16:39 +0200
Karel Lang AFD via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> if anybody would kindly have anything to advise, please, please -
> do :-)
> 
> 
> SETUP:
> Fedora 28 + Samba 4.8.5 AD  (testing environment consisting of 1
> Samba server and 1 joined windows machine and 1 account) :-)
> 
> PROBLEM:
> the "--must-change-at-next-login" is the problematic part
> 
> after creating user, with this attribute the user is authenticated OK 
> during FIRST Logon BUT!! when challenged to CHANGE password (as 
> expected) he/she can not change the pw as the DOMAIN stubbornly, 
> repeatedly says: password is EXPIRED
> 
> 
> Replication of problem:
> - install Fedora 28
> - install Samba:
> yum install samba samba-dc samba-krb5-printing samba-pidl samba-test 
> samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob 
> oddjob-mkhomedir adcli
> 
> - DNS setting, IP address setting, turn off firewalld, turn off
> NetworkManager, turn off SELinux
> 
> - provision of Samba:
> samba-tool domain provision --use-rfc2307 --interactive
> 
> - start samba and add group and user:
> systemctl start samba.service
> 

This would be using MIT for the KDC, is this correct?
If it is, then running a DC on red-hat using the OS packages (i.e. with
MIT) is still considered experimental, there are still bits that do
not work, as you seem to have found out.

By all means use red-hat Samba packages for Unix domain members, or for
testing a DC, just don't use them for a DC in production.

Sorry ;-)

Rowland
