Web lists-archives.com

Re: [Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work





Hi Rowland,
Thanks for the informations.
Yes, the Fedora Samba 4 package is built with MIT kerberos.
I know it is still 'fresh' so that is what i do - run tests :-).
Actually this thing with password expiration, is only thing i found so far, otherwise, it 'behaved' surprisingly well.

Thanks again!
Karel


--
*Karel Lang*
*Unix/Linux Administration*
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/12/2018 05:57 PM, Rowland Penny via samba wrote:
On Wed, 12 Sep 2018 17:16:39 +0200
Karel Lang AFD via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello,
if anybody would kindly have anything to advice, please, please -
do :-)


SETUP:
Fedora 28 + Samba 4.8.5 AD  (testing environment consisting of 1
Samba server and 1 joined windows machine and 1 account) :-)

PROBLEM:
the "--must-change-at-next-login" is the problematic part

after creating user, with this attribute the user is authenticated OK
during FIRST Logon BUT!! when challenged to CHANGE password (as
expected) he/she can not change the pw as the DOMAIN stubbornly,
repeatedly says: password is EXPIRED


Replication of problem:
- install Fedora 28
- install Samba:
yum install samba samba-dc samba-krb5-printing samba-pidl samba-test
samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob
oddjob-mkhomedir adcli

- DNS setting, IP address setting, turn off firewalld, turn off
NetworkManager, tunr off SELinux

- provision of SAmba:
samba-tool domain provision --use-rfc2307 --interactive

- start samba and add group and user:
systemctl start samba.service


This would be using MIT for the KDC, is this correct ?
If it is, then running A DC on red-hat using the OS packages (i.e. with
MIT) is still considered  experimental, there are still bits that do
not work, as you seem to have found out.

By all means use red-hat Samba packages for Unix domain members, or for
testing a DC, just don't use them for a DC in production.

Sorry ;-)

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba