Re: [Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
- Date: Wed, 12 Sep 2018 19:06:44 +0200
- From: Karel Lang AFD via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Thanks for the information.
Yes, the Fedora Samba 4 package is built with MIT Kerberos.
I know it is still 'fresh', so that is what I do - run tests :-).
Actually, this thing with password expiration is the only thing I found so
far; otherwise, it 'behaved' surprisingly well.
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
On 09/12/2018 05:57 PM, Rowland Penny via samba wrote:
> On Wed, 12 Sep 2018 17:16:39 +0200
> Karel Lang AFD via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> if anybody would kindly have anything to advise, please, please -
>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
>> Samba server and 1 joined windows machine and 1 account) :-)
>>
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating user, with this attribute the user is authenticated OK
>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>>
>> Replication of problem:
>> - install Fedora 28
>> - install Samba:
>>     yum install samba samba-dc samba-krb5-printing samba-pidl samba-test
>>     samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob
>> - DNS setting, IP address setting, turn off firewalld, turn off
>>   NetworkManager, turn off SELinux
>> - provision of Samba:
>>     samba-tool domain provision --use-rfc2307 --interactive
>> - start samba and add group and user:
>>     systemctl start samba.service
>
> This would be using MIT for the KDC, is this correct?
>
> If it is, then running a DC on red-hat using the OS packages (i.e. with
> MIT) is still considered experimental, there are still bits that do
> not work, as you seem to have found out.
>
> By all means use red-hat Samba packages for Unix domain members, or for
> testing a DC, just don't use them for a DC in production.