Re: [Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work




Hello Andrew,

thanks for the kind information :-)

Yes, the bug seems to be it, or at least something very similar.
I tried to 'play' with domain password policies - expiration dates and such and I think:

1. the behaviour of an expired password, where the user can not change it - it is the expected behaviour on a Windows domain - please correct me if I am wrong?
2. I observed that the "--must-change-at-next-login" sets somewhere the same attribute (expired password), just like when the password really expired - this is (I think not expected?) there should be a different bit set for this parameter? Because if it is expired == not possible to change it, right?

But I'm no dev, so .. my 2c :-)

Anyway, I'll try to rebuild it with the H. kerberos as you suggested and see.


--
*Karel Lang*
*Unix/Linux Administration*
lang@xxxxxx | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/12/2018 06:13 PM, Andrew Bartlett via samba wrote:
> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>> Hello,
>> if anybody would kindly have anything to advise, please, please - do :-)
>>
>> SETUP:
>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1 Samba
>> server and 1 joined windows machine and 1 account) :-)
>>
>> PROBLEM:
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating user, with this attribute the user is authenticated OK
>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>
> This looks like:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13517
>
> To confirm that, can you rebuild the RPMs to use the internal Heimdal
> and see if it still reproduces?
>
> I've CC'ed Andreas who leads the effort to have Samba use the MIT KDC
> in case he has any more input.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
