Web lists-archives.com

Re: [Samba] Users cannot change their passwords




On Tue, 2018-09-25 at 09:59 +0100, Rowland Penny via samba wrote:
> On Tue, 25 Sep 2018 20:49:07 +1200
> Andrew Bartlett <abartlet@xxxxxxxxx> wrote:
> 
> > On Tue, 2018-09-25 at 09:44 +0100, Rowland Penny via samba wrote:
> > > On Mon, 24 Sep 2018 21:22:06 GMT
> > > "Torin Woltjer" <torin.woltjer@xxxxxxxxxxxxx> wrote:
> > > 
> > > > 
> > > > Thanks for the quick reply, I believe I am using MIT based on
> > > > log
> > > > file names; but is there a better way to tell? I'm not very
> > > > knowledgeable about the distinction between MIT and Heimdal
> > > > regarding
> > > > KDC. Can you direct me to a resource that explains how to make
> > > > the
> > > > switch as I am just using the  defaults in SUSE. Additionally,
> > > > many of the domains experiencing this bug were working fine;
> > > > before migrating them from Ubuntu 16.04. Is this because the
> > > > bug
> > > > was introduced in a newer version that I am now using? Is the
> > > > bug
> > > > fixed in a version newer than what I am using now?
> > > > 
> > > > Thanks again, I appreciate the help.
> > > > 
> > > > Torin Woltjer
> > > >  
> > > > Grand Dial Communications - A ZK Tech Inc. Company
> > > >  
> > > > 616.776.1066 ext. 2006
> > > > www.granddial.com
> > > > 
> > > > 
> > > 
> > > Took some finding, but I am now very sure that the opensuse Samba
> > > AD
> > > DC
> > > uses MIT instead of Heimdal, so this makes it inadvisable to use
> > > in
> > > production. There are just too many problems to make it usable,
> > > the
> > > password problem being one of them.
> > > 
> > > I am sorry, but, as far as I am aware, there is no RPM based
> > > distro
> > > that has production ready Samba packages, I also have a feeling
> > > that
> > > the Ubuntu packages now use MIT, so this really just leaves
> > > Debian
> > > etc.
> > 
> > I've not seen any indication that Ubuntu has changed to MIT
> > Kerberos,
> > thankfully.
> > 
> > Andrew Bartlett
> > 
> 
> I thought I had seen it somewhere, but I bow to your superior
> knowledge.
> 
> Rowland
> 

Following the advice here "Verifying if Samba Has Been Built with MIT
Kerberos Support"  
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

... in reverse:

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"

$ smbd -b | grep HAVE_LIBKADM5SRV_MIT
$ 

So, no MIT involved on Ubuntu

Cheers
Jon
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba