Rowland penny
2016-Jan-14 09:36 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 14/01/16 05:54, Mark Foley wrote:
> Hmmm, this message is a week old and nothing?
>
> I know many of you have domain member hosts in your domain and surely are logging in as domain
> users authenticating with the Samba4 AD/DC, right?
>
> How do you change your password without having the domain Administrator do it for you?
>
> --Mark
>
> -----Original Message-----
> From: Mark Foley <mfoley at ohprs.org>
> Date: Fri, 08 Jan 2016 12:10:16 -0500
> To: samba at lists.samba.org
> Subject: [Samba] Samba AD/DC, Single-Sign-On,
>  domain users cannot change password
>
> I have successfully joined my Linux/Ubuntu workstation to the Samba AD/DC domain thanks to
> help from Rowland Penny.
>
> Now I face an interesting problem ... Domain users cannot change their password.
>
> Domain users can successfully log in to the Linux workstation using their domain credentials,
> but when the user tries to change the password using "Passwords and Keys" from the desktop
> utility, it does nothing.
>
> Trying to change the password from a terminal session using `passwd` gives the prompt: "Current
> Kerberos password:" but entering the current domain password is not accepted and the prompt repeats.
>
> If the Domain Administrator set the user's account to "User must change password at next
> login", or if the domain policy expires passwords after so-many days, the user cannot log into
> the Linux workstations -- the display manager login dialog spins for several minutes, then
> shows, "Invalid password, please try again."
>
> This is serious. How does a domain user change his own password?
>
> HELP!
>
> --Mark

Using 'passwd' does work, but PAM has to be set up correctly and you cannot change the password on the first day unless you change the minimum password age to '0'.

Changing the password at login has nothing to do with Samba (provided you can change it from the CLI, see above), it is down to your login manager.

Rowland
Rowland penny
2016-Jan-14 12:16 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 14/01/16 09:36, Rowland penny wrote:
> Using 'passwd' does work, but PAM has to be set up correctly and you
> cannot change the password on the first day unless you change the
> minimum password age to '0'.
>
> Changing the password at login has nothing to do with Samba (provided
> you can change it from the CLI, see above), it is down to your login
> manager.
>
> Rowland

OK, I use Mate on debian wheezy and after a bit of testing, I have found that you can change a user's AD password with the gdm3 login manager.

Rowland
Mark Foley
2016-Jan-15 05:21 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On January 14, 2016 at 12:16 Rowland Penny wrote:
> Using 'passwd' does work, but PAM has to be set up correctly and you
> cannot change the password on the first day unless you change the
> minimum password age to '0'.

You answer piles of questions on this list, so you may not remember, but you helped me set up this whole domain-member/single logon thing last October. The only thing you had me change with the as-installed PAM configuration was to add to /etc/pam.d/common-account:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0002

I also found I needed to change a line in /etc/pam.d/common-password to:

    password [success=3 default=ignore] pam_krb5.so minimum_uid=10000

(instead of minimum_uid=1000) in order to have my non-domain local users be able to change their passwords using passwd.

If there is a PAM file I can post to verify its correctness, I'd be happy to do that.

> OK, I use Mate on debian wheezy and after a bit of testing, I have found
> that you can change a user's AD password with the gdm3 login manager.

I will investigate gdm3 and post back results. I am using Cinnamon on Ubuntu 15.10, but I suppose it should work.

Thanks for your response!

--Mark
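The `minimum_uid` change discussed in the message above decides which accounts `pam_krb5` takes on when `passwd` runs. The script below is an added example, not part of the thread or of Samba: it reads that value from a PAM file and reports, for a given UID, whether `pam_krb5` handles the password change or the stack moves on to the next module. The sample file layout, the function names and the UID 10000 for a domain user are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which users does pam_krb5 take on for password changes?
# Simplified model of the minimum_uid option; not a PAM implementation.

# Print minimum_uid from the pam_krb5.so "password" line of PAM file $1.
# Prints 0 if the option is absent; returns 1 if there is no such line.
krb5_min_uid() {
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        $1 == "password" && /pam_krb5\.so/ {
            min = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^minimum_uid=[0-9]+$/) { split($i, kv, "="); min = kv[2] }
            print min; found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Print who handles a password change for UID $2 according to PAM file $1:
# "krb5", "next-module" (UID below minimum_uid) or "no-krb5" (module absent).
password_handler() {
    min=$(krb5_min_uid "$1") || { echo "no-krb5"; return 0; }
    if [ "$2" -ge "$min" ]; then echo "krb5"; else echo "next-module"; fi
}

# Write a constructed common-password sample with minimum_uid=$1; print its path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<EOF
# constructed sample of /etc/pam.d/common-password
password [success=3 default=ignore] pam_krb5.so minimum_uid=$1
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
EOF
    echo "$f"
}

before=$(make_sample 1000)     # as-installed value mentioned in the thread
after=$(make_sample 10000)     # value it was changed to
for uid in 1000 10000; do      # 1000: local user, 10000: domain user (assumed)
    echo "uid=$uid minimum_uid=1000:$(password_handler "$before" "$uid")" \
         "minimum_uid=10000:$(password_handler "$after" "$uid")"
done
rm -f "$before" "$after"
```

To check a live system, call `password_handler /etc/pam.d/common-password "$(id -u USERNAME)"` for the account in question.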