Ken McDonald
2018-Jan-31 17:23 UTC
[Samba] Changing expired Samba AD password during Windows login
I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and built Samba 4.7.4 with default configuration and it works just fine to change expired passwords at login. I should have tested this default configuration a while back.

I was trying to use MIT Kerberos instead of Heimdal and had followed all the directions on this link:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

In order to make all the builds work for MIT Kerberos and Samba 4.7.4 on Ubuntu Server 16.04.3, I had to install a lot of other related dependencies and customize install paths, etc. There must be something incorrect with my config that is causing the expired password problem.

As I understand it, using MIT Kerberos instead of Heimdal is the preferred way of implementing a Samba AD to ensure the widest level of compatibility with the overall Windows Server ecosphere? Yes?

On 01/29/2018 01:52 PM, Kacper Wirski via samba wrote:
> I can only share my experience:
>
> domain with only samba DC's (started from samba 4.4 updated to 4.7 in
> the meantime), windows clients (vista, 7, 8.1 and 10) no problem
> whatsoever, passwords are changed every X days, and users have no
> problem with the procedure (prompt "your password has expired" -> user
> enters new password -> "you password was changed" -> OK) and that's it.
>
> Only samba-tool was used to enforce password policy, I didn't need to
> set anything in GPO in order to make it work.
>
> Only thing that is coming to my mind is maybe an issue with kerberos?
> I know for a fact, that windows since august 2016 requires kerberos to
> change expired password. Other than this I'm sorry.
>
> On 29.01.2018 at 13:49, Ken McDonald via samba wrote:
>> Ok, so I tried all the suggestions without success.
>>
>> Unless I hear back from someone saying it is NOT possible for a user
>> to change an expired password during login from a Domain account on a
>> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev
>> release), then I will proceed with more in-depth troubleshooting, log
>> file debugging, and mock-up VM's in order to determine what is
>> happening.
>>
>> Effectively for me, Samba AD is unusable unless users can change an
>> expired password during login like they can when running on a pure
>> Windows Server AD domain.
>>
>> Thanks for everyone (anyone?) and their assistance!
Micha Ballmann
2018-Jan-31 19:24 UTC
[Samba] Changing expired Samba AD password during Windows login
Waiting for Ubuntu 18.04. No extra compiling for MIT Kerberos needed. These are all the dependencies you need:

# apt-get install acl attr autoconf bind9utils bison build-essential \
    debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev \
    krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev \
    libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls28-dev \
    libgpgme-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev \
    libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl \
    perl-modules-5.26 pkg-config python-all-dev python-crypto python-dbg \
    python-dev python-dnspython python3-dnspython python-gpg python3-gpg \
    python-markdown python3-markdown python3-dev xsltproc zlib1g-dev \
    libkrb5-dev krb5-kdc

On 31 January 2018 at 18:23:56 CET, Ken McDonald via samba <samba at lists.samba.org> wrote:
> I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and
> built Samba 4.7.4 with default configuration and it works just fine to
> change expired passwords at login. I should have tested this default
> configuration a while back.
>
> I was trying to use MIT Kerberos instead of Heimdal and had followed
> all the directions on this link:
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> In order to make all the builds work for MIT Kerberos and Samba 4.7.4
> on Ubuntu Server 16.04.3, I had to install a lot of other related
> dependencies and customize install paths, etc. There must be something
> incorrect with my config that is causing the expired password problem.
>
> As I understand it, using MIT Kerberos instead of Heimdal is the
> preferred way of implementing a Samba AD to ensure the widest level of
> compatibility with the overall Windows Server ecosphere? Yes?
Ken McDonald
2018-Feb-01 00:01 UTC
[Samba] Changing expired Samba AD password during Windows login
On another clean install (with all updates) of Ubuntu Server 16.04.3, trying your line of dependencies fails:

Package libgpgme-dev is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'libgpgme-dev' has no installation candidate
E: Unable to locate package perl-modules-5.26
E: Couldn't find any package by glob 'perl-modules-5.26'
E: Couldn't find any package by regex 'perl-modules-5.26'
E: Unable to locate package python-gpg
E: Unable to locate package python3-gpg

Regardless, using plain apt-get on that version of Ubuntu results in

krb5-kdc (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])
libkrb5-dev (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])

when the Samba install/build docs state that version "MIT Kerberos 1.15.1 or later" is required.

I couldn't figure out how to install that version on Ubuntu 16.04.3 without just downloading the krb5 sources and compiling myself. Doing that required a lot of other tweaking to get all the krb5 dependencies and install directories "correct" to complete the build and have a subsequent Samba 4.7.4 build actually find a functioning krb5.

On 01/31/2018 02:24 PM, Micha Ballmann wrote:
> apt-get install acl attr autoconf bind9utils bison build-essential
> debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev
> krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev
> libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls28-dev
> libgpgme-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev
> libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl
> perl-modules-5.26 pkg-config python-all-dev python-crypto python-dbg
> python-dev python-dnspython python3-dnspython python-gpg python3-gpg
> python-markdown python3-markdown python3-dev xsltproc zlib1g-dev
> libkrb5-dev krb5-kdc
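
Added example, not part of the original thread: a pre-build check that reads package lines in the form apt-get printed above and lists the krb5 packages below the "MIT Kerberos 1.15.1 or later" minimum quoted from the Samba docs. The function names and the two sample lines marked as constructed are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag krb5 packages older than the minimum quoted in the thread.
MIN_KRB5="1.15.1"   # "MIT Kerberos 1.15.1 or later", as quoted from the Samba docs

# Strip a leading "(", a Debian epoch and the packaging suffix:
# "(1.13.2+dfsg-5ubuntu2" -> "1.13.2"
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^(//' -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# version_ge A B: succeed when dotted numeric version A >= B
# (a missing component counts as 0, so 1.15 < 1.15.1).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read "package (version origin [arch])" lines on stdin and print every
# krb5 package whose upstream version is below MIN_KRB5.
too_old_krb5() {
    while read -r pkg ver rest; do
        case $pkg in krb5-*|libkrb5-*) ;; *) continue ;; esac
        ver=$(upstream_version "$ver")
        version_ge "$ver" "$MIN_KRB5" || printf '%s %s\n' "$pkg" "$ver"
    done
}

# The first two lines are from the thread; the last two are constructed.
sample_lines() {
    cat <<'EOF'
krb5-kdc (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])
libkrb5-dev (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])
krb5-user (1.16-2build1 constructed-origin [amd64])
acl (2.2.52-3 constructed-origin [amd64])
EOF
}

sample_lines | too_old_krb5
```

Any package it prints has to be upgraded or built from source before a Samba build against system MIT Kerberos can satisfy the documented minimum.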