samba - Feb 2018 - Changing expired Samba AD password during Windows login

I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and 
built Samba 4.7.4 with default configuration and it works just fine to 
change expired passwords at login. I should have tested this default 
configuration a while back.

I was trying to use MIT Kerberos instead of Hemidal and had followed all 
the directions on this link:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

In order to make all the builds work for MIT Kerberos and Samba 4.7.4 on 
Ubuntu Server 16.04.3, I had to install a lot of other related 
dependencies and customize install paths, etc. There must be something 
incorrect with my config that is causing the expired password problem.

As I understand it, using MIT Kerberos instead of Heimdal is the 
preferred way of implementing a Samba AD to ensure the widest level of 
compatibility with the overall Windows Server ecosphere? Yes?



On 01/29/2018 01:52 PM, Kacper Wirski via samba wrote:
> I can only share my experience:
>
> domain with only samba DC's (started from samba 4.4 updated to 4.7 in 
> the meantime), windows clients (vista, 7, 8.1 and 10) no problem 
> whatsoever, passwords are changed every X days, and users have no 
> problem with the procedure (prompt "your password has expired"
-> user
> enters new password -> "you password was changed" -> OK)
and that's it.
>
> Only samba-tool was used to enforce password policy, I didn't need to 
> set anything in GPO in order to make it work.
>
> Only thing that is coming to my mind is maybe an issue with kerberos? 
> I know for a fact, that windows since august 2016 requires kerberos to 
> change expired password. Other than this I'm sorry.
>
>
> W dniu 29.01.2018 o 13:49, Ken McDonald via samba pisze:
>> Ok, so I tried all the suggestions without success.
>>
>> Unless I hear back from someone saying it is NOT possible for a user 
>> to change an expired password during login from a Domain account on a 
>> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev 
>> release), then I will proceed with more in-depth troubleshooting, log 
>> file debugging, and mock-up VM's in order to determine what is 
>> happening.
>>
>> Effectively for me, Samba AD is unusable unless users can change an 
>> expired password during login like they can when running on a pure 
>> Windows Server AD domain.
>>
>> Thanks for everyone (anyone?) and their assistance!
>>
>
>

Waiting Ubuntu 18.04. No extra compiling for MIT Kerberos need.

There are all dependencies you need:

# apt-get install acl attr autoconf bind9utils bison build-essential debhelper
dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev
libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev
libcups2-dev libgnutls28-dev libgpgme-dev libjson-perl libldap2-dev
libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev
nettle-dev perl perl-modules-5.26 pkg-config python-all-dev python-crypto
python-dbg python-dev python-dnspython python3-dnspython python-gpg python3-gpg
python-markdown python3-markdown python3-dev xsltproc zlib1g-dev libkrb5-dev
krb5-kdc



Am 31. Januar 2018 18:23:56 MEZ schrieb Ken McDonald via samba <samba at
lists.samba.org>:
>I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and
>
>built Samba 4.7.4 with default configuration and it works just fine to 
>change expired passwords at login. I should have tested this default 
>configuration a while back.
>
>I was trying to use MIT Kerberos instead of Hemidal and had followed
>all 
>the directions on this link:
>
>https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
>In order to make all the builds work for MIT Kerberos and Samba 4.7.4
>on 
>Ubuntu Server 16.04.3, I had to install a lot of other related 
>dependencies and customize install paths, etc. There must be something 
>incorrect with my config that is causing the expired password problem.
>
>As I understand it, using MIT Kerberos instead of Heimdal is the 
>preferred way of implementing a Samba AD to ensure the widest level of 
>compatibility with the overall Windows Server ecosphere? Yes?
>
>
>
>On 01/29/2018 01:52 PM, Kacper Wirski via samba wrote:
>> I can only share my experience:
>>
>> domain with only samba DC's (started from samba 4.4 updated to 4.7
in
>
>> the meantime), windows clients (vista, 7, 8.1 and 10) no problem 
>> whatsoever, passwords are changed every X days, and users have no 
>> problem with the procedure (prompt "your password has
expired" ->
>user 
>> enters new password -> "you password was changed" ->
OK) and that's
>it.
>>
>> Only samba-tool was used to enforce password policy, I didn't need
to
>
>> set anything in GPO in order to make it work.
>>
>> Only thing that is coming to my mind is maybe an issue with kerberos?
>
>> I know for a fact, that windows since august 2016 requires kerberos
>to 
>> change expired password. Other than this I'm sorry.
>>
>>
>> W dniu 29.01.2018 o 13:49, Ken McDonald via samba pisze:
>>> Ok, so I tried all the suggestions without success.
>>>
>>> Unless I hear back from someone saying it is NOT possible for a
user
>
>>> to change an expired password during login from a Domain account on
>a 
>>> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev 
>>> release), then I will proceed with more in-depth troubleshooting,
>log 
>>> file debugging, and mock-up VM's in order to determine what is 
>>> happening.
>>>
>>> Effectively for me, Samba AD is unusable unless users can change an
>>> expired password during login like they can when running on a pure 
>>> Windows Server AD domain.
>>>
>>> Thanks for everyone (anyone?) and their assistance!
>>>
>>
>>
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

On another clean install (with all updates) of Ubuntu Server 16.04.3, 
trying your line of dependencies fails:

Package libgpgme-dev is not available, but is referred to by another 
package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'libgpgme-dev' has no installation candidate
E: Unable to locate package perl-modules-5.26
E: Couldn't find any package by glob 'perl-modules-5.26'
E: Couldn't find any package by regex 'perl-modules-5.26'
E: Unable to locate package python-gpg
E: Unable to locate package python3-gpg

Regardless, using plain apt-get on that version of Ubuntu results in

krb5-kdc (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])

libkrb5-dev (1.13.2+dfsg-5ubuntu2 Ubuntu:16.04/xenial-updates [amd64])

When the Samba install/build docs state that version "MIT Kerberos 
1.15.1 or later" is required. I couldn't figure out how to install that
version on Ubuntu 16.04.3 without just downloading the krb5 sources and 
compiling myself. Doing that required a lot of other tweaking to get all 
the krb5 dependencies and install directories "correct" to complete
the
build and have a subsequent Samba 4.7.4 build actually find a 
functioning krb5


On 01/31/2018 02:24 PM, Micha Ballmann wrote:
> apt-get install acl attr autoconf bind9utils bison build-essential 
> debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev 
> krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev 
> libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls28-dev 
> libgpgme-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev 
> libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl 
> perl-modules-5.26 pkg-config python-all-dev python-crypto python-dbg 
> python-dev python-dnspython python3-dnspython python-gpg python3-gpg 
> python-markdown python3-markdown python3-dev xsltproc zlib1g-dev 
> libkrb5-dev krb5-kdc