Rowland penny
2021-Jun-06 10:09 UTC
[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
On 06/06/2021 10:57, Kees van Vloten wrote:
> On 22-04-2021 23:36, Rowland penny via samba wrote:
>> On 22/04/2021 21:45, Kees van Vloten wrote:
>>> On 22-04-2021 22:31, Rowland penny via samba wrote:
>>>> On 22/04/2021 21:11, Kees van Vloten via samba wrote:
>>>>> Hi,
>>>>>
>>>>> I have freshly set up 2 lxc containers with Samba 4.13 on Debian
>>>>> Buster (installed from apt.van-belle.nl/debian).
>>>>> The first runs samba-ad-dc, the second has samba + winbind and has
>>>>> joined the AD domain.
>>>>>
>>>>> A domain user is created with samba-tool with the option
>>>>> --must-change-at-next-login. A login with the user succeeds the
>>>>> first time, with some interesting output:
>>>>>
>>>>> kvv@bach:~$ ssh grieg
>>>>> kvv@grieg's password:
>>>>> Password expired.  You must change it now.
>>>>> Password change rejected: Try a more complex password, or contact
>>>>> your administrator.. Please try again.
>>>>>
>>>>> Password change rejected: Try a more complex password, or contact
>>>>> your administrator.. Please try again.
>>>>>
>>>>> Your password has expired
>>>>> Linux grieg 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
>>>>
>>>> I think you have run into this bug:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=14622
>>>>
>>>> Rowland
>>>>
>>> Hi Rowland,
>>>
>>> I am not sure that bug is applicable since I have no ssh-keys
>>> configured on the user.
>>>
>>> The bug says that scenario does work with SSSD; I have actually
>>> tried SSSD before winbind. SSSD is different, it does present a
>>> change password sequence and lets me change it (it does get changed in
>>> AD as well) but at the next login it wants me to change it again and
>>> it continues to do so, i.e. I cannot login.
>>>
>>> --
>>> Kees van Vloten
>>>
>> I was really referring to the fact that winbind and PAM do not really
>> work for anything but authentication (you can login via ssh with a
>> disabled user) and, as far as I am aware, you cannot change a user's
>> password via winbind. I just don't think there is the code to do what
>> you are trying, but I am very willing to be proved wrong.
>>
>> Rowland
>>
> Hi Rowland,
>
> Another option is using sssd, but sssd has a number of issues with
> samba-addc, i.e. not the best alternative :-(

No, you cannot use sssd on a DC, its winbind-based components interfere with the Winbind that the DC uses.

> Would it be feasible to use winbind for nss and sssd for pam?

No

> That would avoid the issues with sssd (computerpw update, idmapping
> etc) and I also avoid the issues with pam-winbind described above.

You could try using nslcd, this uses pam and ldap.

Rowland