Andrew Bartlett
2021-Jun-06 10:19 UTC
[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
On Thu, 2021-04-22 at 22:11 +0200, Kees van Vloten via samba wrote:
> Hi,
>
> I have freshly setup 2 lxc containers with Samba 4.13 on Debian Buster
> (installed from apt.van-belle.nl/debian).
> The first runs samba-ad-dc, the second has samba + winbind and has
> joined the AD domain.
>
> A domain user is created with samba-tool with the option
> --must-change-at-next-login. A login with the user succeeds the first
> time some interesting output:
>
> kvv at bach:~$ ssh grieg
> kvv at grieg's password:
> Password expired.  You must change it now.
> Password change rejected: Try a more complex password, or contact your
> administrator..  Please try again.
>
> Password change rejected: Try a more complex password, or contact your
> administrator..  Please try again.
>
> Your password has expired
> Linux grieg 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Mon Apr 12 20:08:22 2021 from 192.168.10.1
> kvv at grieg:~$
>
> In the login sequence I never got the opportunity to enter a new password.
>

This isn't good.

Is this password authentication or Kerberos authentication to ssh?

If this is about Kerberos, then the KDC should be enforcing the
must-change-at-next login, so that error should have happened at the
kinit point.

If this is password authentication, then this should be enforced by
pam_winbind.

I agree either way something is wrong about the user experience, and
you can file a bug.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba