Ashish Yadav
2015-Jan-07 10:04 UTC
[Samba] Password Must Change using SSSD in Samba 4.1.10
Hi,

I am trying to implement the *password must change at next logon* in a CentOS 6.5 client using sssd 1.11.6 where Samba 4.1.10 is my backend server.

Here is the list of things which I have done:

1. I have set up CentOS to do the Domain login using the sssd service. I am able to log in to the CentOS client using the Domain user's credentials from the display and from SSH also, no problem at all.

2. The next thing which I want to implement is the password must change feature in the Samba 4.1.10 server. To do that, I have been using Windows 7 Ultimate, which is already in the Domain, and I am using the RSAT tools for users and groups, where I have an option to check the "password must change at next logon" option for a particular user. After doing that, the Windows machine is honoring this and telling the user to change the password and allowing the user to log in after changing the password.

3. As far as the CentOS client is concerned, it was not honoring the password must change and was allowing the user to log in without asking for a password change using sssd with the current password.

Here is the configuration file of the sssd service:

[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE
sbus_timeout = 30

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/EXAMPLE]
entry_cache_timeout = 600
entry_cache_group_timeout = 600
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_uri = ldap://smbad.intra.example.com:390/
ldap_search_base = dc=intra,dc=example,dc=com
cache_credentials = true
krb5_server = smbad.intra.example.com:8880
krb5_realm= INTRA.EXAMPLE.COM

ldap_default_bind_dn = cn=admin,dc=intra,dc=example,dc=com

ldap_default_authtok_type = password
ldap_default_authtok = 6pNEn7Eo3zmz9MxciGLx

4. I have also tried to achieve the above thing using the command line tool "pdbedit" but without any luck. Here is the link <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing> which I have followed.

Please share your thoughts in order to help me and move forward to solve this problem.

Thanks very much and regards,
Ashishkumar S. Yadav
Rowland Penny
2015-Jan-07 10:11 UTC
[Samba] Password Must Change using SSSD in Samba 4.1.10
On 07/01/15 10:04, Ashish Yadav wrote:
> Hi,
>
> I am trying to implement the *password must change at next logon* in a CentOS 6.5 client using sssd 1.11.6 where Samba 4.1.10 is my backend server.
>
> Here is the list of things which I have done:
>
> 1. I have set up CentOS to do the Domain login using the sssd service. I am able to log in to the CentOS client using the Domain user's credentials from the display and from SSH also, no problem at all.
>
> 2. The next thing which I want to implement is the password must change feature in the Samba 4.1.10 server. To do that, I have been using Windows 7 Ultimate, which is already in the Domain, and I am using the RSAT tools for users and groups, where I have an option to check the "password must change at next logon" option for a particular user. After doing that, the Windows machine is honoring this and telling the user to change the password and allowing the user to log in after changing the password.
>
> 3. As far as the CentOS client is concerned, it was not honoring the password must change and was allowing the user to log in without asking for a password change using sssd with the current password.
>
> Here is the configuration file of the sssd service:
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = EXAMPLE
> sbus_timeout = 30
>
> [nss]
> filter_users = root
> filter_groups = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
> offline_credentials_expiration = 0
>
> [domain/EXAMPLE]
> entry_cache_timeout = 600
> entry_cache_group_timeout = 600
> min_id = 1000
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> ldap_schema = rfc2307bis
> ldap_uri = ldap://smbad.intra.example.com:390/
> ldap_search_base = dc=intra,dc=example,dc=com
> cache_credentials = true
> krb5_server = smbad.intra.example.com:8880
> krb5_realm= INTRA.EXAMPLE.COM
>
> ldap_default_bind_dn = cn=admin,dc=intra,dc=example,dc=com
>
> ldap_default_authtok_type = password
> ldap_default_authtok = 6pNEn7Eo3zmz9MxciGLx
>
> 4. I have also tried to achieve the above thing using the command line tool "pdbedit" but without any luck. Here is the link <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing> which I have followed.
>
> Please share your thoughts in order to help me and move forward to solve this problem.
>
> Thanks very much and regards,
> Ashishkumar S. Yadav

Hi, you may have more chance of getting this resolved if you take it to the sssd mailing list. By your own admission, samba4 is working, so it is probably an sssd problem; sssd is not part of samba.

Rowland
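
The "password must change at next logon" checkbox discussed in this thread is stored in the directory, so its server-side state can be checked independently of sssd. The following is an added example, not code from the thread: it assumes the Samba server is an Active Directory DC, where the flag is recorded as `pwdLastSet` = 0 and is overridden by the DONT_EXPIRE_PASSWD bit in `userAccountControl`; the LDIF and the user names in it are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit for "password never expires" (Active Directory schema)
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample: LDIF in the shape a directory search prints it.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=intra,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512
pwdLastSet: 0

dn: CN=bob,CN=Users,DC=intra,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 512
pwdLastSet: 130650000000000000

dn: CN=carol,CN=Users,DC=intra,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 66048
pwdLastSet: 0
"""

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key] = value
        if entry:
            entries.append(entry)
    return entries

def filetime_to_utc(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)

def must_change(entry):
    """True when the directory marks the password for change at next logon."""
    if int(entry.get("userAccountControl", "0")) & UF_DONT_EXPIRE_PASSWD:
        return False  # "password never expires" overrides pwdLastSet = 0
    return int(entry.get("pwdLastSet", "0")) == 0

def report(text):
    """Return (user, must_change, date of last password set or None) per entry."""
    rows = []
    for e in parse_ldif(text):
        last = int(e.get("pwdLastSet", "0"))
        changed = filetime_to_utc(last).date().isoformat() if last else None
        rows.append((e["sAMAccountName"], must_change(e), changed))
    return rows
```

If the directory shows the flag set for a user who can still log in through sssd without a prompt, the server side is confirmed and the remaining question is on the client.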