Mark Foley
2016-Jan-08 17:10 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
I have successfully joined my Linux/Ubuntu workstation to the Samaba AD/DC domain thanks to help from Rowland Penny. Now I face an interesting problem ... Domain users cannot change their password. Domain users can successfully login to the Linux workstation using their domain credentials, but when the user tries to change the password using "Passwords and Keys" from the desktop utility, it does nothing. Trying to change the password from a terminal session using `passwd` gives the prompt: "Current Kerberos password:" but entering the current domain password is not accepted and the prompt repeats. If the Domain Administrator set the user's account to "User must change password at next login", or if the domain policy expires passwords after so-many days, the user cannot log into the Linux workstations -- the display manager login dialog spins for several minutes, then shows, "Invalid password, please try again." This is serious. How does a domain user change his own password? HELP! --Mark
Mark Foley
2016-Jan-14 05:54 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
Hmmm, this message is a week old and nothing? I know many of you have domain member hosts in your domain and surely are logging in as domain users authenticating with the Samba4 AD/DC, right? How do you change your password without having the domain Administrator do it for you? --Mark -----Original Message----- From: Mark Foley <mfoley at ohprs.org> Date: Fri, 08 Jan 2016 12:10:16 -0500 To: samba at lists.samba.org Subject: [Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password I have successfully joined my Linux/Ubuntu workstation to the Samaba AD/DC domain thanks to help from Rowland Penny. Now I face an interesting problem ... Domain users cannot change their password. Domain users can successfully login to the Linux workstation using their domain credentials, but when the user tries to change the password using "Passwords and Keys" from the desktop utility, it does nothing. Trying to change the password from a terminal session using `passwd` gives the prompt: "Current Kerberos password:" but entering the current domain password is not accepted and the prompt repeats. If the Domain Administrator set the user's account to "User must change password at next login", or if the domain policy expires passwords after so-many days, the user cannot log into the Linux workstations -- the display manager login dialog spins for several minutes, then shows, "Invalid password, please try again." This is serious. How does a domain user change his own password? HELP! --Mark -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Viktor Trojanovic
2016-Jan-14 09:20 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
I haven't had this use-case myself yet as I only connected Win clients so far but I remember reading here on the list that this functionality is not built-in for Unix, you either need to script it yourself or resort to third party tools. I think there are some FLOSS tools around that allow the user to change their password via an internally hosted web page. Search the list (and web) using those keywords, you should find enough results. Viktor> On 14 Jan 2016, at 06:54, Mark Foley <mfoley at ohprs.org> wrote: > > Hmmm, this message is a week old and nothing? > > I know many of you have domain member hosts in your domain and surely are logging in as domain > users authenticating with the Samba4 AD/DC, right? > > How do you change your password without having the domain Administrator do it for you? > > --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Fri, 08 Jan 2016 12:10:16 -0500 > To: samba at lists.samba.org > Subject: [Samba] Samba AD/DC, Single-Sign-On, > domain users cannot change password > > I have successfully joined my Linux/Ubuntu workstation to the Samaba AD/DC domain thanks to > help from Rowland Penny. > > Now I face an interesting problem ... Domain users cannot change their password. > > Domain users can successfully login to the Linux workstation using their domain credentials, > but when the user tries to change the password using "Passwords and Keys" from the desktop > utility, it does nothing. > > Trying to change the password from a terminal session using `passwd` gives the prompt: "Current > Kerberos password:" but entering the current domain password is not accepted and the prompt repeats. > > If the Domain Administrator set the user's account to "User must change password at next > login", or if the domain policy expires passwords after so-many days, the user cannot log into > the Linux workstations -- the display manager login dialog spins for several minutes, then > shows, "Invalid password, please try again." > > This is serious. How does a domain user change his own password? > > HELP! > > --Mark > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2016-Jan-14 09:36 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On 14/01/16 05:54, Mark Foley wrote:> Hmmm, this message is a week old and nothing? > > I know many of you have domain member hosts in your domain and surely are logging in as domain > users authenticating with the Samba4 AD/DC, right? > > How do you change your password without having the domain Administrator do it for you? > > --Mark > > -----Original Message----- > From: Mark Foley <mfoley at ohprs.org> > Date: Fri, 08 Jan 2016 12:10:16 -0500 > To: samba at lists.samba.org > Subject: [Samba] Samba AD/DC, Single-Sign-On, > domain users cannot change password > > I have successfully joined my Linux/Ubuntu workstation to the Samaba AD/DC domain thanks to > help from Rowland Penny. > > Now I face an interesting problem ... Domain users cannot change their password. > > Domain users can successfully login to the Linux workstation using their domain credentials, > but when the user tries to change the password using "Passwords and Keys" from the desktop > utility, it does nothing. > > Trying to change the password from a terminal session using `passwd` gives the prompt: "Current > Kerberos password:" but entering the current domain password is not accepted and the prompt repeats. > > If the Domain Administrator set the user's account to "User must change password at next > login", or if the domain policy expires passwords after so-many days, the user cannot log into > the Linux workstations -- the display manager login dialog spins for several minutes, then > shows, "Invalid password, please try again." > > This is serious. How does a domain user change his own password? > > HELP! > > --Mark >Using 'passwd' does work, but pam has to be setup correctly and you cannot change the password on the first day unless you change the minimum password age to '0' Changing the password at login has nothing to do with Samba (provided you can change it from the CLI, see above), it is down to your login manager. Rowland
Sketch
2016-Jan-14 14:14 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
On Thu, 14 Jan 2016, Mark Foley wrote:> Hmmm, this message is a week old and nothing? > > I know many of you have domain member hosts in your domain and surely are logging in as domain > users authenticating with the Samba4 AD/DC, right? > > How do you change your password without having the domain Administrator do it for you?> Trying to change the password from a terminal session using `passwd` > gives the prompt: "Current Kerberos password:" but entering the current > domain password is not accepted and the prompt repeats.I type "passwd" in a shell, and it works as it should. One thing I note is that it only asks me for my kerberos password if i fail to enter my password correctly. Current Password: Password change failed. Server message: Old password not accepted. Kerberos 5 Password: Rowland's suggestion that your PAM configuration is incorrect seems like a good possibility here.> Domain users can successfully login to the Linux workstation using their domain credentials, > but when the user tries to change the password using "Passwords and Keys" from the desktop > utility, it does nothing.I don't run Ubuntu, but I did take a look at GNOME's "Passwords and Keys" as exist in gnome 3.14 in centos 7, and I don't see any way to change the user's system password from it. I do see "login" under "Passwords", but it only seems to change the password used to unlock the keyring itself (which is normally the user's login password), not the user's actual login password. I don't think this is the right place to change the login password.
Guilherme Boing
2016-Jan-19 09:56 UTC
[Samba] Samba AD/DC, Single-Sign-On, domain users cannot change password
I remember that I was never able to change the AD password, but I made passwd work.. kind of. When I used passwd, the password would change on "unixPassword" attribute, however it would still be possible to use the AD password (and AD password wouldn't change at all). So, in the end, I had two different passwords that would authenticate: unixPassword (that didn't exist until I used passwd) and the AD password (that I was never able to change using passwd). On Fri, Jan 8, 2016 at 3:10 PM, Mark Foley <mfoley at ohprs.org> wrote:> I have successfully joined my Linux/Ubuntu workstation to the Samaba AD/DC > domain thanks to > help from Rowland Penny. > > Now I face an interesting problem ... Domain users cannot change their > password. > > Domain users can successfully login to the Linux workstation using their > domain credentials, > but when the user tries to change the password using "Passwords and Keys" > from the desktop > utility, it does nothing. > > Trying to change the password from a terminal session using `passwd` gives > the prompt: "Current > Kerberos password:" but entering the current domain password is not > accepted and the prompt repeats. > > If the Domain Administrator set the user's account to "User must change > password at next > login", or if the domain policy expires passwords after so-many days, the > user cannot log into > the Linux workstations -- the display manager login dialog spins for > several minutes, then > shows, "Invalid password, please try again." > > This is serious. How does a domain user change his own password? > > HELP! > > --Mark > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Apparently Analagous Threads
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD/DC, Single-Sign-On, domain users cannot change password
- Samba AD PDC , LDAP and Single-Sign-On