I don't know LTB or what it exactly is, but
Add in /etc/ldap/ldap.conf
TLS_REQCERT allow
Set up your own "rootCA" like this.
( if not done, apt-get install ca-certificates )
mkdir -p /usr/local/share/ca-certificates/chrono
mv /etc/ssl/ca_chrono-dom.lan.pem /usr/local/share/ca-certificates/chrono
update-ca-certificates
! MUST BE /usr/local/share/ca-certificates, else it's not picked up by the
update-ca-certificates command.
you should see:
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
And correct this back:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Now, after doing the above, your CA cert is hashed in /etc/ssl/certs
and it's added to /etc/ssl/certs/ca-certificates.crt
Do this and try again and let us know the result.
Greetz,
Louis
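An added example, not code from Louis's message nor from Samba or LTB, that checks the point above mechanically: whether the CA file really ended up inside the bundle that ldap.conf's TLS_CACERT names. Every path, file name and certificate body in the demo is a constructed placeholder. Two facts the script relies on: update-ca-certificates(8) only picks up files under /usr/local/share/ca-certificates whose name ends in .crt, so the staging helper copies the .pem under that extension; and the demo's ldap.conf uses TLS_REQCERT demand (the default), the setting under which a CA missing from the bundle actually fails the bind, unlike allow or never, which let an unverifiable server certificate through.

```sh
#!/bin/sh
# Added example, not from the thread: verify that a CA PEM really sits in the
# bundle ldap.conf points at, and stage it the way update-ca-certificates(8)
# expects. Paths, names and certificate bodies used below are constructed.
set -eu

# Strip the PEM armour and all whitespace so a certificate body can be
# searched for regardless of how the bundle wraps its lines.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d ' \t\r\n'
}

# Number of certificates in a bundle (0 when there are none).
bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 when the certificate in $1 is contained in bundle $2, 1 when it is
# not, 2 when $1 holds no certificate. POSIX tools only, no openssl needed.
ca_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2
    bundle=$(tr -d ' \t\r\n' < "$2")
    case "$bundle" in
        *"$body"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Copy a CA into a trust directory as NAME.crt and print the new path.
# update-ca-certificates(8) ignores files whose extension is not .crt, so a
# file left as ca_foo.pem never reaches /etc/ssl/certs/ca-certificates.crt.
stage_ca() {    # stage_ca <pem-file> <trust-dir> <name>
    mkdir -p "$2"
    cp "$1" "$2/$3.crt"
    printf '%s\n' "$2/$3.crt"
}

# Read TLS_CACERT from an ldap.conf and check the CA is inside that file.
check_ldap_conf() {    # check_ldap_conf <ldap.conf> <ca-pem>
    cacert=$(awk '$1 == "TLS_CACERT" { print $2; exit }' "$1")
    [ -n "$cacert" ] || { echo "no TLS_CACERT line in $1" >&2; return 1; }
    ca_in_bundle "$2" "$cacert"
}

# Offline demonstration in a temporary directory. The certificate bodies are
# constructed placeholders; real files carry base64-encoded DER there.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURURfTE9DQUxfQ0E=' \
        '-----END CERTIFICATE-----' > "$tmp/ca_example.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURURfUFVCTElDX0NB' \
        '-----END CERTIFICATE-----' > "$tmp/ca-certificates.crt"
    printf 'TLS_CACERT %s/ca-certificates.crt\nTLS_REQCERT demand\n' "$tmp" \
        > "$tmp/ldap.conf"

    if check_ldap_conf "$tmp/ldap.conf" "$tmp/ca_example.pem"; then
        echo "CA already in bundle"
    else
        echo "CA missing from bundle; staging it"
        staged=$(stage_ca "$tmp/ca_example.pem" "$tmp/trust" ca_example)
        # Stand-in for 'update-ca-certificates', which appends staged .crt
        # files to the bundle and adds hash symlinks under /etc/ssl/certs.
        cat "$staged" >> "$tmp/ca-certificates.crt"
    fi
    check_ldap_conf "$tmp/ldap.conf" "$tmp/ca_example.pem" \
        && echo "CA now in bundle named by TLS_CACERT"
    rm -rf "$tmp"
}
demo
```

On a real host the same functions apply to /etc/ldap/ldap.conf and the CA file: if check_ldap_conf fails after update-ca-certificates has run, the usual causes are the missing .crt extension or TLS_CACERT still pointing at the original .pem rather than the bundle.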
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Charles-Henri
> Falconnet
> Sent: Wednesday 11 May 2016 10:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Change Password after expired
>
> Hi list,
>
> Same wish here!
> I'd like my users to change their password using LTB (great tool) but
> since 4.2.10 (debian jessie) I lost the connection to samba4.
> I tried using TLS and port 636 in LTB's config.inc.php with a dedicated
> user and put the self signed AC from private/tls but it didn't work.
> Before the upgrade, I was on samba 4.1.17 (debian jessie) and simple
> bind on port 389 for LTB and it worked great.
> I read https://www.samba.org/samba/history/samba-4.2.10.html and the apt
> listchanges of Andrew Bartlett
>
> I'm stuck since the upgrade. I tried to change the new parameters to
> downgrade security but it didn't work (and I don't want less
> security).
> The active directory works, users can authenticate and access a separate
> member files server.
>
> My smb.conf
>
> [global]
> workgroup = CHRONO-DOM
> realm = CHRONO-DOM.LAN
> netbios name = DMZ-PVE-SRV9
> server role = active directory domain controller
> dns forwarder = xxx.xxx.xxx.xxx
> idmap_ldb:use rfc2307 = yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> idmap config CHRONO-DOM : backend = ad
> idmap config CHRONO-DOM : range = 10000-29999
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> acl map full control = yes
> syslog = 0
> log level = 7 auth:10 winbind:10
> tls verify peer = ca_only
>
> [netlogon]
> path = /var/lib/samba/sysvol/chrono-dom.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> On the LAMP server with LTB Self Service Password and other web apps I
> configure the ldap.conf with
> TLS_CACERT /etc/ssl/ca_chrono-dom.lan.pem
> TLS_REQCERT never
> and the read mode bit for other
>
> With openssl s_client -showcerts -connect dmz-pve-srv9.chrono-dom.lan:636
> or openssl s_client -CAfile <path to the self signed CA> -showcerts
> -connect dmz-pve-srv9.chrono-dom.lan:636
> returns Verify return code: 18 (self signed certificate) but I don't
> think that can be a problem.
>
> I appreciate some help.
>
> Charles
>
>
> On 10/05/2016 21:41, Rowland penny wrote:
> > On 10/05/16 20:11, Carlos A. P. Cunha wrote:
> >> In some customers, yes, but they are with LTSP (PXE boot), where another
> >> uses a graphical interface, but would rather have a web interface to
> >> change the password.
> >> This would also be used for Windows stations off the field.
> >>
> >>
> >>
> >
> > What is wrong with the 'LTB Self Service Password' program ??
> >
> > Did you configure 'config.inc.php' correctly ?
> >
> >
> > Rowland
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba