I don't know LTB or what it exactly is, but

Add in /etc/ldap/ldap.conf
TLS_REQCERT allow

Set up your own "rootCA" like this.
( if not done, apt-get install ca-certificates )

mkdir -p /usr/local/share/ca-certificates/chrono
mv /etc/ssl/ca_chrono-dom.lan.pem /usr/local/share/ca-certificates/chrono
update-ca-certificates

! MUST BE /usr/local/share/ca-certificates else it's not picked up with the
update-ca-certificates command.

You should see:
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

And correct this back:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Now, after the above is done, your CA cert is hashed in /etc/ssl/certs
and it's added to /etc/ssl/certs/ca-certificates.crt.

Do this and try again and let us know the result.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Charles-Henri
> Falconnet
> Sent: Wednesday 11 May 2016 10:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Change Password after expired
>
> Hi list,
>
> Same wish here!
> I'd like my users to change their password using LTB (great tool) but
> since 4.2.10 (debian jessie) I lost the connection to samba4.
> I tried using TLS and port 636 in LTB's config.inc.php with a dedicated
> user and put the self signed AC from private/tls but it didn't work.
> Before the upgrade, I was on samba 4.1.17 (debian jessie) and simple
> bind on port 389 for LTB and it worked great.
> I read https://www.samba.org/samba/history/samba-4.2.10.html and the apt
> listchanges of Andrew Bartlett.
>
> I'm stuck since the upgrade. I tried to change the new parameters to
> downgrade security but it didn't work (and I don't want less security).
> The active directory works, users can authenticate and access a separate
> member files server.
>
> My smb.conf
>
> [global]
> workgroup = CHRONO-DOM
> realm = CHRONO-DOM.LAN
> netbios name = DMZ-PVE-SRV9
> server role = active directory domain controller
> dns forwarder = xxx.xxx.xxx.xxx
> idmap_ldb:use rfc2307 = yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-2999
> idmap config CHRONO-DOM : backend = ad
> idmap config CHRONO-DOM : range = 10000-29999
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> acl map full control = yes
> syslog = 0
> log level = 7 auth:10 winbind:10
> tls verify peer = ca_only
>
> [netlogon]
> path = /var/lib/samba/sysvol/chrono-dom.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> On the LAMP server with LTB Self Service Password and other web apps I
> configure the ldap.conf with
> TLS_CACERT /etc/ssl/ca_chrono-dom.lan.pem
> TLS_REQCERT never
> and the read mode bit for other
>
> With openssl s_client -showcerts -connect dmz-pve-srv9.chrono-dom.lan:636
> or openssl s_client -CAfile <path to the self signed CA> -showcerts
> -connect dmz-pve-srv9.chrono-dom.lan:636
> returns Verify return code: 18 (self signed certificate) but I don't
> think that can be a problem.
>
> I appreciate some help.
>
> Charles
>
>
> On 10/05/2016 21:41, Rowland Penny wrote:
> > On 10/05/16 20:11, Carlos A. P. Cunha wrote:
> >> In some customer yes, but they are with LTSP (pxe boot) where another
> >> use graphical interface, but would rather have a web interface to
> >> change the password.
> >> This also would be used for windows stations off the field.
> >>
> >
> > What is wrong with the 'LTB Self Service Password' program ??
> >
> > Did you configure 'config.inc.php' correctly ?
> >
> > Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
It works now for all my web apps!
If you have an AC.pem, just rename it to AC.crt (update-ca-certificates
recognizes only .crt files; see man update-ca-certificates).
Thank you Louis.

On 11/05/2016 10:45, L.P.H. van Belle wrote:
> [...]
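The procedure in Louis's reply (put the CA under /usr/local/share/ca-certificates, run update-ca-certificates, point TLS_CACERT at the system bundle) and the .pem versus .crt detail in Charles's reply, shown as an added shell example that is not code from the thread. It mimics what update-ca-certificates does (only files named *.crt are collected into the bundle) on a throwaway directory with a constructed CA and a constructed server certificate, then uses openssl to check that the server certificate chains to the bundle and that an unrelated self-signed certificate, the kind that produced the thread's "Verify return code: 18", does not. The directory names are stand-ins for the real paths. One caveat for anyone copying the ldap.conf lines from the thread: once the CA is in the bundle, TLS_REQCERT demand (the default per ldap.conf(5)) is the setting that actually rejects an unknown or bad server certificate; both never and allow let the session proceed regardless of what the server presents.

```shell
#!/bin/sh
# Added example, not code from the Samba list thread. It mimics what
# update-ca-certificates does with /usr/local/share/ca-certificates (only files
# named *.crt are collected into the bundle) and then verifies certificates
# against that bundle with openssl. The CA, the server certificate and the
# directory layout are constructed under a temporary directory; nothing on the
# real system is touched.
set -e

# Concatenate every *.crt under $1 into bundle $2, as update-ca-certificates
# does into /etc/ssl/certs/ca-certificates.crt. A .pem file is silently
# skipped, which is the pitfall noted in the thread.
build_bundle() {
  bdir="$1"; bout="$2"
  : > "$bout"
  for f in "$bdir"/*.crt; do
    if [ -f "$f" ]; then cat "$f" >> "$bout"; fi
  done
}

# Return 0 if the PEM certificate $1 appears in bundle $2, compared by
# SHA-256 fingerprint rather than by subject name.
ca_in_bundle() {
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  tmp=$(mktemp -d)
  # split the bundle into one file per certificate
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".crt")}' "$2"
  found=1
  for c in "$tmp"/*.crt; do
    if [ -f "$c" ]; then
      have=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2)
      if [ "$have" = "$want" ]; then found=0; fi
    fi
  done
  rm -rf "$tmp"
  return $found
}

# Return 0 if certificate $1 chains to bundle $2: the decision an LDAP client
# with TLS_CACERT pointing at $2 and TLS_REQCERT demand would make.
verify_against_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
STORE="$WORK/ca-certificates"       # stand-in for /usr/local/share/ca-certificates/chrono
BUNDLE="$WORK/ca-certificates.crt"  # stand-in for /etc/ssl/certs/ca-certificates.crt
mkdir -p "$STORE"

# Constructed fixture: a private CA, a server certificate it signed, and an
# unrelated self-signed certificate (all short-lived, all throwaway).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated self-signed" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Step 1: the CA dropped in as ca.pem, as in the thread's first attempt.
cp "$WORK/ca.pem" "$STORE/ca.pem"
build_bundle "$STORE" "$BUNDLE"
if ca_in_bundle "$WORK/ca.pem" "$BUNDLE"; then PEM_PICKED_UP=yes; else PEM_PICKED_UP=no; fi

# Step 2: renamed to ca.crt (the fix from the thread) and the bundle rebuilt.
mv "$STORE/ca.pem" "$STORE/ca.crt"
build_bundle "$STORE" "$BUNDLE"
if ca_in_bundle "$STORE/ca.crt" "$BUNDLE"; then CRT_PICKED_UP=yes; else CRT_PICKED_UP=no; fi

# The client-side verdict once the bundle is correct.
if verify_against_bundle "$WORK/server.crt" "$BUNDLE"; then SERVER_OK=yes; else SERVER_OK=no; fi
if verify_against_bundle "$WORK/other.crt" "$BUNDLE"; then OTHER_OK=yes; else OTHER_OK=no; fi

echo "ca.pem picked up: $PEM_PICKED_UP  ca.crt picked up: $CRT_PICKED_UP"
echo "server cert verifies: $SERVER_OK  unrelated self-signed verifies: $OTHER_OK"
rm -rf "$WORK"
```

Run it with sh; on a live system, call ca_in_bundle with the real CA file and /etc/ssl/certs/ca-certificates.crt after update-ca-certificates to confirm the "1 added" really was your CA, and verify_against_bundle with the certificate saved from openssl s_client -showcerts to confirm the DC's certificate chains to it.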
Hello!
Can you now change the password for the user even when that password is expired or "next logon"?
PS: With the active account, the password change was already working.
Hug.

On 11-05-2016 07:17, Charles-Henri Falconnet wrote:
> [...]