Ken McDonald
2018-Jan-29 12:49 UTC
[Samba] Changing expired Samba AD password during Windows login
Ok, so I tried all the suggestions without success.

Unless I hear back from someone saying it is NOT possible for a user to change an expired password during login from a Domain account on a Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev release), then I will proceed with more in-depth troubleshooting, log file debugging, and mock-up VMs in order to determine what is happening.

Effectively for me, Samba AD is unusable unless users can change an expired password during login like they can when running on a pure Windows Server AD domain.

Thanks for everyone (anyone?) and their assistance!
Kacper Wirski
2018-Jan-29 18:52 UTC
[Samba] Changing expired Samba AD password during Windows login
I can only share my experience:

domain with only Samba DCs (started from Samba 4.4, updated to 4.7 in the meantime), Windows clients (Vista, 7, 8.1 and 10), no problem whatsoever. Passwords are changed every X days, and users have no problem with the procedure (prompt "your password has expired" -> user enters new password -> "your password was changed" -> OK) and that's it.

Only samba-tool was used to enforce password policy; I didn't need to set anything in GPO in order to make it work.

The only thing that comes to my mind is maybe an issue with Kerberos? I know for a fact that Windows, since August 2016, requires Kerberos to change an expired password. Other than this, I'm sorry.

On 29.01.2018 at 13:49, Ken McDonald via samba wrote:
> Ok, so I tried all the suggestions without success.
>
> Unless I hear back from someone saying it is NOT possible for a user
> to change an expired password during login from a Domain account on a
> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev
> release), then I will proceed with more in-depth troubleshooting, log
> file debugging, and mock-up VMs in order to determine what is happening.
>
> Effectively for me, Samba AD is unusable unless users can change an
> expired password during login like they can when running on a pure
> Windows Server AD domain.
>
> Thanks for everyone (anyone?) and their assistance!
>
Ken McDonald
2018-Jan-31 17:23 UTC
[Samba] Changing expired Samba AD password during Windows login
I went back and re-installed on a clean VM of Ubuntu Server 16.04.3 and built Samba 4.7.4 with default configuration and it works just fine to change expired passwords at login. I should have tested this default configuration a while back.

I was trying to use MIT Kerberos instead of Heimdal and had followed all the directions on this link:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

In order to make all the builds work for MIT Kerberos and Samba 4.7.4 on Ubuntu Server 16.04.3, I had to install a lot of other related dependencies and customize install paths, etc. There must be something incorrect with my config that is causing the expired password problem.

As I understand it, using MIT Kerberos instead of Heimdal is the preferred way of implementing a Samba AD to ensure the widest level of compatibility with the overall Windows Server ecosphere? Yes?

On 01/29/2018 01:52 PM, Kacper Wirski via samba wrote:
> I can only share my experience:
>
> domain with only Samba DCs (started from Samba 4.4, updated to 4.7 in
> the meantime), Windows clients (Vista, 7, 8.1 and 10), no problem
> whatsoever. Passwords are changed every X days, and users have no
> problem with the procedure (prompt "your password has expired" -> user
> enters new password -> "your password was changed" -> OK) and that's it.
>
> Only samba-tool was used to enforce password policy; I didn't need to
> set anything in GPO in order to make it work.
>
> The only thing that comes to my mind is maybe an issue with Kerberos?
> I know for a fact that Windows, since August 2016, requires Kerberos to
> change an expired password. Other than this, I'm sorry.
>
>
> On 29.01.2018 at 13:49, Ken McDonald via samba wrote:
>> Ok, so I tried all the suggestions without success.
>>
>> Unless I hear back from someone saying it is NOT possible for a user
>> to change an expired password during login from a Domain account on a
>> Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev
>> release), then I will proceed with more in-depth troubleshooting, log
>> file debugging, and mock-up VMs in order to determine what is
>> happening.
>>
>> Effectively for me, Samba AD is unusable unless users can change an
>> expired password during login like they can when running on a pure
>> Windows Server AD domain.
>>
>> Thanks for everyone (anyone?) and their assistance!
>>
>