Karel Lang AFD
2018-Sep-12 15:16 UTC
[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Hello,
if anybody would kindly have anything to advise, please, please - do :-)

SETUP:
Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1 Samba server and 1 joined windows machine and 1 account) :-)

PROBLEM:
the "--must-change-at-next-login" is the problematic part

after creating user, with this attribute the user is authenticated OK during FIRST Logon BUT!! when challenged to CHANGE password (as expected) he/she can not change the pw as the DOMAIN stubbornly, repeatedly says: password is EXPIRED

Replication of problem:
- install Fedora 28
- install Samba:
  yum install samba samba-dc samba-krb5-printing samba-pidl samba-test samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob oddjob-mkhomedir adcli
- DNS setting, IP address setting, turn off firewalld, turn off NetworkManager, turn off SELinux
- provision of Samba:
  samba-tool domain provision --use-rfc2307 --interactive
- start samba and add group and user:
  systemctl start samba.service
  samba-tool group add --nis-domain=aufeerdesign --gid-number 1903 it
  samba-tool user create long --nis-domain=aufeerdesign --login-shell=/bin/bash --unix-home=/home/long --gid-number=1903 --uid-number=8888 --must-change-at-next-login

I see in logs:

%m.log
[2018/09/12 16:30:26.284142, 1] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/krb5kdc: sam_account_ok: Account for user 'long at AUFEERDESIGN' password must change!.

mit_kdc.log
Sep 12 16:31:14 ad01 krb5kdc[3180](info): AS_REQ (6 etypes {18 17 23 24 -135 3}) 192.168.181.181: UNKNOWN_REASON: long at AUFEERDESIGN for kadmin/changepw at AUFEERDESIGN, Password has expired
Sep 12 16:31:14 ad01 krb5kdc[3180](info): closing down fd 19

Thank You
--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
Rowland Penny
2018-Sep-12 15:57 UTC
[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
On Wed, 12 Sep 2018 17:16:39 +0200
Karel Lang AFD via samba <samba at lists.samba.org> wrote:
> Hello,
> if anybody would kindly have anything to advice, please, please -
> do :-)
>
>
> SETUP:
> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
> Samba server and 1 joined windows machine and 1 account) :-)
>
> PROBLEM:
> the "--must-change-at-next-login" is the problematic part
>
> after creating user, with this attribute the user is authenticated OK
> during FIRST Logon BUT!! when challenged to CHANGE password (as
> expected) he/she can not change the pw as the DOMAIN stubbornly,
> repeatedly says: password is EXPIRED
>
>
> Replication of problem:
> - install Fedora 28
> - install Samba:
> yum install samba samba-dc samba-krb5-printing samba-pidl samba-test
> samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob
> oddjob-mkhomedir adcli
>
> - DNS setting, IP address setting, turn off firewalld, turn off
> NetworkManager, tunr off SELinux
>
> - provision of SAmba:
> samba-tool domain provision --use-rfc2307 --interactive
>
> - start samba and add group and user:
> systemctl start samba.service
>

This would be using MIT for the KDC, is this correct ?
If it is, then running a DC on red-hat using the OS packages (i.e. with MIT) is still considered experimental, there are still bits that do not work, as you seem to have found out.

By all means use red-hat Samba packages for Unix domain members, or for testing a DC, just don't use them for a DC in production.

Sorry ;-)

Rowland
Andrew Bartlett
2018-Sep-12 16:13 UTC
[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
> Hello,
> if anybody would kindly have anything to advice, please, please - do
> :-)
>
>
> SETUP:
> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
> Samba
> server and 1 joined windows machine and 1 account) :-)
>
> PROBLEM:
> the "--must-change-at-next-login" is the problematic part
>
> after creating user, with this attribute the user is authenticated
> OK
> during FIRST Logon BUT!! when challenged to CHANGE password (as
> expected) he/she can not change the pw as the DOMAIN stubbornly,
> repeatedly says: password is EXPIRED
>

This looks like:

https://bugzilla.samba.org/show_bug.cgi?id=13517

To confirm that, can you rebuild the RPMs to use the internal Heimdal and see if it still reproduces?

I've CC'ed Andreas who leads the effort to have Samba use the MIT KDC in case he has any more input.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Karel Lang AFD
2018-Sep-12 17:06 UTC
[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Hi Rowland,
Thanks for the information.
Yes, the Fedora Samba 4 package is built with MIT kerberos. I know it is still 'fresh' so that is what i do - run tests :-).
Actually this thing with password expiration is the only thing i found so far, otherwise, it 'behaved' surprisingly well.

Thanks again!
Karel
--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/12/2018 05:57 PM, Rowland Penny via samba wrote:
> On Wed, 12 Sep 2018 17:16:39 +0200
> Karel Lang AFD via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>> if anybody would kindly have anything to advice, please, please -
>> do :-)
>>
>>
>> SETUP:
>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
>> Samba server and 1 joined windows machine and 1 account) :-)
>>
>> PROBLEM:
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating user, with this attribute the user is authenticated OK
>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>>
>>
>> Replication of problem:
>> - install Fedora 28
>> - install Samba:
>> yum install samba samba-dc samba-krb5-printing samba-pidl samba-test
>> samba-winbind-clients samba-winbind-krb5-locator realmd sssd oddjob
>> oddjob-mkhomedir adcli
>>
>> - DNS setting, IP address setting, turn off firewalld, turn off
>> NetworkManager, tunr off SELinux
>>
>> - provision of SAmba:
>> samba-tool domain provision --use-rfc2307 --interactive
>>
>> - start samba and add group and user:
>> systemctl start samba.service
>>
>
> This would be using MIT for the KDC, is this correct ?
> If it is, then running A DC on red-hat using the OS packages (i.e. with
> MIT) is still considered experimental, there are still bits that do
> not work, as you seem to have found out.
>
> By all means use red-hat Samba packages for Unix domain members, or for
> testing a DC, just don't use them for a DC in production.
>
> Sorry ;-)
>
> Rowland
>
Karel Lang AFD
2018-Sep-12 17:18 UTC
[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
Hello Andrew,
thanks for the kind information :-)
Yes, the bug seems to be it, or at least something very similar.
I tried to 'play' with domain password policies - expiration dates and such - and i think:

1. the behaviour of expired password, where user can not change it - it is the expected behaviour on windows domain - please correct me if i am wrong?

2. i observed that the "--must-change-at-next-login" sets somewhere the same attribute (expired password), just like when the password really expired - this is (i think) not expected? there should be a different bit set for this parameter? Because if it is expired == not possible to change it, right?

But i'm no dev, so .. my 2c :-)

Anyway, i'll try to rebuild it with the H. kerberos as you suggested and see.
--
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

On 09/12/2018 06:13 PM, Andrew Bartlett via samba wrote:
> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
>> Hello,
>> if anybody would kindly have anything to advice, please, please - do
>> :-)
>>
>>
>> SETUP:
>> Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
>> Samba
>> server and 1 joined windows machine and 1 account) :-)
>>
>> PROBLEM:
>> the "--must-change-at-next-login" is the problematic part
>>
>> after creating user, with this attribute the user is authenticated
>> OK
>> during FIRST Logon BUT!! when challenged to CHANGE password (as
>> expected) he/she can not change the pw as the DOMAIN stubbornly,
>> repeatedly says: password is EXPIRED
>>
>
> This looks like:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13517
>
> To confirm that, can you rebuild the RPMs to use the internal Heimdal
> and see if it still reproduces?
>
> I've CC'ed Andreas who leads the effort to have Samba use the MIT KDC
> in case he has any more input.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
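Karel's two questions above turn on how the directory encodes the two states. As an added example (not code from the thread or from Samba), the script below classifies accounts from ldbsearch-style attribute output using the AD conventions: pwdLastSet = 0 means "must change at next logon" (what --must-change-at-next-login sets), otherwise the password is expired once pwdLastSet plus the domain's maxPwdAge (stored as a negative 100 ns interval) lies in the past, unless userAccountControl carries DONT_EXPIRE_PASSWD or maxPwdAge is the "never" sentinel. The sample entries and the 42-day maxPwdAge (Samba's provision default) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin
TICKS_PER_SEC = 10_000_000            # FILETIME unit: 100 ns intervals
UF_DONT_EXPIRE_PASSWD = 0x10000       # userAccountControl bit
NEVER_EXPIRES = -0x8000000000000000   # maxPwdAge value meaning "no expiry"
# maxPwdAge is a negative interval; 42 days is the Samba provision default.
MAX_PWD_AGE_42_DAYS = -42 * 86400 * TICKS_PER_SEC

def to_filetime(dt):
    d = dt - FILETIME_EPOCH           # integer arithmetic, no float rounding
    return (d.days * 86400 + d.seconds) * TICKS_PER_SEC + d.microseconds * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def password_state(pwd_last_set, uac, max_pwd_age, now):
    """Return 'must-change', 'never-expires', 'expired' or 'valid'."""
    if pwd_last_set == 0:             # what --must-change-at-next-login sets
        return "must-change"
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == NEVER_EXPIRES:
        return "never-expires"
    expires_at = from_filetime(pwd_last_set - max_pwd_age)  # minus a negative
    return "expired" if now >= expires_at else "valid"

def classify(ldif_text, max_pwd_age, now):
    return {e["sAMAccountName"]: password_state(int(e["pwdLastSet"]),
            int(e["userAccountControl"]), max_pwd_age, now)
            for e in parse_ldif(ldif_text)}

NOW = datetime(2018, 9, 12, 16, 30, tzinfo=timezone.utc)
# Constructed sample shaped like the attributes ldbsearch would return;
# not real directory data. 512 = NORMAL_ACCOUNT.
SAMPLE_LDIF = f"""sAMAccountName: long
pwdLastSet: 0
userAccountControl: 512

sAMAccountName: alice
pwdLastSet: {to_filetime(NOW - timedelta(days=1))}
userAccountControl: 512

sAMAccountName: bob
pwdLastSet: {to_filetime(NOW - timedelta(days=60))}
userAccountControl: 512
"""
```

Running `classify(SAMPLE_LDIF, MAX_PWD_AGE_42_DAYS, NOW)` separates the freshly created "long" (must-change) from "bob", whose password genuinely aged out, which is the distinction the KDC log lines above collapse into one "expired" message.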
Andreas Schneider
2018-Sep-17 05:57 UTC
[Samba] FEDORA 28 + SAMBA 4.8.5 --must-change-at-next-login don't work
On Wednesday, 12 September 2018 18:13:16 CEST Andrew Bartlett wrote:
> On Wed, 2018-09-12 at 17:16 +0200, Karel Lang AFD via samba wrote:
> > Hello,
> > if anybody would kindly have anything to advice, please, please - do
> >
> > :-)
> >
> > SETUP:
> > Fedora 28 + Samba 4.8.5 AD (testing environment consisting of 1
> > Samba
> > server and 1 joined windows machine and 1 account) :-)
> >
> > PROBLEM:
> > the "--must-change-at-next-login" is the problematic part
> >
> > after creating user, with this attribute the user is authenticated
> > OK
> > during FIRST Logon BUT!! when challenged to CHANGE password (as
> > expected) he/she can not change the pw as the DOMAIN stubbornly,
> > repeatedly says: password is EXPIRED

Can you please describe the exact steps for how this can be reproduced?

You create a new user and then run samba-tool with --must-change-at-next-login on that user?

Please be as precise as possible.

Thanks!
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D