samba - May 2019 - Samba4 changing a user's password from linux workstation

On Tue, May 14, 2019 at 3:42 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 14/05/2019 08:30, Julien TEHERY via samba wrote:
> > Yep I allready tried it, it ends with "kpasswd preauthentication
> > failed getting initial ticket"
What does "klist" say? And can you run "kinit" to ensure you
have a
valid ticket? One of my favorite failures is when the time settings
between the local host, and the Samba or AD server, have drifted from
each other. There are a lot of very awkward and inconsistent NTP or
chronyd settings out there, exacerbated when people point NTP to only
one server and that server is inaccessible to one or more hosts.
> > I must precise we use pam_sssd against Samba4/AD to authenticate.
> > Here is my /etc/sssd/sssd.conf:
>
>
> Hmm, I wonder if sssd is getting in the way ? No idea, we do not produce
> sssd, can I suggest asking on the sssd-users mailing list.
>
> Rowland
I've gotten pretty unhappy with "realmd" and "sssd".
They try to hide
a lot of steps away from the user, but the internal interactions are a
bit of a "mousetrap" game. When it works, you get the mouse. But if
any of the many steps are even slightly worn, it becomes erratic or
fails.

Le 14/05/2019 à 10:19, Nico Kadel-Garcia via samba a
écrit :
> On Tue, May 14, 2019 at 3:42 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> On 14/05/2019 08:30, Julien TEHERY via samba wrote:
>>> Yep I allready tried it, it ends with "kpasswd
preauthentication
>>> failed getting initial ticket"
> What does "klist" say? And can you run "kinit" to
ensure you have a
> valid ticket? One of my favorite failures is when the time settings
> between the local host, and the Samba or AD server, have drifted from
> each other. There are a lot of very awkward and inconsistent NTP or
> chronyd settings out there, exacerbated when people point NTP to only
> one server and that server is inaccessible to one or more hosts.
>
Allready logged via graphical UI, I had nothing in klist
Running terminal as root, i did:

kinit myuser

and obtained a valid ticket.

About the date time, all is correctly set up. Workstations and AD have 
exactly same date/time
>>> I must precise we use pam_sssd against Samba4/AD to authenticate.
>>> Here is my /etc/sssd/sssd.conf:
>>
>> Hmm, I wonder if sssd is getting in the way ? No idea, we do not
produce
>> sssd, can I suggest asking on the sssd-users mailing list.
>>
>> Rowland
> I've gotten pretty unhappy with "realmd" and
"sssd". They try to hide
> a lot of steps away from the user, but the internal interactions are a
> bit of a "mousetrap" game. When it works, you get the mouse. But
if
> any of the many steps are even slightly worn, it becomes erratic or
> fails.
>

I've gotten pretty unhappy with "realmd" and "sssd".
They try to hide
>> a lot of steps away from the user, but the internal interactions are a
>> bit of a "mousetrap" game. When it works, you get the mouse.
But if
>> any of the many steps are even slightly worn, it becomes erratic or
>> fails.
>>
>
>
>
Update: In fact i succeeded in reseting user password from a linux 
workstation with kpasswd through pam_sssd.
At the beginning I thought we were prompted directly for new password, 
but we had to first type in the old one before choosing a new one.