samba - May 2019 - Samba4 changing a user's password from linux workstation

I've gotten pretty unhappy with "realmd" and "sssd".
They try to hide
>> a lot of steps away from the user, but the internal interactions are a
>> bit of a "mousetrap" game. When it works, you get the mouse.
But if
>> any of the many steps are even slightly worn, it becomes erratic or
>> fails.
>>
>
>
>
Update: In fact i succeeded in reseting user password from a linux 
workstation with kpasswd through pam_sssd.
At the beginning I thought we were prompted directly for new password, 
but we had to first type in the old one before choosing a new one.

On 14/05/2019 12:58, Julien TEHERY via samba wrote:
> I've gotten pretty unhappy with "realmd" and
"sssd". They try to hide
>>> a lot of steps away from the user, but the internal interactions
are a
>>> bit of a "mousetrap" game. When it works, you get the
mouse. But if
>>> any of the many steps are even slightly worn, it becomes erratic or
>>> fails.
>>>
>>
>>
>>
> Update: In fact i succeeded in reseting user password from a linux 
> workstation with kpasswd through pam_sssd.
> At the beginning I thought we were prompted directly for new password, 
> but we had to first type in the old one before choosing a new one.
>
kpasswd has nothing to do with sssd, it prompts for the old password, 
then the new password (twice), it then changes the users password.

smbpasswd works in the same way (and it works with AD)

I cannot understand why anybody uses sssd, it is a program that requires 
separate configuration and does very little that winbind (only one 
config file) doesn't. Just what does sssd give you, what do you need it 
for ?

Rowland

Hello Rowland,

We’ve been using SSSD with Acitve Directory for a few years now…  It’s been
solid for us.

Our Linux clients use the AD-Kerberos via SSSD for secure NFS4 mounts with POSIX
attributes defined in AD (uidNumber, gidNumber, unixHomeDirectory, loginShell).

Before putting into production, I tested using Winbind and could not get it to
do what I wanted.   If I remember correctly, I had problems with groups.   I
didn’t want DOMAIN\groupname…  just groupname to show.   I don’t remember why
this was causing me problems… just that this was the main reason.

At the time, I found that the documentation for integrating AD with Linux was
best documented… in particular at RedHat:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/summary-direct
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/summary-direct>

They give further reasons for choosing SSSD over Winbind in that document.

Cheers, Luc.
> On May 14, 2019, at 8:13 AM, Rowland penny via samba <samba at
lists.samba.org> wrote:
> 
> On 14/05/2019 12:58, Julien TEHERY via samba wrote:
>> I've gotten pretty unhappy with "realmd" and
"sssd". They try to hide
>>>> a lot of steps away from the user, but the internal
interactions are a
>>>> bit of a "mousetrap" game. When it works, you get the
mouse. But if
>>>> any of the many steps are even slightly worn, it becomes
erratic or
>>>> fails.
>>>> 
>>> 
>>> 
>>> 
>> Update: In fact i succeeded in reseting user password from a linux
workstation with kpasswd through pam_sssd.
>> At the beginning I thought we were prompted directly for new password,
but we had to first type in the old one before choosing a new one.
>> 
> kpasswd has nothing to do with sssd, it prompts for the old password, then
the new password (twice), it then changes the users password.
> 
> smbpasswd works in the same way (and it works with AD)
> 
> I cannot understand why anybody uses sssd, it is a program that requires
separate configuration and does very little that winbind (only one config file)
doesn't. Just what does sssd give you, what do you need it for ?
> 
> Rowland
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190514/3cdeffb3/signature.sig>