Rowland Penny
2021-Jun-06 10:52 UTC
[Samba] Winbind - Login succeeds while password is expired (set with --must-change-at-next-login)
On 06/06/2021 11:20, Kees van Vloten wrote:
>
> The problem is not on the DC, users do not login there.
> There are some member-servers that do need domain-user logins, e.g.
> over ssh.
>
> I have already found out that sssd is not good to maintain the
> computer-account password, does not support ntlm and I really want the
> same tool for id-mapping everywhere. Since that is winbind on the DC
> and on the SMB-fileserver, the idea is to use it on other member
> servers for NSS as well.
>
> However due to https://bugzilla.samba.org/show_bug.cgi?id=14622
> pam-winbind is not the right tool for user logins. I tried pam-sss
> instead with good results.
>
> That's the background.
> - Would pam-sss + winbind for NSS work on a member-server?

Probably, possibly, but you only get authentication, so you might just as well use sssd by itself. If you want shares, then you really need the full Samba stack.

> - Does the combination nslcd, pam, ldap provide the users with a
> kerberos ticket?

It has been some time since I used nslcd, but I believe so.

Of course it would be so much better if that bug was fixed, it is (in my opinion) a security bug, disabled users or users with expired passwords should not be able to login by any method.

Rowland
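The check Rowland says every login path should enforce, written out as an added example (this is not code from the list thread or from the Samba project): given the AD attributes that winbind and sssd read for a user (userAccountControl, pwdLastSet, accountExpires, plus maxPwdAge from the domain object), decide whether the account is disabled, expired, flagged "must change password at next logon" (pwdLastSet == 0, which is what --must-change-at-next-login sets), or holding a password older than the domain's maximum age. The user entries, the clock value and the user names are constructed for the example; the attribute semantics are the documented AD ones.

```python
"""Added example (not from the Samba list thread or the Samba project).

Decide, from the AD attributes a login stack reads for a user, whether any
login path (PAM, SMB, Kerberos) should refuse the account.  Sample entries
below are constructed; attribute semantics are the documented AD ones.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented AD values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# accountExpires values that mean "never expires"
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def max_pwd_age_from_domain(max_pwd_age):
    """maxPwdAge on the domain object is a *negative* count of 100 ns ticks
    (e.g. -36288000000000 for 42 days); 0 means passwords never expire."""
    max_pwd_age = int(max_pwd_age)
    if max_pwd_age == 0:
        return None
    return timedelta(microseconds=(-max_pwd_age) // 10)


def login_blockers(entry, max_pwd_age, now):
    """Return the list of reasons why this account must not log in (empty
    list means the account is in a loginable state)."""
    reasons = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")

    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("account expired")

    pwd_last_set = int(entry.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        # set by --must-change-at-next-login; the user may only change the
        # password, never complete an ordinary login with the old one
        reasons.append("must change password at next logon")
    elif max_pwd_age is not None and not (uac & UF_DONT_EXPIRE_PASSWD):
        if filetime_to_datetime(pwd_last_set) + max_pwd_age <= now:
            reasons.append("password expired")
    return reasons


# Constructed sample data: a fixed clock and five hypothetical users.
NOW = datetime(2021, 6, 6, 12, 0, tzinfo=timezone.utc)
DOMAIN_MAX_PWD_AGE = max_pwd_age_from_domain(-36288000000000)  # 42 days

SAMPLE_USERS = {
    # ordinary enabled user, password 10 days old
    "alice": {"userAccountControl": 512,
              "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
              "accountExpires": 0},
    # created/reset with --must-change-at-next-login -> pwdLastSet == 0
    "bob": {"userAccountControl": 512, "pwdLastSet": 0,
            "accountExpires": 0x7FFFFFFFFFFFFFFF},
    # disabled account (512 | UF_ACCOUNTDISABLE)
    "carol": {"userAccountControl": 514,
              "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=1)),
              "accountExpires": 0},
    # password older than maxPwdAge
    "dave": {"userAccountControl": 512,
             "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=50)),
             "accountExpires": 0},
    # password never expires, but the account itself expired yesterday
    "erin": {"userAccountControl": 512 | UF_DONT_EXPIRE_PASSWD,
             "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)),
             "accountExpires": datetime_to_filetime(NOW - timedelta(days=1))},
}


def audit(users=SAMPLE_USERS, max_pwd_age=DOMAIN_MAX_PWD_AGE, now=NOW):
    """Map each user name to its login blockers."""
    return {name: login_blockers(e, max_pwd_age, now) for name, e in users.items()}


if __name__ == "__main__":
    for name, reasons in audit().items():
        print(f"{name}: {'OK' if not reasons else ', '.join(reasons)}")
```

In practice the entries would come from the DC (for instance an ldbsearch of userAccountControl, pwdLastSet and accountExpires for the user, and maxPwdAge from the domain root), and an empty list for a user whose login just succeeded is the expected result; a non-empty list for such a user is exactly the condition the bug report describes.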