Hi,
I am trying to implement *password must change at next logon* on a CentOS 6.5 client using sssd 1.11.6, where Samba 4.1.10 is my backend server.
Here is the list of things which I have done:
1. I have set up the CentOS client to do the Domain login using the sssd service. I am able to log in to the CentOS client using a Domain user's credentials from the display manager and from SSH also, no problem at all.
2. The next thing which I want to implement is the password-must-change feature on the Samba 4.1.10 server. To do that, I have been using a Windows 7 Ultimate machine which is already in the Domain, and I am using the RSAT tools for users and groups, where I have an option to check "password must change at next logon" for a particular user. After doing that, the Windows machine honours this, tells the user to change the password, and allows the user to log in after changing the password.
3. As far as the CentOS client is concerned, it is not honouring the password-must-change flag and allows the user to log in via sssd with the current password without asking for a password change.
Here is the configuration file of the sssd service:

[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE
sbus_timeout = 30

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/EXAMPLE]
entry_cache_timeout = 600
entry_cache_group_timeout = 600
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_uri = ldap://smbad.intra.example.com:390/
ldap_search_base = dc=intra,dc=example,dc=com
cache_credentials = true
krb5_server = smbad.intra.example.com:8880
krb5_realm = INTRA.EXAMPLE.COM
ldap_default_bind_dn = cn=admin,dc=intra,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = 6pNEn7Eo3zmz9MxciGLx
4. I have also tried to achieve the above using the command line tool "pdbedit", but without any luck. Here is the link which I have followed: < http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbed...
Please share your thoughts to help me move forward and solve this problem.
Thanks very much and regards, Ashishkumar S. Yadav
On Wed, Jan 07, 2015 at 03:48:16PM +0530, Ashish Yadav wrote:
What happens if you call
kinit sambauser@INTRA.EXAMPLE.COM
on the Linux command line? Are you asked for a new password here? If not, Samba might not return the right error code to indicate that the password is expired. In this case it would be nice if you could send the output of
KRB5_TRACE=/dev/stdout kinit sambauser@INTRA.EXAMPLE.COM
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi,
What happens if you call
kinit sambauser@INTRA.EXAMPLE.COM
It asks for a password, the current password works for getting a Kerberos ticket, and it does not ask me to reset the password.
on the Linux command line. Are you asked for a new password here? If not Samba might not return the right error code to indicate that the password is expired.
I posted this query on the samba mailing list also, but they told me that if the Windows 7 client is working fine then Samba is working fine.
In this case it would be nice if you can send the output of
KRB5_TRACE=/dev/stdout kinit sambauser@INTRA.EXAMPLE.COM
Here is the output of the above command:

# KRB5_TRACE=/dev/stdout kinit test
[2507] 1420693228.971649: Getting initial credentials for test@INTRA.EXAMPLE.COM
[2507] 1420693228.974468: Sending request (210 bytes) to INTRA.EXAMPLE.COM
[2507] 1420693228.976230: Sending initial UDP request to dgram 172.16.0.170:8880
[2507] 1420693228.981059: Received answer from dgram 172.16.0.170:8880
[2507] 1420693228.981167: Response was not from master KDC
[2507] 1420693228.981252: Received error from KDC: -1765328359/Additional pre-authentication required
[2507] 1420693228.981413: Processing preauth types: 16, 15, 2, 138, 136, 11, 19
[2507] 1420693228.981477: Selected etype info: etype rc4-hmac, salt "INTRA.EXAMPLE.COMtest", params ""
[2507] 1420693228.981532: Selected etype info: etype rc4-hmac, salt "INTRA.EXAMPLE.COMtest", params ""
Password for test@INTRA.EXAMPLE.COM:
[2507] 1420693231.111979: AS key obtained for encrypted timestamp: rc4-hmac/3CC1
[2507] 1420693231.112235: Encrypted timestamp (for 1420693231.112064): plain 301AA011180F32303135303130383035303033315AA105020301B5C0, encrypted F92A0E3BEF336E51C24C4CB9E8EB1ACE49ECA2BE32C9ABD207062898FD593268EEA31CF0185BE2B2B05F3A4A47328E9B1149AFA0
[2507] 1420693231.112272: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2507] 1420693231.112292: Produced preauth for next request: 2
[2507] 1420693231.112341: Sending request (286 bytes) to INTRA.EXAMPLE.COM
[2507] 1420693231.112611: Sending initial UDP request to dgram 172.16.0.170:8880
[2507] 1420693231.116296: Received answer from dgram 172.16.0.170:8880
[2507] 1420693231.116448: Response was not from master KDC
[2507] 1420693231.116573: Processing preauth types: 3
[2507] 1420693231.116586: Received salt "��" via padata type 3
[2507] 1420693231.116597: Produced preauth for next request: (empty)
[2507] 1420693231.116616: AS key determined by preauth: rc4-hmac/3CC1
[2507] 1420693231.116694: Decrypted AS reply; session key is: rc4-hmac/4D55
[2507] 1420693231.116724: FAST negotiation: available
[2507] 1420693231.116729: Initializing FILE:/tmp/krb5cc_0 with default princ test@INTRA.EXAMPLE.COM
[2507] 1420693231.117523: Removing test@INTRA.EXAMPLE.COM -> krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM from FILE:/tmp/krb5cc_0
[2507] 1420693231.117542: Storing test@INTRA.EXAMPLE.COM -> krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM in FILE:/tmp/krb5cc_0
[2507] 1420693231.117710: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM: fast_avail: yes
[2507] 1420693231.117903: Removing test@INTRA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM@X-CACHECONF: from FILE:/tmp/krb5cc_0
[2507] 1420693231.117920: Storing test@INTRA.EXAMPLE.COM -> krb5_ccache_conf_data/fast_avail/krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM@X-CACHECONF: in FILE:/tmp/krb5cc_0

-- Regards, Ashishkumar S. Yadav
On 08/01/15 05:09, Ashish Yadav wrote:
Hi,
What happens if you call kinit sambauser@INTRA.EXAMPLE.COM on the Linux command line. Are you asked for a new password here? If not Samba might not return the right error code to indicate that the password is expired.
It asks for a password, the current password works for getting a Kerberos ticket, and it does not ask me to reset the password.
I posted this query on the samba mailing list also, but they told me that if the Windows 7 client is working fine then Samba is working fine.
No, you weren't. You were told that you might have a better chance of getting it fixed on the sssd list because it worked from a Windows client, so this meant it was *probably* an sssd problem. It may in the end turn out to be a Samba problem, but sssd needs ruling out first, and as I pointed out to you on the samba list, sssd is not part of Samba.
Rowland
On Thu, Jan 08, 2015 at 10:39:36AM +0530, Ashish Yadav wrote:
Thank you for the output. When I run kinit against a Windows DC I get
[10020] 1420716572.35107: Received error from KDC: -1765328361/Password has expired
which lets the client know that the password is expired and must be renewed, which kinit and SSSD do correctly when talking to a Windows server. Since Windows clients do not use only plain Kerberos for authentication, they might get the information that the password must be renewed by other means.
I will talk to the Samba developers to see if Samba can be changed to behave like a Windows DC here and will let you know the result.
bye, Sumit
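As an added illustration (not code from this thread, sssd or Samba): a small Python script that reads KRB5_TRACE output of the kind posted above and reports which KDC errors occurred and whether the KDC signalled an expired key. This is the distinction Sumit's reply turns on: a client such as kinit or SSSD can only prompt for a password change if the AS exchange ends with KRB5KDC_ERR_KEY_EXP; a KDC that issues a TGT without it has given the client nothing to act on. The error-code table assumes MIT krb5's com_err base (-1765328384) plus the RFC 4120 KDC error numbers. The Samba-style sample is abridged from Ashish's trace; the Windows-style sample is constructed around the single "Password has expired" line Sumit quoted, with invented timestamps.

```python
"""Check kinit KRB5_TRACE output for the KDC's 'password expired' signal.

Added example, not code from the thread, sssd or Samba.
"""
import re

# One KRB5_TRACE line: "[pid] seconds.micros: message"
TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<msg>.*)$")
KDC_ERROR = re.compile(r"Received error from KDC:\s+(?P<code>-?\d+)/(?P<text>.*)$")
TGT_STORED = re.compile(r"Storing \S+ -> krbtgt/")

# MIT krb5 prints KDC errors as com_err codes: ERROR_TABLE_BASE_krb5 plus the
# RFC 4120 error number. Only the codes relevant to logon diagnosis are listed.
KRB5_ERROR_TABLE_BASE = -1765328384
RFC4120_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",   # no such user
    18: "KRB5KDC_ERR_CLIENT_REVOKED",       # account disabled or locked
    23: "KRB5KDC_ERR_KEY_EXP",              # password expired / must change
    24: "KRB5KDC_ERR_PREAUTH_FAILED",       # wrong password
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",     # normal first round trip
}


def krb5_error_name(code):
    """Map a com_err code from the trace to its MIT krb5 symbolic name."""
    return RFC4120_ERRORS.get(code - KRB5_ERROR_TABLE_BASE, "UNKNOWN(%d)" % code)


def parse_kdc_errors(trace):
    """Return [(code, text), ...] for every 'Received error from KDC' line."""
    errors = []
    for line in trace.splitlines():
        m = TRACE_LINE.match(line.strip())
        if not m:
            continue  # prompts such as "Password for ...:" are not trace lines
        e = KDC_ERROR.search(m.group("msg"))
        if e:
            errors.append((int(e.group("code")), e.group("text").strip()))
    return errors


def summarize(trace):
    """Classify a kinit trace from the client's point of view."""
    names = [krb5_error_name(code) for code, _ in parse_kdc_errors(trace)]
    tgt_obtained = any(TGT_STORED.search(line) for line in trace.splitlines())
    expired = "KRB5KDC_ERR_KEY_EXP" in names
    if expired:
        verdict = "KDC signalled an expired key; the client must change the password"
    elif tgt_obtained:
        verdict = "TGT issued without KRB5KDC_ERR_KEY_EXP; the KDC did not signal must-change"
    else:
        verdict = "no TGT and no expiry error; inspect the other KDC errors"
    return {"kdc_errors": names, "password_expired": expired,
            "tgt_obtained": tgt_obtained, "verdict": verdict}


# Abridged from the Samba 4.1.10 trace posted in this thread.
SAMBA_TRACE = """\
[2507] 1420693228.971649: Getting initial credentials for test@INTRA.EXAMPLE.COM
[2507] 1420693228.981252: Received error from KDC: -1765328359/Additional pre-authentication required
Password for test@INTRA.EXAMPLE.COM:
[2507] 1420693231.112272: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[2507] 1420693231.116694: Decrypted AS reply; session key is: rc4-hmac/4D55
[2507] 1420693231.117542: Storing test@INTRA.EXAMPLE.COM -> krbtgt/INTRA.EXAMPLE.COM@INTRA.EXAMPLE.COM in FILE:/tmp/krb5cc_0
"""

# Constructed sample: the single "Password has expired" line Sumit quoted,
# placed where a Windows DC returns it (after the encrypted-timestamp preauth);
# the other timestamps are invented.
WINDOWS_TRACE = """\
[10020] 1420716572.10001: Getting initial credentials for test@INTRA.EXAMPLE.COM
[10020] 1420716572.20002: Received error from KDC: -1765328359/Additional pre-authentication required
Password for test@INTRA.EXAMPLE.COM:
[10020] 1420716572.35107: Received error from KDC: -1765328361/Password has expired
"""

if __name__ == "__main__":
    for label, trace in (("samba", SAMBA_TRACE), ("windows", WINDOWS_TRACE)):
        print(label, summarize(trace))
```

Run against a captured trace (`KRB5_TRACE=/tmp/kinit.log kinit user@REALM`, then feed the file to `summarize`), the verdict tells you whether the failure to prompt is the client ignoring a signal or the KDC never sending one; in the thread's case the Samba trace issues a TGT with only KRB5KDC_ERR_PREAUTH_REQUIRED, which points at the KDC side.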