After performing migration from Heimdal to MIT Kerberos in Samba 4.7.6, can't authenticate:

kinit administrator@SAMBA.DOM
Password for administrator@SAMBA.DOM
Password expired. You must change it now.
kinit: Password has expired while getting initial credentials

Here are the logs of this action:

Jun 28 09:00:08 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator@SAMBA.DOM for krbtgt/SAMBA.DOM@SAMBA.DOM, Password has expired
Jun 28 09:00:08 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.194: NEEDED_PREAUTH: administrator@SAMBA.DOM for kadmin/changepw@SAMBA.DOM, Additional pre-authentication required
Jun 28 09:00:11 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.194: ISSUE: authtime 1530165611, etypes {rep=18 tkt=23 ses=23}, administrator@SAMBA.DOM for kadmin/changepw@SAMBA.DOM
Jun 28 09:00:18 krb5kdc[13768](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.194: CLIENT KEY EXPIRED: administrator@SAMBA.DOM for krbtgt/SAMBA.DOM@SAMBA.DOM, Password has expired
Andreas, can you look into this please?

Andrew Bartlett
Can you please provide logs with 'log level 10' set in smb.conf?
(In reply to Andreas Schneider from comment #2) You'll find them here: https://ns358454.ovh.net/mit_kdc-log.samba.log
It doesn't show anything interesting. I wonder if there is some on-disk cache from Heimdal around which MIT Kerberos picked up. Did you check the administrator account to see whether the password expiry flag is set in LDAP?
(In reply to Andreas Schneider from comment #4) Hi, how would you check this password expiry flag?

#ldbsearch -H /var/lib/samba/private/sam.ldb cn=administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20130405142036.0Z
uSNCreated: 3545
name: Administrator
objectGUID: 28dce644-577c-41e3-93ce-b83bffa17f35
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
objectSid: ..................-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,
memberOf: CN=Group Policy Creator Owners,CN=Users,
memberOf: CN=Enterprise Admins,CN=Users,
memberOf: CN=Schema Admins,CN=Users,
memberOf: CN=Domain Users,CN=Users,
primaryGroupID: 512
lastLogonTimestamp: 131800061181754450
lastLogon: 131800066398855230
logonCount: 127710
pwdLastSet: 131800066490057080
whenChanged: 20180829085729.0Z
uSNChanged: 402540
distinguishedName: CN=Administrator,CN=Users,
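The question above is how to read password-expiry state out of an ldbsearch dump. The following is an added example, not code from the bug report or from Samba: it parses the "attribute: value" lines ldbsearch prints and applies the standard Active Directory rules that a KDC uses, namely pwdLastSet as a Windows FILETIME (100 ns intervals since 1601-01-01 UTC), the DONT_EXPIRE_PASSWD bit (0x10000) in userAccountControl, which is the bit that `samba-tool user setexpiry --noexpiry` and `pdbedit -c "[X]"` set, and the domain's maxPwdAge stored as a negative 100 ns count. The sample entry is constructed from the administrator record quoted above (the DN components are placeholders); the 42-day maxPwdAge is an assumed policy value, not one the report states.

```python
"""Judge whether a Samba AD account's password should count as expired.

Added example (not from the bug report or from Samba).  Attribute names and
flag values are the standard Active Directory ones; the sample record is
constructed from the administrator entry in the report and the 42-day
maxPwdAge is an assumed domain policy value.
"""
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit set by 'setexpiry --noexpiry'
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000

# Constructed sample: the relevant attributes of the administrator entry,
# with placeholder DN components where the report elides them.
SAMPLE_ENTRY = """\
sAMAccountName: Administrator
userAccountControl: 512
pwdLastSet: 131800066490057080
memberOf: CN=Administrators,CN=Builtin,DC=placeholder
memberOf: CN=Domain Users,CN=Users,DC=placeholder
"""

# Assumed domain policy: maxPwdAge of 42 days, stored negative in 100 ns units.
ASSUMED_MAX_PWD_AGE = -42 * 24 * 3600 * HUNDRED_NS_PER_SECOND


def parse_ldb_entry(text):
    """Parse ldbsearch output into {attribute: [values]}; attributes may repeat."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # skip blanks and ldbsearch comment lines
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(seconds=int(filetime) / HUNDRED_NS_PER_SECOND)


def max_pwd_age_to_timedelta(max_pwd_age):
    """maxPwdAge is stored as a negative 100 ns count; 0 means passwords never age."""
    return timedelta(seconds=-int(max_pwd_age) / HUNDRED_NS_PER_SECOND)


def password_status(entry, max_pwd_age, now):
    """Return (expired, reason, expires_at) following the AD rules a KDC applies.

    'now' may be a timezone-aware datetime or an ISO 8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    uac = int(entry["userAccountControl"][0])
    pwd_last_set = int(entry.get("pwdLastSet", ["0"])[0])
    if pwd_last_set == 0:
        return True, "pwdLastSet is 0: user must change password at next logon", None
    if uac & UF_DONT_EXPIRE_PASSWD:
        return False, "DONT_EXPIRE_PASSWD set in userAccountControl", None
    if int(max_pwd_age) == 0:
        return False, "domain maxPwdAge is 0 (passwords never expire)", None
    expires_at = filetime_to_datetime(pwd_last_set) + max_pwd_age_to_timedelta(max_pwd_age)
    if now >= expires_at:
        return True, f"password aged past maxPwdAge at {expires_at.isoformat()}", expires_at
    return False, f"password valid until {expires_at.isoformat()}", expires_at


if __name__ == "__main__":
    entry = parse_ldb_entry(SAMPLE_ENTRY)
    print("pwdLastSet =", filetime_to_datetime(entry["pwdLastSet"][0]).isoformat())
    for when in ("2018-09-01T00:00:00+00:00", "2018-12-01T00:00:00+00:00"):
        expired, reason, _ = password_status(entry, ASSUMED_MAX_PWD_AGE, when)
        print(f"{when[:10]}: expired={expired} ({reason})")
    # The same account after 'samba-tool user setexpiry administrator --noexpiry':
    entry["userAccountControl"] = [str(512 | UF_DONT_EXPIRE_PASSWD)]
    print("after --noexpiry:", password_status(entry, ASSUMED_MAX_PWD_AGE, when)[1])
```

For the quoted record, pwdLastSet decodes to 2018-08-29 08:57:29 UTC, which agrees with the whenChanged value in the same dump; with userAccountControl 512 the DONT_EXPIRE_PASSWD bit is clear, so expiry is governed purely by pwdLastSet plus the domain's maxPwdAge, which is the path worth comparing against what the migrated KDC reports.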
Looks like this can be reproduced with '--must-change-at-next-login'.
Hello, I've finally found some time to make some tests. It's with the openSUSE Leap 15 packages: version 4.7.10-git.124.8d97fe90926lp150.3.9.1-SUSE-oS15.0-x86_64

My admin account looks like this:

#pdbedit -u administrator -v:
Account Flags: [U ]
Password must change: never

After migrating to MIT Kerberos, administrator won't authenticate till I set explicitly "no expiry":

#pdbedit -u administrator -c [X]

or

samba-tool user setexpiry administrator --noexpiry

Then:

#pdbedit -u administrator -v:
Password must change: mar., 19 janv. 2038 06:14:07 +03

and kinit administrator works. But here's what I get when I create a new user:

#samba-tool user create newuser password
#pdbedit -u newuser -v:
Password last set: mar., 27 nov. 2018 09:57:50 +03
Password can change: mar., 27 nov. 2018 09:57:50 +03
Password must change: never

And this new user won't authenticate till I

#samba-tool user setexpiry newuser --noexpiry
Hi, I noticed this resembles one of the bugs we solved in bug 13571 related to password expiry, which is already in master, so it may be worth checking.
This should be in Samba 4.10.0rc1, which has just been released!
Most likely fixed in 4.10.0 and higher.