Hi everybody,
I apologize if this topic has already been discussed; weeks of searching have turned up nothing.
I have a Leap 15.2 server built out with samba 4.11.14+git.202.344b137b75d, configured as a domain controller (samba-ad-dc), with MIT KRB5 1.16.3-lp152.5.13.1, nothing fancy, everything right from the Leap 15.2 repositories, no add-ons. Basic bare-bones build. The server works well with respect to joining Windows 10 20H2 workstations to it, creating and removing users, and managing passwords via the Windows admin tools. I can change user passwords from workstations by pressing CTRL+ALT+DEL and filling out the fields; all of that works well.
I am struggling with expired passwords and responding to them from the Windows 10 workstations. It keeps telling me the password has expired, offering only the OK button, which brings me back to the change password dialog. This happens with a brand new user flagged as "must change password" after creation, or with any existing user I decide to flag as "must change password" to trigger a password reset at next logon. It also occurs for regular users who do not have the "password never expires" attribute set on their user object: once their 45-day window comes due and they try to log on, the workstation loops through the cycle of password expired, OK, password dialog box.
The smb.conf looks like this:
[global]
        workgroup = WRKGRP
        passdb backend = samba_dsdb
        map to guest = Never
        dns forwarder = <IP ADDRESS>
        netbios name = TEST
        realm = TESTING.LAB
        security = AUTO
        server role = domain controller
        log level = 3 passdb:5 auth:5
[netlogon]
        path = /path/to/scripts
        read only = No
[sysvol]
        path = /var/locks/sysvol
        read only = No
Here's my krb5.conf:
[libdefaults]
        default_realm = TESTING.LAB
        dns_lookup_realm = false
        dns_lookup_kdc = true
[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
I can provide logs from Samba and Kerberos if you'd like to see them. Executing kinit from the server as the user tells me the password has expired, and allows me to change it successfully. smbclient also tells me the password has expired, but does not offer me a chance to change it; that may have been my fault, though, since I ran that test on the quick and should go back and try again with more attention to detail. After running kinit, the "change password" flag was not turned off, not that I expected it to be, but the more info the better, right?
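A check worth doing while chasing a loop like this is to compare what the workstation says with what the DC itself believes about the account. The script below is an added example (not part of the original post and not Samba's own code): it decodes the pwdLastSet FILETIME and userAccountControl from the LDIF that `samba-tool user show` prints, reads the domain's maximum password age from `samba-tool domain passwordsettings show`, and reports whether the DC considers the password must-change, never-expiring, valid or expired. The sample LDIF and settings text embedded in it are constructed (pwdLastSet corresponds to 2021-01-01 UTC, the max age mirrors the 45-day window above); the `--attributes` list passed to samba-tool is my choice; and per-user fine-grained password policies (PSOs) are deliberately ignored, so on a domain that uses them the domain-wide age is only an approximation.

```python
"""Decode the DC-side password-expiry state of a Samba AD user.

Added example, not from the original post or the Samba project. It works on the
text output of two real samba-tool commands and on constructed sample data, so
it can be run offline; pass a sAMAccountName on the command line to query a
live DC instead (requires samba-tool on the machine, i.e. run it on the DC).
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_OFFSET = 11644473600
# userAccountControl bit UF_DONT_EXPIRE_PASSWD ("Password never expires").
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample data in the shape samba-tool prints (not captured from a real DC).
SAMPLE_USER_LDIF = """dn: CN=jdoe,CN=Users,DC=testing,DC=lab
sAMAccountName: jdoe
userAccountControl: 512
pwdLastSet: 132539328000000000
"""
SAMPLE_MUST_CHANGE_LDIF = SAMPLE_USER_LDIF.replace("132539328000000000", "0")
SAMPLE_NEVER_EXPIRES_LDIF = SAMPLE_USER_LDIF.replace("userAccountControl: 512",
                                                     "userAccountControl: 66048")
SAMPLE_SETTINGS = """Password information for domain 'DC=testing,DC=lab'

Password complexity: on
Minimum password age (days): 1
Maximum password age (days): 45
"""


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime.fromtimestamp(ft // 10_000_000 - FILETIME_EPOCH_OFFSET, tz=timezone.utc)


def parse_ldif(text: str) -> dict:
    """Flatten the single-entry LDIF from `samba-tool user show` into attr -> value."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def parse_max_pwd_age_days(text: str) -> int:
    """Extract 'Maximum password age (days): N' from `samba-tool domain passwordsettings show`."""
    m = re.search(r"Maximum password age \(days\):\s*(\d+)", text)
    if not m:
        raise ValueError("maximum password age not found in passwordsettings output")
    return int(m.group(1))


def password_state(user_ldif: str, settings_text: str, now: datetime) -> dict:
    """Return the DC's view of the password: must_change / never_expires / valid / expired."""
    attrs = parse_ldif(user_ldif)
    pwd_last_set = int(attrs.get("pwdLastSet", "0"))
    uac = int(attrs.get("userAccountControl", "0"))
    max_age_days = parse_max_pwd_age_days(settings_text)

    if pwd_last_set == 0:
        # pwdLastSet = 0 is exactly what "User must change password at next logon" writes.
        return {"state": "must_change", "expires": None, "days_left": None}
    if uac & UF_DONT_EXPIRE_PASSWD:
        return {"state": "never_expires", "expires": None, "days_left": None}
    if max_age_days == 0:
        # A domain max age of 0 means passwords never expire by policy.
        return {"state": "no_max_age", "expires": None, "days_left": None}
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    days_left = (expires - now).days
    state = "expired" if now >= expires else "valid"
    return {"state": state, "expires": expires, "days_left": days_left}


def sample_state(now_iso: str) -> dict:
    """Evaluate the constructed sample user at an ISO-8601 UTC instant such as '2021-03-01T00:00:00+00:00'."""
    return password_state(SAMPLE_USER_LDIF, SAMPLE_SETTINGS, datetime.fromisoformat(now_iso))


def live_state(username: str) -> dict:
    """Query a real DC: runs samba-tool (must exist locally) and decodes its output."""
    user_ldif = subprocess.check_output(
        ["samba-tool", "user", "show", username,
         "--attributes=sAMAccountName,userAccountControl,pwdLastSet"], text=True)
    settings = subprocess.check_output(
        ["samba-tool", "domain", "passwordsettings", "show"], text=True)
    return password_state(user_ldif, settings, datetime.now(timezone.utc))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(live_state(sys.argv[1]))
    else:
        for label, ldif in (("normal", SAMPLE_USER_LDIF), ("must-change", SAMPLE_MUST_CHANGE_LDIF),
                            ("never-expires", SAMPLE_NEVER_EXPIRES_LDIF)):
            print(label, password_state(ldif, SAMPLE_SETTINGS, datetime.now(timezone.utc)))
```

If the script reports "expired" or "must_change" while the workstation refuses to complete the change, the DC's state is consistent and the problem is on the change path (the kpasswd/SAMR round trip), not in how expiry is computed; if it reports "valid", the client and the DC disagree about the policy in force.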