Red Hat Bugzilla – Bug 1306926
SAMBA AD: Appropriate message to be given by net when AD user password is expired
Last modified: 2016-06-23 01:37:18 EDT
Description of problem:
While running net ads join from the Samba server to join the Windows AD domain I
get an error that says password mismatch, and the join doesn't happen.
Actually the password had expired for the user (Administrator).
I think it should throw the appropriate message, "password is
expired", and not password mismatch.
Then I tried kinit for the domain: kinit administrator@RHSQE-2012-DC.COM
There I got the appropriate message that the password is expired and needs to be
changed; it then gives the option to change the password,
but kinit still fails for that attempt.
Once I logged in from the Windows machine itself with the new password
and then tried kinit from the server, it succeeded.
Windows Server 2012 R2
Red Hat Enterprise Linux Server release 7.2
There are a primary DC, a secondary DC and a child DC.
workgroup = RHSQE-2012-DC
realm = rhsqe-2012-dc.com
netbios name = RHS-SAMBA
server string = Samba Server Version %v
security = ADS
log file = /var/log/samba/log.%m
max log size = 50
ctdbd socket = /var/run/ctdb/ctdbd.socket
clustering = Yes
load printers = No
disable spoolss = Yes
show add printer wizard = No
stat cache = No
winbind nss info = rfc2307
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
aio read size = 4096
printing = bsd
map archive = No
map readonly = no
store dos attributes = Yes
kernel share modes = No
include = /etc/samba/ctdb.conf
After configuring and following all the steps from the admin guide for AD:
net ads join -U Administrator
Failed to join domain: failed to lookup DC info for domain 'RHSQE-2012-DC.COM' over rpc:password mismatch
After that I tried kinit: kinit administrator@RHSQE-2012-DC.COM
"password is expired, change password"
and it gives the option to change the password. The password is changed, and then kinit fails on the first attempt.
Tried logging in from the Windows server itself using the same password; it succeeded.
Doing kinit once again, it succeeded.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up AD with Samba as described in the RHGS Admin Guide
2. Try to join the Windows domain with the domain user Administrator.
3. Use the expired password to join the domain
4. See the error message
5. Do kinit to the domain to change the password, and see if kinit succeeds.
The net command gives the error "password mismatch" when actually the password has expired.
kinit gives the option to change the password but does not succeed on the first attempt.
An appropriate message, e.g. "password is expired, change password", shall be given if the password has expired for the AD user.
Is this possibly already fixed in upstream samba in commit b3931af2df293a9cb75f21cdb5555fb6725dff34 ?
Assigning to Günther.
I have filled in doc_text with some information from the commit. I would like Guenther to verify it.
Updated the doc_text with some small corrections. Otherwise it looks fine. Thanks!
I have updated the password policy to expire in 1 day. So we have to wait for the password expiry, i.e. 24 hrs, and after that I will update the bug.
Once the password expires we can verify the appropriate message.
Meanwhile I am looking at other possibilities to verify the same.
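Rather than waiting a day for the policy to expire the account, the expiry time can be computed from the attributes the DC already exposes: pwdLastSet on the user entry and maxPwdAge on the domain root, both Windows FILETIME-style 100 ns intervals, plus the DONT_EXPIRE_PASSWD bit in userAccountControl. The script below is an added example written for this page; it is not part of the bug report, of Samba, or of the RHGS documentation. It assumes the two entries were fetched with a tool such as ldapsearch and embeds constructed sample values in that shape (a 1-day maxPwdAge matching the policy described in the comment, and a pwdLastSet of 2016-02-10 00:00 UTC); the values are not from the reporter's domain.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# maxPwdAge on the domain root is a *negative* interval in the same 100 ns units;
# this sentinel (0x8000000000000000) means "passwords never expire".
NEVER_EXPIRES = -(1 << 63)
# userAccountControl flag: the password of this account never expires.
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample data in the shape of ldapsearch output (not captured from any
# real domain). maxPwdAge is -1 day (-86400 s * 10^7) to match the 1-day policy.
SAMPLE_DOMAIN_LDIF = """\
dn: DC=rhsqe-2012-dc,DC=com
maxPwdAge: -864000000000
"""
SAMPLE_USER_LDIF = """\
dn: CN=Administrator,CN=Users,DC=rhsqe-2012-dc,DC=com
pwdLastSet: 130995360000000000
userAccountControl: 512
"""


def utc(year, month, day, hour=0, minute=0):
    """Helper to build an aware UTC datetime for 'now' values."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_ldif_attrs(ldif_text):
    """Return a dict of attribute -> value for a single-entry LDIF fragment."""
    attrs = {}
    for line in ldif_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware UTC datetime (100 ns -> microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def max_pwd_age_to_timedelta(max_pwd_age):
    """Convert maxPwdAge to a positive timedelta, or None if passwords never expire."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return timedelta(microseconds=(-max_pwd_age) // 10)


def password_expiry(pwd_last_set, max_pwd_age, user_account_control):
    """Return the UTC datetime at which the password expires, or None if it never does.

    pwdLastSet == 0 means "user must change password at next logon"; it is
    reported as already expired (the FILETIME epoch) so callers treat it the
    same way as an expired password.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    age = max_pwd_age_to_timedelta(max_pwd_age)
    if age is None:
        return None
    return filetime_to_datetime(pwd_last_set) + age


def password_state(domain_ldif, user_ldif, now):
    """Classify the password as 'valid', 'expired' or 'never-expires' at `now`.

    Returns (state, expiry_datetime_or_None).
    """
    domain = parse_ldif_attrs(domain_ldif)
    user = parse_ldif_attrs(user_ldif)
    expiry = password_expiry(
        int(user["pwdLastSet"]),
        int(domain["maxPwdAge"]),
        int(user["userAccountControl"]),
    )
    if expiry is None:
        return "never-expires", None
    return ("expired" if now >= expiry else "valid"), expiry


if __name__ == "__main__":
    for when in (utc(2016, 2, 10, 12), utc(2016, 2, 11)):
        state, expiry = password_state(SAMPLE_DOMAIN_LDIF, SAMPLE_USER_LDIF, when)
        print(f"{when.isoformat()}: {state} (expires {expiry})")
```

Two caveats when using this against a real domain: a fine-grained password policy (a PSO, visible through the user's msDS-ResultantPSO) overrides the domain-wide maxPwdAge, and the DC can hand back the authoritative answer directly via the constructed attribute msDS-UserPasswordExpiryTimeComputed, so the local calculation is best treated as a pre-check before running net ads join, not as a replacement for the DC's own verdict.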
net ads join -U Administrator
Enter Administrator's password:
kerberos_kinit_password Administrator@RHSQE-2012-DC.COM failed: Password has expired
Failed to join domain: failed to connect to AD: Password has expired
Marking it as verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.