Description of problem:
*****************************************
While running net ads join from the samba server to join a Windows AD domain I get an error where it says password mismatch and the join doesn't happen. Actually the password was expired for the user (Administrator). I think it should throw the appropriate message that "password is expired" and not password mismatch.

Then I tried kinit for the domain: kinit administrator. There I got the appropriate message that the password is expired and needs to be changed, then it gives the option to change the password but kinit still fails for that attempt. Once I tried to log in from the Windows machine itself with the new password that was changed and then tried kinit from the server, it succeeded.

Configuration Details:
Windows Server 2012 R2
samba-4.2.4-12.el7rhgs.x86_64
Red Hat Enterprise Linux Server release 7.2
There are a primary DC, a secondary DC and a child DC.

smb.conf:
[global]
        workgroup = RHSQE-2012-DC
        realm = rhsqe-2012-dc.com
        netbios name = RHS-SAMBA
        server string = Samba Server Version %v
        security = ADS
        log file = /var/log/samba/log.%m
        max log size = 50
        ctdbd socket = /var/run/ctdb/ctdbd.socket
        clustering = Yes
        load printers = No
        disable spoolss = Yes
        show add printer wizard = No
        stat cache = No
        winbind nss info = rfc2307
        idmap config * : range = 1000000-1999999
        idmap config * : backend = tdb
        aio read size = 4096
        printing = bsd
        map archive = No
        map readonly = no
        store dos attributes = Yes
        kernel share modes = No
        include = /etc/samba/ctdb.conf

After configuring and following all the steps from the admin guide for AD:

net ads join -U Administrator
Failed to join domain: failed to lookup DC info for domain 'RHSQE-2012-DC.COM' over rpc:password mismatch

After that I tried kinit:

kinit administrator
"password is expired ,change password"

and it gives the option to change the password. The password is changed and then kinit failed for the first attempt. Tried logging in from the Windows server itself using the same password; it succeeded. And once again doing kinit, it succeeded.

Version-Release number of selected component (if applicable):

How reproducible:
Tried once.

Steps to Reproduce:
1. Setup AD with samba as mentioned in the RHGS Admin guide
2. Try to join the Windows domain with the domain user Administrator.
3. Use the expired password to join the domain
4. See the error message
5. Do kinit to the domain to change the password, and see if kinit succeeds.

Actual results:
The net command gives the error as password mismatch, when actually the password was expired. kinit gives the option to change the password but does not succeed in the first attempt.

Expected results:
An appropriate message, e.g. "password is expired, change password", shall be given if the password is expired for the AD user.

Additional info:
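A pre-check an admin can run before net ads join under the 1-day expiry policy described in this report, as an added example that is not part of the bug report or of Samba: it takes the account's pwdLastSet and userAccountControl and the domain's maxPwdAge (constructed values here; in practice read with ldapsearch) and computes whether the password is already expired, so the misleading "password mismatch" is never reached.

```python
# Added example (not Samba code): decide whether an AD account's password has
# already expired from attributes readable over LDAP, before running net ads join.
# Assumed inputs: the account's pwdLastSet and userAccountControl and the domain's
# maxPwdAge; the values in main() are constructed, not taken from a real domain.
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores times as FILETIME: 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer such as pwdLastSet to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10

def max_pwd_age(attr: int) -> Optional[timedelta]:
    """maxPwdAge is a negative 100 ns interval; 0 or INT64_MIN means never expire."""
    if attr == 0 or attr == -0x8000000000000000:
        return None
    return timedelta(microseconds=(-attr) // 10)

def password_state(pwd_last_set: int, user_account_control: int,
                   max_pwd_age_attr: int, now: datetime) -> str:
    """Return 'must_change', 'never_expires', 'expired' or 'valid'."""
    if pwd_last_set == 0:
        return "must_change"  # admin forced a change at next logon
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never_expires"
    age = max_pwd_age(max_pwd_age_attr)
    if age is None:
        return "never_expires"
    expires_at = filetime_to_datetime(pwd_last_set) + age
    return "expired" if now >= expires_at else "valid"

if __name__ == "__main__":
    # Constructed: 1-day maxPwdAge (as in the report), password last set two days ago.
    one_day = -864_000_000_000
    last_set = datetime_to_filetime(datetime(2016, 1, 10, tzinfo=timezone.utc))
    now = datetime(2016, 1, 12, tzinfo=timezone.utc)
    print(password_state(last_set, 0x200, one_day, now))  # expired
```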
Is this possibly already fixed in upstream samba in commit b3931af2df293a9cb75f21cdb5555fb6725dff34 ? Assigning to Günther.
I have filled in doc_text with some information from commit. Would like Guenther to verify the same.
Updated the doc_text with some little corrections. Otherwise looks fine. Thanks!
I have updated the password policy to expire in 1 day. So we have to wait for the password expiry, i.e. 24 hrs, and after that I will update the bug. Once the password expires we can verify the appropriate message. Meanwhile I am looking at other possibilities to verify the same.
net ads join -U Administrator
Enter Administrator's password:
kerberos_kinit_password Administrator failed: Password has expired
Failed to join domain: failed to connect to AD: Password has expired

Marking it as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1248