Active Directory users unable to change expired password on logon
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gdm3 (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
I have Ubuntu 20.04 domain joined in a test-lab environment. The problem is that even if a user is set to change their password upon logon via Windows Active Directory, the user is never prompted to do so. I have tried multiple domain join methods with the same result, including the official Ubuntu "Integration of Ubuntu Desktop with Microsoft Active Directory" white paper
https:/
Using this SSSD and Realmd AD joined method the user is denied logon and receives a "Sorry, that didn't work. Please try again" message.
When using a Winbind and Samba joined AD system the user receives an "expired password" warning but is allowed to logon to the system without being forced to change the password.
Below are the WinBind steps with comments on each step:
```bash
#!/bin/bash
# Stop at the first failing command (replaces the trailing && chaining between steps)
set -euo pipefail

# hostname rename
echo "Please enter new hostname"
read -r hostrename
sudo hostnamectl set-hostname "$hostrename"
sudo rm -f /etc/hosts
# "sudo cat > file" opens the file as the invoking user, not root; tee runs under sudo
sudo tee /etc/hosts > /dev/null << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF

# install needed packages
sudo apt-get install bind9-dnsutils
sudo apt-get install ntpdate
sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

# remove and create krb5.conf with specific variables
# default_realm lets "kinit administrator" resolve the realm; the [realms] block
# must name the realm and open its brace before the kdc line
sudo rm -f /etc/krb5.conf
sudo tee /etc/krb5.conf > /dev/null << EOF
[libdefaults]
    default_realm = TESTDOMAIN.INC
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
    TESTDOMAIN.INC = {
        kdc = DC01.TESTDOMAIN.INC
    }
[domain_realm]
    .testdomain.inc = TESTDOMAIN.INC
    testdomain.inc = TESTDOMAIN.INC
EOF

# remove and create samba files with specific variables
sudo rm -f /etc/samba/smb.conf
sudo tee /etc/samba/smb.conf > /dev/null << EOF
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.INC
security = ADS
dns forwarder = 10.0.0.218
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
EOF

# restart services
sudo systemctl restart winbind smbd nmbd

# home directory enablement (pam-auth-update edits /etc/pam.d, so it needs root)
sudo pam-auth-update --enable mkhomedir

# nsswitch removal and modification to enable domain accounts
sudo rm -f /etc/nsswitch.conf
sudo tee /etc/nsswitch.conf > /dev/null << EOF
passwd: files systemd winbind
group: files systemd winbind
shadow: files winbind
gshadow: files winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
EOF
echo done
```
Since this is a test environment, I manually added my DNS server in NetworkManager.
After the configuration script I tested authentication with the following domain account:
kinit administrator
After the configuration script I manually joined with the following line:
sudo net ads join -U administrator
This joined the system to the Windows Domain TESTDOMAIN.INC with working DNS.
Tags: focal
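The report above hinges on which accounts the domain considers due for a password change: pwdLastSet of 0 ("User must change password at next logon") and a password older than the domain's maxPwdAge are the two conditions a KDC and the PAM stack should turn into a forced change. The following is an added example, not code from the bug report or from the gdm3/Samba projects; it reproduces that decision from the raw AD attributes so an administrator can list which accounts should have been prompted and compare that list with who actually logged on. The attribute values and domain policy here are constructed sample data; in practice pwdLastSet, userAccountControl and maxPwdAge would be read from the directory (for example with ldapsearch), which this example does not do.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory stores pwdLastSet as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag that exempts an account from the domain password age.
UF_DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD FILETIME tick count to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (used here only to build sample input)."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def max_pwd_age_to_timedelta(max_pwd_age: int) -> Optional[timedelta]:
    """maxPwdAge on the domain object is a negative tick count; 0 or INT64_MIN means no expiry."""
    if max_pwd_age == 0 or max_pwd_age == -(1 << 63):
        return None
    return timedelta(microseconds=(-max_pwd_age) // 10)


@dataclass
class PasswordState:
    must_change: bool               # pwdLastSet == 0: admin forced a change at next logon
    expired: bool                   # password is older than the domain's maxPwdAge
    never_expires: bool             # DONT_EXPIRE_PASSWD set, or the domain has no maximum age
    expires_at: Optional[datetime]  # when the current password stops being valid, if ever


def password_state(pwd_last_set: int, user_account_control: int,
                   max_pwd_age: int, now: datetime) -> PasswordState:
    """Decide, as the KDC/PAM stack should, whether this logon must end in a password change."""
    if pwd_last_set == 0:
        return PasswordState(True, True, False, None)
    limit = max_pwd_age_to_timedelta(max_pwd_age)
    if user_account_control & UF_DONT_EXPIRE_PASSWD or limit is None:
        return PasswordState(False, False, True, None)
    expires_at = filetime_to_datetime(pwd_last_set) + limit
    return PasswordState(False, now >= expires_at, False, expires_at)


def accounts_needing_change(accounts, max_pwd_age: int, now: datetime):
    """Return the sAMAccountNames whose next logon should be forced through a password change."""
    flagged = []
    for acct in accounts:
        state = password_state(acct["pwdLastSet"], acct["userAccountControl"], max_pwd_age, now)
        if state.must_change or state.expired:
            flagged.append(acct["sAMAccountName"])
    return flagged


# Constructed sample data (not from the bug report). -36288000000000 ticks is 42 days,
# the AD default maximum password age; 0x200 is NORMAL_ACCOUNT.
SAMPLE_MAX_PWD_AGE = -36288000000000
SAMPLE_NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2021, 2, 20, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2021, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2015, 6, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name in accounts_needing_change(SAMPLE_ACCOUNTS, SAMPLE_MAX_PWD_AGE, SAMPLE_NOW):
        print(f"{name}: password change must be enforced at next logon")
```

With the sample data, bob (password set 1 January, 42-day limit passed on 12 February) and carol (pwdLastSet of 0) are flagged; alice is still inside the 42 days and svc-backup is exempt. An account in the flagged list that nevertheless reaches a shell without a change prompt, as the Winbind case in the report describes, is the condition worth alerting on.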
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1919320/+editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]