Active Directory users unable to change expired password on logon

Bug #1919320 reported by ibmthinkpad770x
This bug affects 2 people
Affects         Status      Importance   Assigned to   Milestone
gdm3 (Ubuntu)   Confirmed   Undecided    Unassigned

Bug Description

I have Ubuntu 20.04 domain joined in a test-lab environment. The problem is that even if a user is set to change their password upon logon via Windows Active Directory, the user is never prompted to do so. I have tried multiple domain join methods with the same result, including the official Ubuntu "Integration of Ubuntu Desktop with Microsoft Active Directory" white paper.

https://ubuntu.com/engage/microsoft-active-directory

Using this SSSD and Realmd AD joined method the user is denied logon and receives a "Sorry, that didn't work. Please try again" message.

When using a Winbind and Samba joined AD system the user receives an "expired password" warning but is allowed to logon to the system without being forced to change the password.

Below are the WinBind steps with comments on each step:

#!/bin/bash
# Winbind/Samba join steps; run as a normal user, sudo is used for each privileged step.
# Files are written with "sudo tee" because "sudo cat > file" redirects in the
# unprivileged shell and fails with "Permission denied".

#hostname rename
echo Please enter new hostname
read hostrename
sudo hostnamectl set-hostname "$hostrename" &&
sudo rm -f /etc/hosts
# EOF is unquoted on purpose so $hostrename expands inside the heredoc
sudo tee /etc/hosts > /dev/null << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.TESTDOMAIN.INC $hostrename

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

EOF

#install needed packages
sudo apt-get install bind9-dnsutils &&
sudo apt-get install ntpdate &&
sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

#remove and create krb5.conf with specific variables
sudo rm -f /etc/krb5.conf
sudo tee /etc/krb5.conf > /dev/null << 'EOF'
[libdefaults]
        default_realm = TESTDOMAIN.INC

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        TESTDOMAIN.INC = {
                kdc = DC01.TESTDOMAIN.INC
                admin_server = DC01.TESTDOMAIN.INC
        }

[domain_realm]
        TESTDOMAIN = TESTDOMAIN.INC
        .testdomain.inc = TESTDOMAIN.INC

EOF

#remove and create samba files with specific variables
sudo rm -f /etc/samba/smb.conf &&
sudo tee /etc/samba/smb.conf > /dev/null << 'EOF'
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.INC
security = ADS
dns forwarder = 10.0.0.218
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
EOF

#restart services
sudo systemctl restart winbind smbd nmbd

#home directory enablement (pam-auth-update edits /etc/pam.d, so it needs root)
sudo pam-auth-update --enable mkhomedir

#nsswitch removal and modification to enable domain accounts
sudo rm -f /etc/nsswitch.conf
sudo tee /etc/nsswitch.conf > /dev/null << 'EOF'
passwd: files systemd winbind
group: files systemd winbind
shadow: files winbind
gshadow: files winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
EOF
echo done

Since this is a test environment I manually added my DNS server in Network Manager.

After the configuration script I tested authentication with the following domain account:
kinit administrator

After the configuration script I manually joined with the following line:

sudo net ads join -U administrator

This joined the system to the Windows Domain TESTDOMAIN.INC with working DNS

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1919320/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Revision history for this message
ibmthinkpad770x (srgtlord) wrote :

Hello,
I understand the need for a narrower approach but there are multiple packages involved with Domain authentication including but not limited to gdm3, samba, krb5-config, winbind, and libpam-winbind. Should I open multiple bug reports with one open for each package?

Revision history for this message
ibmthinkpad770x (srgtlord) wrote :

Advised by the bot to change the affected package.

affects: ubuntu → gdm3 (Ubuntu)
tags: added: focal
Revision history for this message
ibmthinkpad770x (srgtlord) wrote :

I tested this today with 18.04

This issue exists in 18.04 with the Samba domain join method.

However, Ubuntu 18.04 with the SSSD and Realmd method worked as designed with the expired password. The user was able to change the expired password.

Revision history for this message
Babu chandrasekar (bachan393) wrote :

Just do "apt install libpam-krb5"

and then it obeys "User must change password at next logon" policy from windows AD

Thanks
Babu
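The join script in the bug description changes NSS and the winbind configuration but touches the PAM stack only to enable mkhomedir, and the comment above adds libpam-krb5. PAM applications such as gdm3 or login start the password-change flow only when pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD; they then call pam_chauthtok() against the modules in the password phase. A domain-aware module therefore has to be present in both the account and the password phase for an "must change password at next logon" flag to reach the user. The check below is an added example for this thread, not code from the bug report or from any of the packages involved; it audits an Ubuntu-style common-account and common-password pair for pam_winbind, pam_krb5 or pam_sss entries. The file contents, the temporary directory and the function names are constructed for the example, and the control flags in the sample lines are illustrative rather than copied from a release.

```shell
#!/bin/sh
# Added example (not from the bug report): audit PAM stack files for the modules that
# can report an expired AD password (account phase) and change it (password phase).
# pam_acct_mgmt() returning PAM_NEW_AUTHTOK_REQD is what makes gdm3/login call
# pam_chauthtok(); without a domain-aware module in the account phase the
# password-change prompt never appears, however the machine was joined.

# pam_phase_has_domain_module FILE PHASE
# Returns 0 when FILE has an uncommented line whose first field is PHASE and which
# loads pam_winbind.so, pam_krb5.so or pam_sss.so; returns 1 otherwise.
pam_phase_has_domain_module() {
    file=$1
    phase=$2
    # strip comments, then match on the phase field and the module name
    sed 's/#.*//' "$file" \
        | awk -v p="$phase" \
            '$1 == p && $0 ~ /pam_(winbind|krb5|sss)\.so/ { found = 1 }
             END { if (found) exit 0; exit 1 }'
}

# audit_pam_stack ACCOUNT_FILE PASSWORD_FILE
# Prints one line per phase and returns the number of phases lacking a domain module.
audit_pam_stack() {
    missing=0
    if pam_phase_has_domain_module "$1" account; then
        echo "ok:      account phase can signal an expired domain password ($1)"
    else
        echo "MISSING: no domain module in the account phase of $1"
        missing=$((missing + 1))
    fi
    if pam_phase_has_domain_module "$2" password; then
        echo "ok:      password phase can change a domain password ($2)"
    else
        echo "MISSING: no domain module in the password phase of $2"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample files in the shape of pam-auth-update output (control flags are
# illustrative, not copied from any Ubuntu release).
tmp=$(mktemp -d)
cat > "$tmp/common-account" <<'EOF'
# constructed: winbind present in the account phase
account [success=1 new_authtok_reqd=done default=ignore]             pam_unix.so
account [success=ok new_authtok_reqd=done ignore=ignore default=bad] pam_winbind.so
account requisite   pam_deny.so
account required    pam_permit.so
EOF
cat > "$tmp/common-password" <<'EOF'
# constructed: winbind present in the password phase
password requisite                   pam_pwquality.so retry=3
password [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password [success=1 default=ignore]  pam_winbind.so use_authtok try_first_pass
password requisite                   pam_deny.so
password required                    pam_permit.so
EOF
cat > "$tmp/common-password.local-only" <<'EOF'
# constructed: only pam_unix, so an expired AD password cannot be changed here
password requisite                   pam_pwquality.so retry=3
password [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite                   pam_deny.so
password required                    pam_permit.so
EOF

# Demonstration runs; "|| true" keeps a failing audit from aborting a "set -e" shell.
audit_pam_stack "$tmp/common-account" "$tmp/common-password" || true
audit_pam_stack "$tmp/common-account" "$tmp/common-password.local-only" || true
```

On a joined machine the same two functions can be pointed at /etc/pam.d/common-account and /etc/pam.d/common-password; a MISSING line for either phase explains a login that warns about an expired password yet never offers to change it, independently of which join method was used.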

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gdm3 (Ubuntu):
status: New → Confirmed