You have been subscribed to a public bug:

I have Ubuntu 20.04 domain joined in a test-lab environment. The problem is that even if a user is set to change their password upon logon via Windows Active Directory, the user is never prompted to do so. I have tried multiple domain join methods with the same result, including the official Ubuntu "Integration of Ubuntu Desktop with Microsoft Active Directory" white paper:
https://ubuntu.com/engage/microsoft-active-directory

Using this SSSD and Realmd AD-joined method the user is denied logon and receives a "Sorry, that didn't work. Please try again" message. When using a Winbind and Samba joined AD system the user receives an "expired password" warning but is allowed to log on to the system without being forced to change the password.

Below are the WinBind steps with comments on each step:

#!/bin/bash

# hostname rename
echo "Please enter new hostname"
read hostrename
sudo hostnamectl set-hostname "$hostrename"
sudo rm -f /etc/hosts
# The redirection in "sudo cat > /etc/hosts" runs as the unprivileged user,
# so the file is written through "sudo tee" instead.
sudo tee /etc/hosts > /dev/null << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.TESTDOMAIN.INC $hostrename

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF

# install needed packages
sudo apt-get install bind9-dnsutils && \
sudo apt-get install ntpdate && \
sudo apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

# remove and create krb5.conf with specific variables
sudo rm -f /etc/krb5.conf
sudo tee /etc/krb5.conf > /dev/null << EOF
[libdefaults]
    default_realm = TESTDOMAIN.INC
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    TESTDOMAIN.INC = {
        kdc = DC01.TESTDOMAIN.INC
        admin_server = DC01.TESTDOMAIN.INC
    }

[domain_realm]
    TESTDOMAIN = TESTDOMAIN.INC
    .testdomain.inc = TESTDOMAIN.INC
EOF

# remove and create samba files with specific variables
sudo rm -f /etc/samba/smb.conf
sudo tee /etc/samba/smb.conf > /dev/null << EOF
[global]
    workgroup = TESTDOMAIN
    realm = TESTDOMAIN.INC
    security = ADS
    dns forwarder = 10.0.0.218
    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 50000-1000000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = true
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
EOF
# (a stray "break" outside any loop followed here in the original; removed)

# restart services
sudo systemctl restart winbind smbd nmbd

# home directory enablement (needs root)
sudo pam-auth-update --enable mkhomedir

# nsswitch removal and modification to enable domain accounts
sudo rm -f /etc/nsswitch.conf
sudo tee /etc/nsswitch.conf > /dev/null << EOF
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files winbind
gshadow:        files winbind

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
EOF
echo done

Since this is a test environment I manually added my DNS server in Network Manager.

After the configuration script I tested authentication with the following domain account:
kinit administrator

After the configuration script I manually joined with the following line:
sudo net ads join -U administrator

This joined the system to the Windows Domain TESTDOMAIN.INC with working DNS.

** Affects: gdm3 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: bot-comment

-- 
Active Directory users unable to change expired password on logon
https://bugs.launchpad.net/bugs/1919320
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu.

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
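The join script above deletes /etc/hosts, /etc/krb5.conf, /etc/samba/smb.conf and /etc/nsswitch.conf with "rm -f" and then rewrites each one from a heredoc; if the write fails part-way (disk full, wrong permissions, a typo in the heredoc), the host is left without name-service or Kerberos configuration, which itself produces logon failures that look like the one reported. The shell below is an added example and is not part of the bug report, of Ubuntu, or of Samba: install_config writes the new file to a temporary name in the same directory, keeps a .bak copy of the previous file and renames into place; config_value reads a "key = value" setting from an ini-style file; check_realms confirms that the Kerberos default_realm and the Samba realm agree, a mismatch between those two being a common reason a join or later ticket refresh fails. All three function names and the sample configuration fragments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): install generated configuration
# files safely and check that krb5.conf and smb.conf name the same realm.
# Usage: install_config /etc/krb5.conf < new-krb5.conf
#        check_realms /etc/krb5.conf /etc/samba/smb.conf
set -u

# install_config DEST   (new content on stdin)
# Write to a temp file next to DEST, keep DEST.bak, then rename into place.
# rename(2) within one filesystem is atomic, so DEST is never missing or
# half-written, unlike "rm -f DEST; cat > DEST".
install_config() {
    dest=$1
    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.$(basename "$dest").XXXXXX") || return 1
    if ! cat > "$tmp"; then          # write failed: leave DEST untouched
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# config_value FILE KEY
# Print the value of the first "KEY = value" line in an ini-style file
# (smb.conf, krb5.conf). Key comparison is case-insensitive; surrounding
# whitespace is ignored; "#" and ";" comment lines are skipped.
config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# check_realms KRB5_CONF SMB_CONF
# Succeed (exit 0) only when default_realm in krb5.conf and realm in smb.conf
# are both present and equal, compared case-insensitively.
check_realms() {
    krb=$(config_value "$1" default_realm | tr 'a-z' 'A-Z')
    smb=$(config_value "$2" realm | tr 'a-z' 'A-Z')
    [ -n "$krb" ] && [ "$krb" = "$smb" ]
}
```

Run check_realms after generating both files and before "net ads join"; a non-zero exit means the two files disagree and the join should not be attempted until they are fixed.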