[opensuse] AD domain password change
Hi, I have opensuse Tumbleweed as a member of windows AD domain. It started showing password expiration notice. What is the opensuse way to change my password for the domain? Cheers, Sunny -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote:
I have opensuse Tumbleweed as a member of windows AD domain. It started showing password expiration notice.
- KDM or GDM? - When did it start to work? "I moved from the plain KDE version is part of openSUSE 11.4 to ..."
What is the opensuse way to change my password for the domain?
Both display managers (kdm/ gdm) had been able to handle this quite well. If this doesn't work any longer please file a bug report. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller
On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote:
I have opensuse Tumbleweed as a member of windows AD domain. It started showing password expiration notice.
- KDM or GDM? - When did it start to work? "I moved from the plain KDE version is part of openSUSE 11.4 to ..."
It's KDM, I'm unsure what you mean by "when did it start to work". It was always working - i.e. logging with a domain user/pass. It's just a company policy that passwords expire, and I need to change mine.
What is the opensuse way to change my password for the domain?
Both display managers (kdm/ gdm) had been able to handle this quite well. If this doesn't work any longer please file a bug report.
I.e. you mean - when I try to login, and it no longer lets me in, I can change the password from the login screen? Or the KDM has somewhere option to change password - I could not find it, that's why I ask. Thanks -- Svetoslav Milenov (Sunny) Artificial Intelligence is no match for natural stupidity.
On Thu, 2011-08-04 at 16:57 -0500, Sunny wrote:
On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller
wrote: On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote:
I have opensuse Tumbleweed as a member of windows AD domain. It started showing password expiration notice.
- KDM or GDM? - When did it start to work? "I moved from the plain KDE version is part of openSUSE 11.4 to ..."
It's KDM, I'm unsure what you mean by "when did it start to work". It was always working - i.e. logging with a domain user/pass. It's just a company policy that passwords expire, and I need to change mine.
What is the opensuse way to change my password for the domain?
Both display managers (kdm/ gdm) had been able to handle this quite well. If this doesn't work any longer please file a bug report.
I.e. you mean - when I try to login, and it no longer lets me in, I can change the password from the login screen? Or the KDM has somewhere option to change password - I could not find it, that's why I ask.
I have never seen a place to change it. I always have had to do so via Windows. Of course, I have not tried in a while. But if your password is expired (not accepted) and KDM does not pop up a window offering you to set a new one, then I bet there is no such facility. I have never recognized any KDM configuration option that enables that. That is not to say there isn't one... Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one? While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE? Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
On Fri, Aug 05, 2011 at 08:20:48AM +0200, Roger Oberholtzer wrote:
On Thu, 2011-08-04 at 16:57 -0500, Sunny wrote:
On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller
wrote: On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote: [ 8< ]
What is the opensuse way to change my password for the domain?
Both display managers (kdm/ gdm) had been able to handle this quite well. If this doesn't work any longer please file a bug report.
I.e. you mean - when I try to login, and it no longer lets me in, I can change the password from the login screen? Or the KDM has somewhere option to change password - I could not find it, that's why I ask.
I have never seen a place to change it. I always have had to do so via Windows. Of course, I have not tried in a while. But if your password is expired (not accepted) and KDM does not pop up a window offering you to set a new one, then I bet there is no such facility. I have never recognized any KDM configuration option that enables that. That is not to say there isn't one...
/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION
Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?
While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?
You earn real single sign on aka the environment is kerberized. But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE". Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, 2011-08-05 at 11:00 +0200, Lars Müller wrote:
/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION
That allows you to log in to the AD domain from, say, KDM. This must be set even to get to the place where a password can be considered expired. But that is not necessarily the same as what to do when the AD password is found to have expired. If the OP says he is getting the message that his password is expired, should he be expecting KDM to have popped up a window where he can enter a new password that can be set in the AD? I think this is what he is curious about, and apparently does not see.
Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?
While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?
You earn real single sign on aka the environment is kerberized.
But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE".
I was curious if there were any things that could be set up on Linux as a result of this AD login. I guess these are outside the AD login per-se. But having got the AD login makes one want to try more things that are no doubt beyond AD login. Once one has completed step A, there is always step B, C, etc... Us users are never satisfied.
Lars
Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
On Fri, Aug 05, 2011 at 11:46:53AM +0200, Roger Oberholtzer wrote:
On Fri, 2011-08-05 at 11:00 +0200, Lars Müller wrote:
/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION
That allows you to log in to the AD domain from, say, KDM. This must be set even to get to the place where a password can be considered expired. But that is not necessarily the same as what to do when the AD password is found to have expired. If the OP says he is getting the message that his password is expired, should he be expecting KDM to have popped up a window where he can enter a new password that can be set in the AD? I think this is what he is curious about, and apparently does not see.
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level. If that's no longer the case please feed bugzilla.
Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?
While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?
You earn real single sign on aka the environment is kerberized.
But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE".
I was curious if there were any things that could be set up on Linux as a result of this AD login. I guess these are outside the AD login per-se. But having got the AD login makes one want to try more things that are no doubt beyond AD login. Once one has completed step A, there is always step B, C, etc... Us users are never satisfied.
Sorry, this is for a simple minded guy like me hard to parse. Please be more tangible or talk to a good doctor, therapist, your dog, wife ... ;) What we need to see are use cases and questions. Real world issues and not hypothetical hypothesis. One simple example: open firefox and try to access outlook web access. If you did all right you got a TGT - check this with the klist tool after login - and this allows you to get a particular service ticket. We did many presentations regarding this in the last years. Maybe we have to tape a short one again at the upcoming openSUSE conference. Which is btw a good place to kick several Samba guys in their lazy back side. :) Thanks. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
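The klist check mentioned in the message above, as an added example that is not part of the original thread: it splits klist output into the TGT and the service tickets obtained with it. The sample output, the EXAMPLE.COM realm and the owa.example.com host are constructed placeholders, and the layout assumed is that of MIT klist.

```shell
#!/bin/sh
# Added example: classify the tickets listed by `klist` after an AD login.
# SAMPLE_KLIST is constructed (MIT klist layout); realm, user and host are
# placeholders, not values from the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: sunny@EXAMPLE.COM

Valid starting     Expires            Service principal
08/05/11 09:00:01  08/05/11 19:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/12/11 09:00:01
08/05/11 09:12:40  08/05/11 19:00:01  HTTP/owa.example.com@EXAMPLE.COM
        renew until 08/12/11 09:00:01'

# Read klist output on stdin and print the realm of the local TGT
# (krbtgt/REALM@REALM). Exit status 1 if no such ticket is listed,
# e.g. when the login did not go through Kerberos at all.
tgt_realm() {
    awk '{
             n = split($NF, p, "@")
             if (n == 2 && p[1] == ("krbtgt/" p[2])) {
                 print p[2]; found = 1; exit
             }
         }
         END { exit (found ? 0 : 1) }'
}

# Read klist output on stdin and print every service ticket that was
# obtained with the TGT (everything that is not a krbtgt/ principal).
service_tickets() {
    awk 'seen && NF >= 5 && $NF ~ /@/ && $NF !~ /^krbtgt\// { print $NF }
         /Service principal/ { seen = 1 }'
}

# On a domain member, replace the printf with a plain `klist` call.
if realm=$(printf '%s\n' "$SAMPLE_KLIST" | tgt_realm); then
    echo "TGT present for realm $realm"
    printf '%s\n' "$SAMPLE_KLIST" | service_tickets | sed 's/^/service ticket: /'
else
    echo "no TGT in the credential cache"
fi
```

An HTTP/ entry in the second list after opening the web mail page shows that the browser used the TGT instead of asking for the password again.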
Am Freitag, 5. August 2011, 12:09:00 schrieb Lars Müller:
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level.
If that's no longer the case please feed bugzilla.
I think what he and the original poster mean is: The notification that the password has expired works. But – they cannot find a way to change the expired password, i.e. they would like to know where in kdm they have to click in order to set a new password. Something like: Your password has expired, please enter a new one: [input line] They cannot find the input line. Sven
On Fri, 2011-08-05 at 13:02 +0200, Sven Burmeister wrote:
Am Freitag, 5. August 2011, 12:09:00 schrieb Lars Müller:
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level.
If that's no longer the case please feed bugzilla.
I think what he and the original poster mean is:
The notification that the password has expired works. But – they cannot find a way to change the expired password, i.e. they would like to know where in kdm they have to click in order to set a new password.
Something like: Your password has expired, please enter a new one: [input line]
They cannot find the input line.
Exactly. And, as I asked, if your linux password is set to expire, do you get a dialog in KDM to change that? It may not be an AD-only question. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
On Fri, Aug 05, 2011 at 01:14:58PM +0200, Roger Oberholtzer wrote:
On Fri, 2011-08-05 at 13:02 +0200, Sven Burmeister wrote:
Am Freitag, 5. August 2011, 12:09:00 schrieb Lars Müller:
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level.
If that's no longer the case please feed bugzilla.
I think what he and the original poster mean is:
The notification that the password has expired works. But – they cannot find a way to change the expired password, i.e. they would like to know where in kdm they have to click in order to set a new password.
Something like: Your password has expired, please enter a new one: [input line]
They cannot find the input line.
Then this is broken in KDE and maybe Gnome too. Please file a bugreport at bugzilla.novell.com else it will not get the attention of the people in charge. And please separate the issues for KDE and Gnome. I'm testing this now with openSUSE Factory and KDM.
Exactly. And, as I asked, if your linux password is set to expire, do you get a dialog in KDM to change that? It may not be an AD-only question.
A KDE guy must step in here. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, 2011-08-05 at 12:09 +0200, Lars Müller wrote:
On Fri, Aug 05, 2011 at 11:46:53AM +0200, Roger Oberholtzer wrote:
On Fri, 2011-08-05 at 11:00 +0200, Lars Müller wrote:
/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION
That allows you to log in to the AD domain from, say, KDM. This must be set even to get to the place where a password can be considered expired. But that is not necessarily the same as what to do when the AD password is found to have expired. If the OP says he is getting the message that his password is expired, should he be expecting KDM to have popped up a window where he can enter a new password that can be set in the AD? I think this is what he is curious about, and apparently does not see.
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level.
If that's no longer the case please feed bugzilla.
Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?
While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?
You earn real single sign on aka the environment is kerberized.
But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE".
I was curious if there were any things that could be set up on Linux as a result of this AD login. I guess these are outside the AD login per-se. But having got the AD login makes one want to try more things that are no doubt beyond AD login. Once one has completed step A, there is always step B, C, etc... Us users are never satisfied.
Sorry, this is for a simple minded guy like me hard to parse. Please be more tangible or talk to a good doctor, therapist, your dog, wife ... ;)
What we need to see are use cases and questions. Real world issues and not hypothetical hypothesis.
I actually took them out of my response because I am sure they are not related to AD authorization. Or at least only tangentially related to AD. But the act of being authorized via AD implies that one might take the next step and access services typically provided to those who have been authorized in the AD. And in the Windows world that is not limited to authentication. What these things are of course depends on the AD to which you have logged on. I feel there is more stuff waiting there. Just waiting for me to access it. Of course, SAMBA plays a role here. But, to me, it is all a bit diffuse and too full of jargon to know where to proceed. One example usage: After logging in to AD, can I have access to my home directory no matter where I am? Obviously I can set this sort of thing up in Linux with a linux login. But what can be done with an AD login? Remember that I can log in to a Linux machine via AD without a previous account on that machine. It is created on-the-fly. How can I get the AD login to make available the user's home directory as defined in the AD? I do not know that AD calls it a home directory. But there is usually a common storage area defined for each user. Another example (veering off thread topic- I think...): Our business as a whole uses Windows and AD. Except for those in my group who use openSUSE. The things that I see that are interesting are perhaps not really related to AD. But, I cannot know that as I do not use AD. For example, when a Windows user logs in, it is determined (1) which printers they are authorized to use and (2) their default printer queue is set to access the one closest to their location. This works company-wide as one zips about with their laptop. Printouts seem to pop out of the printer just down the corridor. No matter in which corridor you find yourself. Is this location service in any way related to AD. I do not necessarily mean the printer stuff - it is just a concrete example. 
But what else could be set up on Linux based on info in the AD? For a while our company used the Novell login. I was using the Novell Linux Client to try to get access to things the Novell login made available. The company have dropped the Novell client and now all is in AD. Of course, if you cannot change an expired password, there could be issues with
One simple example: open firefox and try to access outlook web access. If you did all right you got a TGT - check this with the klist tool after login - and this allows you to get a particular service ticket.
We did many presentations regarding this in the last years. Maybe we have to tape a short one again at the upcoming openSUSE conference.
Which is btw a good place to kick several Samba guys in their lazy back side. :)
Thanks.
Lars
Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
On Fri, Aug 05, 2011 at 01:30:10PM +0200, Roger Oberholtzer wrote: [ 8< ]
One example usage: After logging in to AD, can I have access to my home directory no matter where I am? Obviously I can set this sort of thing up in Linux with a linux login. But what can be done with an AD login? Remember that I can log in to a Linux machine via AD without a previous account on that machine. It is created on-the-fly. How can I get the AD login to make available the user's home directory as defined in the AD? I do not know that AD calls it a home directory. But there is usually a common storage area defined for each user.
pam_mount
Another example (veering off thread topic- I think...): Our business as a whole uses Windows and AD. Except for those in my group who use openSUSE. The things that I see that are interesting are perhaps not really related to AD. But, I cannot know that as I do not use AD. For example, when a Windows user logs in, it is determined (1) which printers they are authorized to use and (2) their default printer queue is set to access the one closest to their location. This works company-wide as one zips about with their laptop. Printouts seem to pop out of the printer just down the corridor. No matter in which corridor you find yourself. Is this location service in any way related to AD.
It is. It's done via a mix of LDAP, DNS, and group policy settings. And here starts the painful part of the integration. With Samba and winbind we only retrieve/pull the information and store it locally - in an ini file IIRC. This information needs to get parsed and passed to the applications. This is the missing link. What I have in mind since quite some time is to identify the top five settings we like to get and somehow store in a local config file. The first attempt/ approach doesn't need to be perfect. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Fri, 2011-08-05 at 14:18 +0200, Lars Müller wrote:
On Fri, Aug 05, 2011 at 01:30:10PM +0200, Roger Oberholtzer wrote: [ 8< ]
One example usage: After logging in to AD, can I have access to my home directory no matter where I am? Obviously I can set this sort of thing up in Linux with a linux login. But what can be done with an AD login? Remember that I can log in to a Linux machine via AD without a previous account on that machine. It is created on-the-fly. How can I get the AD login to make available the user's home directory as defined in the AD? I do not know that AD calls it a home directory. But there is usually a common storage area defined for each user.
pam_mount
But how do I find/specify, in the context of pam_mount, the name of the place to mount that was stored in the AD info? (Related to my 'dumb question' below.)
Another example (veering off thread topic- I think...): Our business as a whole uses Windows and AD. Except for those in my group who use openSUSE. The things that I see that are interesting are perhaps not really related to AD. But, I cannot know that as I do not use AD. For example, when a Windows user logs in, it is determined (1) which printers they are authorized to use and (2) their default printer queue is set to access the one closest to their location. This works company-wide as one zips about with their laptop. Printouts seem to pop out of the printer just down the corridor. No matter in which corridor you find yourself. Is this location service in any way related to AD.
It is. It's done via a mix of LDAP, DNS, and group policy settings. And here starts the painful part of the integration. With Samba and winbind we only retrieve/pull the information and store it locally - in an ini file IIRC. This information needs to get parsed and passed to the applications. This is the missing link.
Interesting. What INI file?
What I have in mind since quite some time is to identify the top five settings we like to get and somehow store in a local config file. The first attempt/ approach doesn't need to be perfect.
I like the sound of that. Here is probably a dumb question: Since I have been authenticated against the AD, what command on Linux could I type to see what information is available in the AD? That is, how can I explore this information? Presumably since one is already authenticated via AD it should be possible to access it with existing information? Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se
The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!" - happens on display manager level.
If that's no longer the case please feed bugzilla.
I was not clear from the beginning. I do receive "Your password will expire in n days!". I can not see how to change it. In the past, when this happened, I just logged in our Outlook Web Access and changed the password there, but I'm curious if there is a way to do it from opensuse. You say I should be able to do that from KDM, but the expiration message has only "OK" button, and I could not find anything in KDM to allow me to change the domain password. -- Svetoslav Milenov (Sunny) Artificial Intelligence is no match for natural stupidity.
On Thu, Aug 04, 2011 at 04:57:34PM -0500, Sunny wrote:
On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller
wrote: On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote:
I have opensuse Tumbleweed as a member of windows AD domain. It started showing password expiration notice.
- KDM or GDM? - When did it start to work? "I moved from the plain KDE version is part of openSUSE 11.4 to ..."
It's KDM, I'm unsure what you mean by "when did it start to work".
Dude, you wrote "It started showing password expiration notice." and therefore I guessed this never worked before. But from your last mail I'm now sure you've never seen it before. Never mind.
It was always working - i.e. logging with a domain user/pass. It's just a company policy that passwords expire, and I need to change mine.
Well, and if that happens "passwords expiration" then the display manager _must_ inform you. And this worked in the past. We have tested this heavily as we have huge deployments which are using this feature.
What is the opensuse way to change my password for the domain?
Both display managers (kdm/ gdm) had been able to handle this quite well. If this doesn't work any longer please file a bug report.
I.e. you mean - when I try to login, and it no longer lets me in, I can change the password from the login screen?
Yepp. Very, very close to the way a Microsoft domain member handles it.
Or the KDM has somewhere option to change password - I could not find it, that's why I ask.
KDE and Gnome guys: Help! Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On 08/04/2011 03:19 PM, Sunny wrote:
Hi, I have opensuse Tumbleweed as a member of windows AD domain. It started showing password expiration notice.
What is the opensuse way to change my password for the domain?
Cheers, Sunny
I use smbpasswd command for that:
smbpasswd -U <username> -r <domain-controller>
participants (5): Lars Müller, Radule Šoškić, Roger Oberholtzer, Sunny, Sven Burmeister