On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller wrote:

On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote:

...

I have opensuse Thumbleweed as a member od windows AD domain. It started showing password expiration notice.

- KDM or GMD? - When did it started to work?  "I moved from the plain KDE version is part of openSUSE 11.4 to ..."

Its KDM, I'm unsure what you mean by "when did it started to work". It was always working - i.e. logging with a domain user/pass. It's just a company policy that passwords expire, and I need to change mine.

...

What is the opensuse way to change my password for the domain?

Both display managers (kdm/ gdm) had been able to handle this quite well.  If this doesn't work any longer please file a bug report.

I.e. you mean - when I try to login, and it no longer let's me in, I can change the password from the login screen? Or the KDM has somewhere option to change password - I could not find it, that's why I ask. Thanks -- Svetoslav Milenov (Sunny) Artificial Intelligence is no match for natural stupidity. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Fri, Aug 05, 2011 at 08:20:48AM +0200, Roger Oberholtzer wrote:

On Thu, 2011-08-04 at 16:57 -0500, Sunny wrote:

...

On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller wrote:

...

On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote: [ 8< ]

...

What is the opensuse way to change my password for the domain?

Both display managers (kdm/ gdm) had been able to handle this quite well. If this doesn't work any longer please file a bug report.

I.e. you mean - when I try to login, and it no longer let's me in, I can change the password from the login screen? Or the KDM has somewhere option to change password - I could not find it, that's why I ask.

I have never seen a place to change it. I always have had to do so via Windows. Of course, I have not tried in a while. But if your password is expired (not accepted) and KDM does not pop up a window offering you to set a new one, then I bet there is no such facility. I have never recognized any KDM configuration option that enables that. That is not to say there isn't one...

/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION

Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?

While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?

You earn real single sign on aka the environent is kerberized. But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE". Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany

On Fri, Aug 05, 2011 at 11:46:53AM +0200, Roger Oberholtzer wrote:

On Fri, 2011-08-05 at 11:00 +0200, Lars Müller wrote:

...

/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION

That allows you to log in to the AD domain from, say, KDM. This must be set even to get to the place where a password can be considered expired. But that is not necessarily the same as what to do when the AD password is found to have expired. If the OP says he is getting the message that his password is expired, should he be expecting KDM to have popped up a window where he can enter a new password that can be set in the AD? I think this is what he is curious about, and apparently does not see.

The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!") - happens on display manager level. If that's no longer the case please feed bugzilla.

...

...

Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?

While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?

You earn real single sign on aka the environent is kerberized.

But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE".

I was curious if there were any things that could be set up on Linux as a result of this AD login. I guess these are outside the AD login per-se. But having got the AD login makes one want to try more things that are no doubt beyond AD login. Once one has completed step A, there is always step B, C, etc... Us users are never satisfied.

Sorry, this is for a simple minded guy like me hard to parse. Please be more tangible or talk to a good doctor, therapist, your dog, wife ... ;) What we need to see are use cases and questions. Real world issues and not hypothetical hypothesis. One simple example: open firefox and try to access outlook web access. If you did all right you got a TGT - check this with the klist tool after login - and this allows you to get a particular service ticket. We did many presentations regarding this in the last years. Maybe we have to tape a short one again at the upcoming openSUSE conference. Which is btw a good place to kick several Samba guys in their lazy back side. :) Thanks. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany

On Fri, 2011-08-05 at 13:02 +0200, Sven Burmeister wrote:

Am Freitag, 5. August 2011, 12:09:00 schrieb Lars Müller:

...

The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!") - happens on display manager level.

If that's no longer the case please feed bugzilla.

I think what he and the original poster mean is:

The notification that the password has expired works. But – they cannot find a way to change the expired password, i.e. they would like to know where in kdm they have to click in order to set a new password.

Something like: Your password has expired, please enter a new one: [input line]

They cannot find the input line.

Exactly. And, as I asked, if your linux password is set to expire, do you get a dialog in KDM to change that? It may not be an AD-only question. Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Fri, 2011-08-05 at 12:09 +0200, Lars Müller wrote:

On Fri, Aug 05, 2011 at 11:46:53AM +0200, Roger Oberholtzer wrote:

...

On Fri, 2011-08-05 at 11:00 +0200, Lars Müller wrote:

...

/etc/sysconfig/displaymanager:DISPLAYMANAGER_AD_INTEGRATION

That allows you to log in to the AD domain from, say, KDM. This must be set even to get to the place where a password can be considered expired. But that is not necessarily the same as what to do when the AD password is found to have expired. If the OP says he is getting the message that his password is expired, should he be expecting KDM to have popped up a window where he can enter a new password that can be set in the AD? I think this is what he is curious about, and apparently does not see.

The full password change process - you see a message like "Your password has expired!" or "Your password will expire in n days!") - happens on display manager level.

If that's no longer the case please feed bugzilla.

...

...

...

Having said that, what happens with a regular Linux account password if it is set to expire? Does KDM offer a place to enter a new one?

While on the topic of AD, aside from not needing to set up an account on the Linux machine, what else can logging in via AD offer on openSUSE?

You earn real single sign on aka the environent is kerberized.

But here I might have missed your question. Please be more verbose about what you mean with "what else can logging in via AD offer on openSUSE".

I was curious if there were any things that could be set up on Linux as a result of this AD login. I guess these are outside the AD login per-se. But having got the AD login makes one want to try more things that are no doubt beyond AD login. Once one has completed step A, there is always step B, C, etc... Us users are never satisfied.

Sorry, this is for a simple minded guy like me hard to parse. Please be more tangible or talk to a good doctor, therapist, your dog, wife ... ;)

What we need to see are use cases and questions. Real world issues and not hypothetical hypothesis.

I actually took them out of my response because I am sure they are not related to AD authorization. Or at least only tangentially related to AD. But the act of being authorized via AD implies that one might take the next step and access services typically provided to those who have been authorized in the AD. And in the Windows world that is not limited to authentication. What these things are of course depends on the AD to which you have logged on. I feel there is more stuff waiting there. Just waiting for me to access it. Of course, SAMBA plays a role here. But, to me, it is all a bit diffuse and too full of jargon to know where to proceed. One example usage: After logging in to AD, can I have access to my home directory no matter where I am? Obviously I can set this sort of thing up in Linux with a linux login. But what can be done with an AD login? Remember that I can log in to a Linux machine via AD without a previous account on that machine. It is created on-the-fly. How can I get the AD login to make available the user's home directory as defined in the AD? I do not know that AD calls it a home directory. But there is usually a common storage area defined for each user. Another example (veering off thread topic- I think...): Our business as a whole uses Windows and AD. Except for those in my group who use openSUSE. The things that I see that are interesting are perhaps not really related to AD. But, I cannot know that as I do not use AD. For example, when a Windows user logs in, it is determined (1) which printers they are authorized to use and (2) their default printer queue is set to access the one closest to their location. This works company-wide as one zips about with their laptop. Printouts seem to pop out of the printer just down the corridor. No matter in which corridor you find yourself. Is this location service in any way related to AD. I do not necessarily mean the printer stuff - it is just a concrete example. But what else could be set up on Linux based on info in the AD? For a while our company used the Novell login. I was using the Novell Linux Client to try to get access to things the Novell login made available. The company have dropped the Novell client and now all is in AD. Of course, if you cannot change an expired password, there could be issues with

One simple example: open firefox and try to access outlook web access. If you did all right you got a TGT - check this with the klist tool after login - and this allows you to get a particular service ticket.

We did many presentations regarding this in the last years. Maybe we have to tape a short one again at the upcoming openSUSE conference.

Which is btw a good place to kick several Samba guys in their lazy back side. :)

Thanks.

Lars

Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Fri, 2011-08-05 at 14:18 +0200, Lars Müller wrote:

On Fri, Aug 05, 2011 at 01:30:10PM +0200, Roger Oberholtzer wrote: [ 8< ]

...

One example usage: After logging in to AD, can I have access to my home directory no matter where I am? Obviously I can set this sort of thing up in Linux with a linux login. But what can be done with an AD login? Remember that I can log in to a Linux machine via AD without a previous account on that machine. It is created on-the-fly. How can I get the AD login to make available the user's home directory as defined in the AD? I do not know that AD calls it a home directory. But there is usually a common storage area defined for each user.

pam_mount

But how do I find/specify, in the context of pam_mount, the name of the place to mount that was stored in the AD info? (Related to mu 'dumb question' below.)

...

Another example (veering off thread topic- I think...): Our business as a whole uses Windows and AD. Except for those in my group who use openSUSE. The things that I see that are interesting are perhaps not really related to AD. But, I cannot know that as I do not use AD. For example, when a Windows user logs in, it is determined (1) which printers they are authorized to use and (2) their default printer queue is set to access the one closest to their location. This works company-wide as one zips about with their laptop. Printouts seem to pop out of the printer just down the corridor. No matter in which corridor you find yourself. Is this location service in any way related to AD.

It is. It's done via a mix of LDAP, DNS, and group policy settings. And here starts the painfull part of the integration. With Samba and winbind we're only retrieve/ pull the information and store it locally - in a ini file IIRC. This information needs to get parsed and passed to the applications. This is the missing link.

Interesting. What INI file?

What I have in mind since quite some time is to identify the top five settings we like to get and somehow store in a local config file. The first attempt/ approach doesn't need to be perfect.

I like the sound of that. Here is probably a dumb question: Since I have been authenticated against the AD, what command on Linux could I type to see what information is available in the AD? That is, how can I explore this information? Presumably since one is already authenticated via AD it should be possible to access it with existing information? Yours sincerely, Roger Oberholtzer OPQ Systems / Ramböll RST Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 roger.oberholtzer@ramboll.se ________________________________________ Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden www.rambollrst.se -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Thu, Aug 04, 2011 at 04:57:34PM -0500, Sunny wrote:

On Thu, Aug 4, 2011 at 3:39 PM, Lars Müller wrote:

...

On Thu, Aug 04, 2011 at 08:19:31AM -0500, Sunny wrote:

...

I have opensuse Thumbleweed as a member od windows AD domain. It started showing password expiration notice.

- KDM or GMD? - When did it started to work?  "I moved from the plain KDE version is part of openSUSE 11.4 to ..."

Its KDM, I'm unsure what you mean by "when did it started to work".

Dude, you wrote "It started showing password expiration notice." and therefore I guessed this never worked before. But from your last mail I'm now sure you've never seen it before. Never mind.

It was always working - i.e. logging with a domain user/pass. It's just a company policy that passwords expire, and I need to change mine.

Well, and if that happen "passwords expiration" then the display manager _must_ inform you. And this worked in the past. We have tested this heavily as we have huge deployments which are using this feature.

...

...

What is the opensuse way to change my password for the domain?

Both display managers (kdm/ gdm) had been able to handle this quite well.  If this doesn't work any longer please file a bug report.

I.e. you mean - when I try to login, and it no longer let's me in, I can change the password from the login screen?

Yepp. Very, very close to the way a Microsoft domain member handles it.

Or the KDM has somewhere option to change password - I could not find it, that's why I ask.

KDE and Gnome guys: Help! Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany