AD joined Ubuntu 20.04 allows expired password logon

Asked by ibmthinkpad770x on 2021-03-12

I have Ubuntu 20.04 domain joined in a test-lab environment. I have tried multiple domain join methods, including the official Ubuntu documentation, with the same result. The problem is that even if a user is set to change their password upon logon via Windows Active Directory, the expired password still allows the user to log into Ubuntu. How can I prevent a user with an expired password from logging on? How do I force them to change the password on the logon screen?

Question information

Language: English
Status: Open
For: Ubuntu
Assignee: No assignee

Bernard Stafford (bernard010) said : #1

Did you try this?

-e, --expire
    Immediately expire an account's password. This in effect can force a user to change
    his/her password at the user's next login. As Superuser.
https://manpages.ubuntu.com/manpages/focal/man1/passwd.1.html

ibmthinkpad770x (srgtlord) said : #2

I just tried the suggested method and received the following:

sudo passwd -e testuser

passwd: user 'testuser' does not exist in /etc/passwd

I looked around, and the command passwd DOMAIN\\username allows me to change the domain account password from within an Ubuntu terminal once logged in.

passwd TESTDOMAIN\\testuser
Changing password for TESTDOMAIN\testuser
(current) NT password:
Enter new NT password:
Retype new NT password:
passwd: password updated successfully

However, this still does not solve the issue of a user being able to log on with an expired password.
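The passwd -e attempt above fails because a domain user has no /etc/shadow entry to edit: passwd -e only sets the local shadow "last change" field to 0, which pam_unix treats as "must change at next login". For an AD account the equivalent state lives in the directory instead: pwdLastSet (0 is the "User must change password at next logon" checkbox), the domain's maxPwdAge, and the UF_DONT_EXPIRE_PASSWD bit of userAccountControl. The script below is an added example written for this thread, not code from any of the posts or from Ubuntu/Samba; it evaluates both representations on constructed sample values so they can be compared side by side. It reads nothing from the running system and contacts no domain controller; the shadow lines, attribute values, the 42-day sample policy and the 2021-03-12 "now" are all made up for the demonstration. This is the directory-side state that the client's PAM account stage has to turn into a "new password required" result before a login manager can prompt; whether a given client does so is exactly what the thread is about.

```python
"""Password 'must change' / 'expired' state, evaluated from the fields each
system stores: /etc/shadow for local accounts (what `passwd -e` edits) and
pwdLastSet / maxPwdAge / userAccountControl for Active Directory accounts.

Added example for this thread; all inputs are constructed sample values and
nothing is read from the running system or from a domain controller.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# maxPwdAge value meaning "passwords never expire" (0x8000000000000000 as int64)
MAXPWDAGE_NEVER = -0x8000000000000000
# userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD
UF_DONT_EXPIRE_PASSWD = 0x10000
# constructed sample policy: 42 days, stored as a negative 100 ns interval
MAXPWDAGE_42D = -42 * 24 * 3600 * 10_000_000
# constructed "now": the date of the question in this thread
THREAD_DATE = datetime(2021, 3, 12, tzinfo=timezone.utc)


def utc_date(year: int, month: int, day: int) -> datetime:
    """Convenience constructor for timezone-aware UTC midnight values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def shadow_password_state(shadow_line: str, now: datetime) -> str:
    """State of one /etc/shadow line: 'must_change', 'expired' or 'ok'.

    shadow(5): field 3 is the day (since 1970-01-01) of the last change, where 0
    means the user must change the password at next login, which is exactly what
    `passwd -e` writes; field 5 is the maximum age in days (empty = no maximum).
    """
    fields = shadow_line.split(":")
    last_change, max_days = fields[2], fields[4]
    if last_change == "0":
        return "must_change"
    if last_change == "" or max_days == "" or int(max_days) >= 99999:
        return "ok"
    changed = UNIX_EPOCH + timedelta(days=int(last_change))
    return "expired" if now - changed > timedelta(days=int(max_days)) else "ok"


def ad_password_state(pwd_last_set: int, max_pwd_age: int,
                      user_account_control: int, now: datetime) -> str:
    """State of an AD account from the attributes the DC evaluates.

    pwdLastSet is a FILETIME; 0 is the 'User must change password at next
    logon' checkbox. maxPwdAge (on the domain object) is a negative FILETIME
    interval. Per the pwdLastSet attribute documentation the must-change rule
    only applies when UF_DONT_EXPIRE_PASSWD is not set, so that bit is tested first.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "ok"
    if pwd_last_set == 0:
        return "must_change"        # directory-side equivalent of `passwd -e`
    if max_pwd_age == MAXPWDAGE_NEVER:
        return "ok"
    last_set = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)
    return "expired" if now - last_set > max_age else "ok"


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (used here to build sample pwdLastSet values)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def days_since_epoch(dt: datetime) -> int:
    """UTC datetime -> shadow 'last change' day number."""
    return (dt - UNIX_EPOCH).days


if __name__ == "__main__":
    # Constructed local entries: after `passwd -e`, a stale one, a fresh one
    for line in ("testuser:$6$salt$hash:0:0:99999:7:::",
                 "testuser:$6$salt$hash:18500:0:90:7:::",
                 "testuser:$6$salt$hash:18650:0:90:7:::"):
        print("shadow", line.split(":")[2:5], shadow_password_state(line, THREAD_DATE))

    # Constructed AD attribute sets (512 = NORMAL_ACCOUNT)
    samples = [
        ("must change at next logon", 0, MAXPWDAGE_42D, 512),
        ("set 2021-01-01, 42-day policy", to_filetime(utc_date(2021, 1, 1)), MAXPWDAGE_42D, 512),
        ("set 2021-03-01, 42-day policy", to_filetime(utc_date(2021, 3, 1)), MAXPWDAGE_42D, 512),
        ("old, password never expires", to_filetime(utc_date(2015, 1, 1)), MAXPWDAGE_42D, 512 | UF_DONT_EXPIRE_PASSWD),
        ("old, domain policy never expires", to_filetime(utc_date(2015, 1, 1)), MAXPWDAGE_NEVER, 512),
    ]
    for label, pls, mpa, uac in samples:
        print("ad    ", label, "->", ad_password_state(pls, mpa, uac, THREAD_DATE))
```

Run it as a plain script; it prints one line per sample. The practical reading is that there is no file on the Ubuntu client to flip for a domain user: the must-change and expiry state is computed from the directory, and a client that logs such a user in without prompting is ignoring the result the account stage should have produced rather than missing a local setting.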

How did you join the domain please?
What steps did you take?

ibmthinkpad770x (srgtlord) said : #4

I have tried multiple domain join methods. At the moment I've been using a configuration script to quickly spin up test clients. Here are the steps I used, with comments on each step:

#!/bin/bash
set -e

# hostname rename
echo "Please enter new hostname"
read -r hostrename
sudo hostnamectl set-hostname "$hostrename"
# 'sudo cat > /etc/hosts' does not work: the redirect is opened by the
# unprivileged shell, not by sudo. tee runs as root and truncates the file.
sudo tee /etc/hosts > /dev/null << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.TESTDOMAIN.INC $hostrename

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

EOF

# install needed packages (non-interactive, because krb5-config would
# otherwise prompt for the realm that is written to /etc/krb5.conf below)
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y bind9-dnsutils ntpdate
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

# replace krb5.conf with specific variables
sudo tee /etc/krb5.conf > /dev/null << 'EOF'
[libdefaults]
        default_realm = TESTDOMAIN.INC

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        TESTDOMAIN.INC = {
                kdc = DC01.TESTDOMAIN.INC
                admin_server = DC01.TESTDOMAIN.INC
        }

[domain_realm]
        TESTDOMAIN = TESTDOMAIN.INC
        .testdomain.inc = TESTDOMAIN.INC

EOF

# replace samba files with specific variables
sudo tee /etc/samba/smb.conf > /dev/null << 'EOF'
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.INC
security = ADS
# dns forwarder only applies to the internal DNS server of a Samba AD DC;
# it is ignored on a domain member
dns forwarder = 10.0.0.218
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
# caches domain credentials so users can still log on while no DC is reachable
winbind offline logon = true
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
EOF

# restart services
sudo systemctl restart winbind smbd nmbd

# home directory enablement
sudo pam-auth-update --enable mkhomedir

# replace nsswitch.conf to enable domain accounts
sudo tee /etc/nsswitch.conf > /dev/null << 'EOF'
passwd: files systemd winbind
group: files systemd winbind
shadow: files winbind
gshadow: files winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
EOF
echo done

Since this is a test environment, I manually added my DNS server in NetworkManager.

After the configuration script, I tested authentication with the following domain account:

kinit administrator

After the configuration script, I manually joined with the following line:

sudo net ads join -U administrator

This joined the system to the Windows domain TESTDOMAIN.INC with working DNS.

Upon reboot, I tested logon with user domain accounts.

ibmthinkpad770x (srgtlord) said : #5

I just created another VM using the official Canonical whitepaper published November 2020:
"Integration of Ubuntu Desktop with Microsoft Active Directory"

The deviations I made were the lack of NTP setup, as the entire domain is virtual, and the hostname script I created.

hostname script:

#!/bin/bash
set -e
echo "Please enter new hostname"
read -r hostrename
sudo hostnamectl set-hostname "$hostrename"
# tee rather than 'sudo cat > file': the redirect would be opened without root
sudo tee /etc/hosts > /dev/null << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.LORD.INC $hostrename
EOF

sudo apt install -y sssd-ad sssd-tools realmd adcli

realm discover TESTDOMAIN.INC

sudo realm join TESTDOMAIN

Now I have the opposite problem, where the user with an expired password receives no prompt and is denied logon.

At this point Ubuntu should be prompting the user to reset the password, but it is not, in two different domain join scenarios. There seems to be a bug in how expired AD account passwords are handled by Ubuntu.

ibmthinkpad770x (srgtlord) said : #6

I realized I had a typo in the above steps. Here are the corrected steps:

hostname script:

#!/bin/bash
set -e
echo "Please enter new hostname"
read -r hostrename
sudo hostnamectl set-hostname "$hostrename"
# tee rather than 'sudo cat > file': the redirect would be opened without root
sudo tee /etc/hosts > /dev/null << EOF
127.0.0.1 localhost
127.0.1.1 $hostrename.TESTDOMAIN.INC $hostrename
EOF

sudo apt install -y sssd-ad sssd-tools realmd adcli

realm discover TESTDOMAIN.INC

sudo realm join TESTDOMAIN

Bernard Stafford (bernard010) said : #8

Could this be of some help?
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
If not reopen question.

ibmthinkpad770x (srgtlord) said : #9

After a few trials I think I should have labeled the issue "unable to reset domain account password from logon screen", which seems to be the common theme regardless of what domain join method I have used. After some Google searching it looks like there are other people who have run into the password reset issue on Ubuntu before, and there is no documented solution. However, it appears openSUSE has been able to accomplish this: https://doc.opensuse.org/documentation/leap/security/html/book.security/cha-security-ad.html

ibmthinkpad770x (srgtlord) said : #10

I didn't solve my issue, but I did find a workaround. Ubuntu 18.04 and the SSSD domain join method work correctly with Windows Active Directory password management. I opened a bug report for the issue:

https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1919320
