Re: Configuring RHEL servers to authenticate with Windows Server 2008 Active Directory

This is my understanding too, but I'm hoping there is a workaround for this.
Seems like logins to RHEL servers don't work when the user is expected to
change their password (either because the password has expired, or when one
checks "User must change password on next logon" in AD).

- Kenneth

On Mon, Apr 19, 2010 at 3:09 PM, Mike Burger <mburger@xxxxxxxxxxxxxxxxx> wrote:

> My understanding is that they need to change it from the AD/Windows side.
>
> > Hi all.
> >
> >
> > I've got my RHEL server to authenticate against Active Directory, and
> > things are looking good. I have one small issue that maybe someone here
> > knows how to fix: When a user's password expires, the user must be able to
> > change it. Normally a user would be allowed to log in based on the current
> > password, but she would be prompted for a new password following the login.
> > In the current setup, where my Linux servers authenticate against AD, the
> > users whose passwords have expired are simply locked out from the server.
> > Is there a way to tune Linux to allow login, but have the users change
> > password on login?
> >
> >
> > - Kenneth
> >
> >
> > On Wed, Jan 27, 2010 at 2:39 PM, s u p e r n a u t <supernaut@xxxxxxx> wrote:
> >
> >> I've used this in the past to good effect with RHEL5.3 and W2K3.  I'm
> >> sure you'll have to make adjustments with W2K8, but it may be a good
> >> starting point.
> >>
> >> http://www.interopsystems.com/downloads/Native_LDAP_native_Kerberos_and_AD_services.pdf
> >>
> >> ----- Original Message ----- From: "Kenneth Holter" <kenneho.ndu@xxxxxxxxx>
> >> To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
> >> Sent: Wednesday, January 27, 2010 7:58 AM
> >> Subject: Re: Configuring RHEL servers to authenticate with Windows
> >> Server 2008 Active Directory
> >>
> >>
> >>> Thanks for your reply.
> >>>
> >>> I would like the account and group information to be maintained in AD.
> >>> Possibly later on we'll implement kerberos too.
> >>>
> >>>
> >>> - Kenneth
> >>>
> >>> On Tue, Jan 26, 2010 at 5:32 PM, Marti, Robert <RJM002@xxxxxxxx> wrote:
> >>>
> >>>> If you just care about authentication and not accounts, I'd set up
> >>>> kerberos auth - much easier.  I have no experience setting up LDAP
> >>>> auth, sorry.
> >>>>
> >>>> Rob Marti
> >>>> ________________________________________
> >>>> From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx]
> >>>> On Behalf Of Kenneth Holter [kenneho.ndu@xxxxxxxxx]
> >>>> Sent: Tuesday, January 26, 2010 10:17
> >>>> To: redhat-list@xxxxxxxxxx
> >>>> Subject: Configuring RHEL servers to authenticate with Windows Server
> >>>> 2008 Active Directory
> >>>>
> >>>> Hello all.
> >>>>
> >>>>
> >>>> I'd like to set my RHEL 4 and 5 servers up to authenticate with our
> >>>> Windows Server 2008 Active Directory. Using
> >>>> "authconfig --update --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn=dn=example,dn=com"
> >>>> and adding "binddn" and "bindpw" to the /etc/ldap.conf file, it looks
> >>>> like the Linux box is connecting correctly to the AD server. But running
> >>>> "getent passwd <some-linux-user-defined-on-AD>" doesn't return any result.
> >>>>
> >>>> I'm suspecting that maybe it's my nss_ldap attribute mappings that are
> >>>> not correct. I have no attribute mappings defined, since I would think
> >>>> that there would be some default mappings that would work. Are there any
> >>>> default mappings, and if so, what are they? Or maybe "authconfig" sets up
> >>>> these mappings automatically? Any advice is appreciated.
> >>>>
> >>>> Best regards,
> >>>> Kenneth Holter
> >>>> --
> >>>> redhat-list mailing list
> >>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> >>>>
>
>
> --
> Mike Burger
> http://www.bubbanfriends.org
>
> Visit the Dog Pound II BBS
> telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
>
> To be notified of updates to the web site, visit:
>
> https://www.bubbanfriends.org/mailman/listinfo/site-update
>
> or send a blank email message to:
>
> site-update-subscribe@xxxxxxxxxxxxxxxxx
>
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
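
On the attribute-mapping question in the original post: with no mappings defined, nss_ldap searches for RFC 2307 object classes and attributes such as posixAccount and uid, which an AD user object normally does not carry, so "getent passwd" comes back empty. The script below is an added example, not from the thread; it assumes the directive set of the commented "RFC 2307 (AD) mappings" block in the sample ldap.conf shipped with nss_ldap, and the sample file and bind account in it are constructed.

```shell
#!/bin/sh
# Added example: list the AD mapping directives that an nss_ldap/pam_ldap
# ldap.conf is missing. The directive set is assumed from the commented
# "RFC 2307 (AD) mappings" block of the sample ldap.conf; adjust to your schema.
AD_DIRECTIVES='nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad'

# Print each expected directive that is absent or commented out in file $1.
missing_ad_mappings() {
    # Drop comment and blank lines, squeeze runs of whitespace to one space.
    active=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]\{1,\}/ /g' \
                 -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1")
    printf '%s\n' "$AD_DIRECTIVES" | while IFS= read -r want; do
        printf '%s\n' "$active" | grep -qixF -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: an ldap.conf with a hand-added bind account and only
# one active mapping (the uid mapping is still commented out).
sample_conf() {
    cat <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=ldapbind,cn=Users,dc=example,dc=com
bindpw CONSTRUCTED-PLACEHOLDER
#nss_map_attribute uid sAMAccountName
nss_map_objectclass   posixAccount   user
pam_password md5
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
missing_ad_mappings "$tmp"
rm -f "$tmp"
```

Run it against /etc/ldap.conf on the RHEL host; any directive it prints is one to review before expecting "getent passwd" to resolve AD accounts.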
