[CentOS] Password Must Change using SSSD in Samba 4.1.10

Wed Jan 7 10:19:18 UTC 2015
Ashish Yadav <gwalashish at gmail.com>


I am trying to implement the *password must change at next logon* in CentOS
6.5 client using sssd 1.11.6 where Samba 4.1.10 is my backend server.

Here are the list of things which I have done,

1. I have setup the CentOS to do the Domain login using sssd service. I can
able to login into the CentOS client using Domain user's credentials from
and from SSH also, no problem at all.

2. Next thing which I want to implement is that password must change
feature into Samba 4.1.10 server. To do that, I have been using Windows 7
which is already in Domain and I am using RSAT tools for users and groups
where I have a option to check "password must change at next logon" option
for particular user.
After doing that Windows machine is honoring this and telling user to
change the password and allowing user to login after changing the password.

3. As far as the CentOS client is concerned, it was not honoring the
password must change and allowing user to login without asking for password
change using sssd with current password.

Here is the configuration file of sssd service,

config_file_version = 2
services = nss, pam
domains = EXAMPLE
sbus_timeout = 30

filter_users = root
filter_groups = root
reconnection_retries = 3

reconnection_retries = 3
offline_credentials_expiration = 0

entry_cache_timeout = 600
entry_cache_group_timeout = 600
min_id = 1000
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = rfc2307bis
ldap_uri = ldap://smbad.intra.example.com:390/
ldap_search_base = dc=intra,dc=example,dc=com
cache_credentials = true
krb5_server = smbad.intra.example.com:8880
krb5_realm= INTRA.EXAMPLE.COM <http://intra.example.com/>

ldap_default_bind_dn = cn=admin,dc=intra,dc=example,dc=com

ldap_default_authtok_type = password
ldap_default_authtok = 6pNEn7Eo3zmz9MxciGLx

4. I have also tried to achieve above thing using command line tool
"pdbedit" but without any luck. Here is the link <
which I have followed.

Please share your thoughts in order to help me and move forward to solve
this problem.

Thanks very much and regards,
Ashishkumar S. Yadav