Resolved
0 votes
So, this may be long winded. I have a ClearOS installation with Directory and Windows (essentially domain) services, RADIUS, and other services (don't think they're necessary to list - could be wrong). I customized the password policy to (among other options) expire in 60 days, 15 characters, and custom password history. I have recently had my first expiry. The username attempted to authenticate to a network device (router) using RADIUS and repeatedly got "invalid username or password". Running radiusd in debug mode, I noticed the message stating the user's password was expired. Unless I had seen that, I would never have known we were at the end of the expiration timeout. Logged into the web GUI with that user's current credentials with no problem and again, with no notice about expired password (I thought quite odd). Went to that user's profile and typed the old password, a new password and confirmed it. Once "Update" button was pressed, I got "Invalid current password" notification. I logged out and back in to verify I had the password right - I did. I used an LDAP browser program with the "Directory" BaseDN and related information to bind to the LDAP server, changed the password and the user was able to login with the new password. Not at all how this should be done. I thought maybe since the password was expired might be the reason why I couldn't change it from the user's profile so I tried to change it to something different. Same error message about invalid current password. I then logged into SSH with that same user's known valid credentials and typed "passwd". A prompt came up asking for the current password (as expected - typed it), new password (entered one meeting complexity requirements) and confirm (I typed the same password again). After, it displayed a message on the CLI stating
password change failed: Constraint violation

passwd: Authentication token manipulation error

The hard part here is I have to have this working in some manageable way. This is being deployed in an environment (as a sort of set and forget thing) and has to have the password complexity requirements, expiration settings, and usability of a normal LDAP setup but I have no idea where to start looking to try to troubleshoot or fix it. All packages are currently up to date and, to make things more difficult, this is an air-gapped system, so updates are going to be increasingly difficult to manage, obtain, or install.
Wednesday, May 02 2018, 09:19 PM
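An added example, not from this thread and not ClearOS code: the core problem in the post above is that nothing warned the user before the 60-day expiry hit, so a small report of accounts that are expired or nearing expiry, run from cron and mailed to an admin, closes that gap on an air-gapped box without any new packages. The script parses an LDIF export and assumes the accounts carry the standard shadowAccount attributes shadowLastChange and shadowMax (days since the epoch); that schema assumption, the BaseDN and the sample entries are constructed here, not taken from the poster's directory (adapt the three attribute names if your entries use sambaPwdLastSet or ppolicy's pwdChangedTime instead). For context on the passwd error: "Constraint violation" (LDAP result code 19) is what OpenLDAP's ppolicy overlay typically returns when the policy itself rejects the new password, for example because it is found in the stored password history, so that setting is worth checking alongside the expiry.

```sh
#!/bin/sh
# Added example: report LDAP accounts whose password is expired or about to
# expire, so users are warned before RADIUS/Samba silently start rejecting them.
# Assumption: entries carry shadowLastChange and shadowMax (days since epoch).

# Constructed sample LDIF (not captured from a real directory); the BaseDN is made up.
SAMPLE_LDIF='dn: uid=alice,ou=Users,ou=Accounts,dc=example,dc=local
uid: alice
shadowLastChange: 17600
shadowMax: 60

dn: uid=bob,ou=Users,ou=Accounts,dc=example,dc=local
uid: bob
shadowLastChange: 17640
shadowMax: 60

dn: uid=carol,ou=Users,ou=Accounts,dc=example,dc=local
uid: carol
shadowLastChange: 17580
shadowMax: 60

dn: uid=svc-radius,ou=Users,ou=Accounts,dc=example,dc=local
uid: svc-radius
shadowLastChange: 17500
shadowMax: 99999'

# password_expiry_report <ldif text> <today in days since epoch> <warn window in days>
# Prints one line per account: "<uid> <OK|EXPIRING|EXPIRED|NEVER> <days left>"
password_expiry_report() {
    printf '%s\n' "$1" | awk -v today="$2" -v warn="$3" '
    BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per blank-line-separated record
    {
        uid = ""; last = ""; max = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^uid: /)              uid  = substr($i, 6)
            else if ($i ~ /^shadowLastChange: /) last = substr($i, 19) + 0
            else if ($i ~ /^shadowMax: /)        max  = substr($i, 12) + 0
        }
        if (uid == "" || last == "" || max == "") next      # entry without shadow data
        if (max >= 99999) { printf "%s NEVER -\n", uid; next }   # 99999 = never expires
        left = last + max - today                           # days until the password expires
        if      (left < 0)     status = "EXPIRED"
        else if (left <= warn) status = "EXPIRING"
        else                   status = "OK"
        printf "%s %s %d\n", uid, status, left
    }'
}

# On a live system, feed it the directory export and today's date, e.g.:
#   password_expiry_report \
#     "$(ldapsearch -x -LLL -b "<your BaseDN>" "(objectClass=shadowAccount)" uid shadowLastChange shadowMax)" \
#     "$(( $(date +%s) / 86400 ))" 14
# Here the sample runs against a constructed "today" of day 17655 with a 14-day warning window:
password_expiry_report "$SAMPLE_LDIF" 17655 14
```

Run it from a daily cron job and mail the EXPIRING and EXPIRED lines to whoever owns the accounts; a service account with shadowMax of 99999 is reported as NEVER so it does not drown out real warnings.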
Responses (15)
  • Accepted Answer

    Wednesday, October 17 2018, 07:51 AM - #Permalink
    Resolved
    0 votes
    @Dustin,
    Bumping this thread as I have just found it again in another search.

If you look at this forum sticky, you now no longer have to use Enable "Windows 10 Domain Logons" for client PCs to join the ClearOS domain. All that setting did is restrict the protocol to SMB1. If you don't enable it, SMB2 and SMB3 will be used. You can even go as far as setting "min protocol = SMB2", so you can pass your STIG requirements.
  • Accepted Answer

    Monday, May 07 2018, 07:49 PM - #Permalink
    Resolved
    0 votes
I think you have to be wary of terminology here. As far as I am aware, here Domain refers to the Windows Domain in Webconfig > Server > File > Windows Networking (Samba). This seems to always be capitalised and I think is (or used to be) restricted to 15 characters. It also becomes the Workgroup in simple filesharing mode. The other domain is the Default Domain in Webconfig > Network > Settings > IP Settings and they are not related. If you do an nslookup or ping with a simple name, dnsmasq tries appending the Default Domain to it to see if that will resolve as well. If you don't want this behaviour when you do a ping or nslookup, you need to add a "." to the end of the device names e.g. "ping mini-1." and not "ping mini-1". For my Default Domain I use my public domain name howitts.co.uk. There is no requirement to do so, I just do. For my Domain in Samba I have left it as default so it is CLEARSYSTEM.
  • Accepted Answer

    Monday, May 07 2018, 07:32 PM - #Permalink
    Resolved
    0 votes
I'm wondering if part of my configuration isn't to blame here or something. It's strange (to me) that for the directory server I can set "domain.local" but for the SAMBA configuration, I have to enter "domain" only. And I assumed before that nothing was case sensitive but now that I'm seeing some things, I'm wondering if that isn't partially to blame also. For some reason, my LDAP domain was set up as "domain.local" even though I had specified "DOMAIN.LOCAL" when I set everything up. The SAMBA configuration, on the other hand, automatically and exclusively goes in all caps and will not allow you to set it to "DOMAIN.LOCAL", only to "DOMAIN". When I did an nslookup for the hostname of the COS box, it kept coming back with "query refused". I've now deduced that "query refused" is the default response given to a query for an object the COS box doesn't know (e.g. I nslookup "hostname" and it appends ".domain" - not ".domain.local" - which the COS box knows nothing about). Why an nslookup command appends a ".domain" suffix and not the entire suffix ".domain.local" I have no idea. I altered the network settings to properly append ".domain.local" as the DNS suffix so nslookup works fine. But I've scoured everything posted on this thread and everything I can on the internet, I still have the error message popping up saying the domain controller is not accessible. I'm leaving for Germany in 4.5 hours and have NO RESOLUTION to this issue....sucks.
  • Accepted Answer

    Saturday, May 05 2018, 08:28 AM - #Permalink
    Resolved
    0 votes
    Reading around and looking at posts like this and this, without "max protocol" being set I get:
    testparm -v | grep protocol
    <snip>
    </snip>
    client ipc max protocol = default
    client ipc min protocol = default
    client max protocol = default
    client min protocol = CORE
    server max protocol = SMB3
    server min protocol = LANMAN1
    So it is defaulting to a max of SMB3. If you have some sort of STIG requirement, can it be fixed by using "smb min protocol"? See the last post in the second link for possible values. Perhaps a "min protocol = SMB2" will give you what you want, but I have not played around with it to see if domain logins still work.
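An added example, not from this thread and not ClearOS code: the testparm output above is the place to verify a STIG-style SMB requirement, and the two settings that matter are the server minimum (anything below SMB2 still negotiates SMB1) and the server maximum (pinning it with "max protocol = SMB2" is what several replies in this thread found to break domain logons). The check below parses testparm's "server min protocol" / "server max protocol" lines; the sample outputs are constructed to match the format shown in the post, and the hardened sample uses the "min protocol = SMB2" approach the thread suggests ("server min protocol" is the full name of the same option).

```sh
#!/bin/sh
# Added example: report whether Samba's negotiated protocol range still allows
# SMB1 (SMB1_ALLOWED) or has its maximum pinned below SMB3 (MAX_PINNED).
# The fix is to raise the minimum, not lower the maximum:
#   [global]
#   server min protocol = SMB2

# Constructed samples of `testparm -v | grep protocol` output (not captured from a real host).
SAMPLE_DEFAULT='client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
server max protocol = SMB3
server min protocol = LANMAN1'

# What "max protocol = SMB2" looks like once testparm has resolved the dialect name.
SAMPLE_PINNED='server max protocol = SMB2_02
server min protocol = LANMAN1'

SAMPLE_HARDENED='server max protocol = SMB3
server min protocol = SMB2_02'

# smb_protocol_findings <testparm output>: prints one finding per line, or OK.
smb_protocol_findings() {
    min=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*server min protocol = //p')
    max=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*server max protocol = //p')
    found=0
    case "$min" in
        SMB2*|SMB3*) ;;                          # SMB2_02 .. SMB3_11: SMB1 dialects are refused
        *)           echo SMB1_ALLOWED; found=1 ;;  # CORE/LANMAN1/NT1 etc. still accepted
    esac
    case "$max" in
        SMB3*) ;;
        *)     echo MAX_PINNED; found=1 ;;       # clients cannot negotiate SMB3
    esac
    [ "$found" -eq 0 ] && echo OK
    return 0
}

# Against the live configuration:
#   smb_protocol_findings "$(testparm -s -v 2>/dev/null | grep protocol)"
smb_protocol_findings "$SAMPLE_DEFAULT"
```

A result of SMB1_ALLOWED on the default sample is the expected starting point on this version of Samba; after adding "server min protocol = SMB2" to the global section and restarting Samba the check should print OK, and domain logons keep working because the maximum is left at SMB3.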
  • Accepted Answer

    Friday, May 04 2018, 02:28 PM - #Permalink
    Resolved
    0 votes
    So, STIG's prevent the use of SMB < v2 so I had
    protocol = SMB2
in the configuration (funny, I scoured the configs throughout this problem and never thought it would be security that would prevent things from working correctly). I had enabled that security feature in COS, initially, because connecting to shares from the Windows system indicated that it wouldn't allow the connection because the security settings required a higher SMB protocol. Disabled that option and I can almost login to the domain-joined workstation. Problem is, now I get an error message "Not enough free space to process the request". I've gone through and set back to default all the SMB related LGPOs. Nothing. I'm so frustrated because of how close I am but still not there. And I don't know what I'm going to do or how I'm going to explain that I can't meet all these requirements for STIGs.
  • Accepted Answer

    Friday, May 04 2018, 11:28 AM - #Permalink
    Resolved
    0 votes
    Am I p****d off. For years in simple server mode I'd been running with:
    max protocol = SMB2
    The original intention was to allow Windows (7 or XP, I can't remember) to use a higher protocol for greater efficiency.

    Anyway, to cut a long story short, I've removed the setting, restarted Samba and immediately logged in with my domain user - nearly 2 days of self-induced problems. :(
  • Accepted Answer

    Thursday, May 03 2018, 09:19 PM - #Permalink
    Resolved
    0 votes
Yeah, let me know how that goes...I'm curious. I'm still stuck on this issue with Windows client "We can't sign you in with this credential because your domain isn't available". The more I analyze and think about it, I don't think mine is DNS related. Although I still can't do an "nslookup" of any of the 3 (yes only 3) systems in the domain (1 is PDC, 1 is BDC and the last is the client), I can ping "hostname" of any of the 3 systems and it will return an IP and provide ping response (and shows the FQDN at the top of the process). I think it's more that something isn't running or allowing some level of communication separate from (but possibly related to) DNS availability. Like I said, RSAT tools will flat not connect (not bad username/password or other errors). It just says the server is not operational. So frustrating. And all this on top of the main issue, being no notification of expired passwords in any way. If it weren't for the password expiry issue (more like lack of notification of password expiry), I wouldn't even be going down this road. I was not planning on joining the workstation to the domain (for simplicity). This is a very specific application that requires strict security on user accounts, password complexity, password history, remembered passwords, and password expiration or I would abandon most of this. Initially it was going to be just a Syslog server with access to the logs. It evolved into Windows shares to access the logs with group specific permissions and the rest. IDK. I'm disappointed we're the only 2 who seem to have this problem. And I've also tried a new stand-up of ClearOS to rule out playing with config files being the problem.
  • Accepted Answer

    Thursday, May 03 2018, 08:23 PM - #Permalink
    Resolved
    0 votes
From reading around, I am wondering if the domain name needs to resolve by DNS. I can't test until tomorrow but I will try adding the domain_name to the hosts file and also, possibly, domain_name.default_domain so, for me, CLEARSYSTEM.howitts.test.
  • Accepted Answer

    Thursday, May 03 2018, 07:16 PM - #Permalink
    Resolved
    0 votes
So I've got the proper RSAT installed but I'm still unable with any of those tools (Active Directory Users and Groups, ADSI Edit, DNS Manager, etc) to contact or manage the DC that is the ClearOS box. I'm working with an air-gapped network, all static IPs (no DHCP) but I don't think that would have anything to do with it. I see in the COS box where the domain-joined system appears in the list of DNS entries (weird thing is I can ping a DNS name - after receiving a response from the COS box - with no problem but if I do an nslookup, it gets a query refused response from the COS box). I still think it has something to do with DNS but I don't know what or where. The bad part is, this is partially production setup and has to work. I've got no choice now. I'm just stuck here and I'm going out of town to finish implementation of this box.
  • Accepted Answer

    Thursday, May 03 2018, 05:07 PM - #Permalink
    Resolved
    0 votes
    I'm not using WINS and, like you, I can ping by hostname and by FQDN with no problem. I suspect it may be related to DNS (SRV's specifically) but RSAT that I installed first, didn't have the DNS management. I'm trying to install the WS_2016 (recommended by MS) now which should (hopefully) have the DNS tools where I can actually look at some stuff.
  • Accepted Answer

    Thursday, May 03 2018, 04:42 PM - #Permalink
    Resolved
    0 votes
    You seem to have the same issue as me with my desktop. I can join but not log in. On my laptop with a wired connection a few minutes ago I could not even join. It can't find the domain controller which is odd. I can ping it by its FQDN, it is working as the WINS server and DHCP is saying it is the WINS server so I am perplexed.
  • Accepted Answer

    Thursday, May 03 2018, 04:32 PM - #Permalink
    Resolved
    0 votes
So, I was able to join the domain with a Windows 10 Pro client (first time it errored saying the computer wasn't in the domain but a second attempt worked). Problem is, now I can't login from the client PC (yes, even though it joined) with domain credentials. I tried domain\username and username with its corresponding password to no avail. The message says can't sign in because domain isn't available. Windows RSAT keeps saying the domain controller is "not operational". I'm not sure what to check with it either. DNS appears to be working as pings from client to server DNS/FQDN works.

    P.S. I only had to change the registry setting as detailed in some other posts ([HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters] and add a DWORD named DomainCompatibilityMode with the hex set to 00000001 and a second DWORD value DNSNameResolutionRequired with 00000000 for the hex data) to get the domain join to work.
  • Accepted Answer

    Thursday, May 03 2018, 01:27 PM - #Permalink
    Resolved
    0 votes
    OK then your set up is more complex than I imagined. Does it make sense to have expiring passwords on headless devices like switches?

    If you change the password through an LDAP browser, are you also updating the datestamp of the last password change (sambaPwdLastSet?) or does your LDAP browser do that for you?

If you do join a computer to the domain, I'd love some help. I tried my first join yesterday and have failed. I've made the registry changes, then go This PC > right-click > Properties > Change Settings > change to Domain = CLEARSYSTEM, enter windadmin/password > OK. This appears to work as I see the "Welcome to the CLEARSYSTEM domain" message and I reboot. Trying to log in with a test user I get "We can't sign you in with this credential because your domain isn't available .......". I've also tried through the Network ID wizard and through Settings > Accounts > Access Work or School > Connect, and it is always the same.
  • Accepted Answer

    Thursday, May 03 2018, 12:31 PM - #Permalink
    Resolved
    0 votes
Sorry for the lack of details. The LDAP browser I'm using has the ability to hash the password when it inserts it into the database, so, yes, the password is correctly stored in the database. The RADIUS clients are Juniper switches and are using MSCHAPv2 but do not display a password expired message. I do not have any Windows OSes domain-joined to the directory (in fact, the only reason the Windows domain services are installed is to be able use the PDC/BDC roles). I plan on joining a machine today to see what options I might have extended in doing so. Also, I would have expected "passwd" to change the password for a user from the CLI because the user authentication mechanism is actually set to use LDAP as well as PAM and Linux doesn't complain that the username doesn't exist, just that error message I received when trying to change the password. And, frustratingly, the web GUI doesn't even indicate an expired password (RADIUS does, but only on the server when running in debug mode - or in the log files) when logging into it.
  • Accepted Answer

    Thursday, May 03 2018, 10:05 AM - #Permalink
    Resolved
    0 votes
As far as I am aware, you cannot use an LDAP browser to change the password as only a hashed value is stored there. Similarly passwd won't help as that changes a unix password and not one stored in LDAP. As an admin you can change anyone's password through the webconfig. As a user, I'm afraid I have no experience of expiring passwords as I don't use them. I would hope you'd be forced to change them when you next log in but I do see a catch 22 for Radius users in that they can't get their WiFi connection to log in to see their password has expired. Googling around suggests that mschap authentication should allow for expired passwords.

    Have you enabled the Group Policy option "Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/interactive logon: Prompt user to change password before expiration"?

    I have been doing some investigations recently into Radius. Have you enabled it for domain logins? You need to uncomment the line ntdomain in /etc/raddb/sites-available/default and /etc/raddb/sites-available/inner-tunnel and also add the following to /etc/raddb/proxy.conf:
    # realm for ClearOS domain - replace CLEARSYSTEM with your Windows/Samba domain
    realm CLEARSYSTEM {
    }