[Samba] Samba AD DC: users cannot change expired passwords

Kees van Vloten keesvanvloten at gmail.com
Mon Sep 25 11:19:36 UTC 2023


On 25-09-2023 at 11:54, Pluess, Tobias via samba wrote:
> Hi all,
> I am running a Samba AD DC (version 4.18.6). It basically works very well.
> However when testing, I found the following issue:
>
> I create a new user account in AD, provide an initial password and set
> "user must change the password at the next login".
> I have only a Windows 10 machine to test, so I am going to the Windows 10
> machine and try to login with the newly created user account and initial
> password. Windows then correctly displays "the password is expired" and
> provides a dialog to enter the new password. However when the new password
> is entered and confirmed with "OK", I get again the message "the password
> is expired". No matter what, I cannot get around this message and the newly
> created user is never able to log in.
> Further, what is even more strange is that I can even get the message
> about the expired password when I enter something completely different than
> the initial password. I can essentially enter anything, even a blank
> password, and get the message "the password is expired" and I am never
> able to change it.
>
> Only when I log in as the domain admin can I reset the user's password.
>
> I already changed password history and min-password-age and so on to 0, but
> it still does not yet work. However, luckily, users are able to change
> their own password using ctrl+alt+delete. However, why does it not work
> during login?
>
> I have already seen other people had similar issues on Windows 10, but I
> didn't find out if anybody ever found a solution to this problem.
>
> I am happy for any hints.
>
> Thanks,
> best
> Tobias
I have experienced exactly the same issue (also on 4.18.6). Even with 
kinit on Linux you cannot change an expired password.

- Kees.



