[Samba] Samba AD DC: users cannot change expired passwords

Pluess, Tobias tpluess at ieee.org
Mon Sep 25 11:48:21 UTC 2023 

Indeed,

I have exactly the same behaviour. I just tested what happens when I try to
run kinit first.
kinit itself works fine, but it does not help with the expired passwords
problem.


On Mon, Sep 25, 2023 at 1:20 PM Kees van Vloten via samba <
samba at lists.samba.org> wrote:

>
> Op 25-09-2023 om 11:54 schreef Pluess, Tobias via samba:
> >   Hi all,
> > I am running a Samba AD DC (version 4.18.6). It basically works very
> well.
> > However when testing, I found the following issue:
> >
> > I create a new user account in AD, provide an initial password and set
> > "user must change the password at the next login".
> > I have only a Windows 10 machine to test, so I am going to the Windows 10
> > machine and try to login with the newly created user account and initial
> > password. Windows then correctly display "the password is expired" and
> > provides a dialog to enter the new password. However when the new
> password
> > is entered and confirmed with "OK", I get again the message "the password
> > is expired". No matter what, I cannot get around this message and the
> newly
> > created user is never able to log in.
> > Further, what is even more strange is, that I can even get the message
> > about the expired password when I enter something completely different
> than
> > the initial password. I can essentially enter anything, even a blank
> > password,  and get the message "the password is expired" and I am never
> > able to change it.
> >
> > Only when I log in as the domain admin, I can reset the user's password.
> >
> > I already changed password history and min-password-age and so on to 0,
> but
> > it still does not yet work. However, luckily, users are able to change
> > their own password using ctrl+alt+delete. However, why does it not work
> > during login?
> >
> > I have already seen other people had similar issues on Windows 10, but I
> > didn't find out if anybody ever found a solution to this problem.
> >
> > I am happy for any hints.
> >
> > Thanks,
> > best
> > Tobias
> I have experienced exactly the same issue (also on 4.18.6). Even with
> kinit on Linux you cannot change an expired password.
>
> - Kees.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list