[Samba] Users/admin unable to reset passwords

Rowland Penny rpenny at samba.org
Thu Apr 25 09:01:56 UTC 2024


On Mon, 22 Apr 2024 08:56:41 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> New related issue.
> 
> I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> ago, and set the 'Maximum password age' to 90 days. Today, two of the
> users' passwords were expired when they tried to log in this morning.
> They got the message that their password was expired and to change
> it, but when doing so they keep getting "your password has expired." 
> 
> I've reset 3 people's passwords so far today. This worked without
> problem on 4.8.2. Yes, they did get the Windows notice that their
> password was expiring in x days, but they didn't act on that.
> 
> Any idea how to fix this? 
> 
>

When setting a user's password, the basic command is
'samba-tool setpassword <username>', to which you can add the new
password with '--newpassword=passw0rd'. If you do not supply a
password, you will be prompted for it (twice). You can also add
'--must-change-at-next-login', which is supposed to make the user
change their password at the next logon.

How does the '--must-change-at-next-login' switch work?
If the switch is set, it just sets the user's 'pwdLastSet' attribute to
'0', at which point the Windows code should kick in and prompt the
user to change their password, then set the user's 'unicodePwd'
attribute to basically a base64 hash of the supplied password and
reset the user's 'pwdLastSet' attribute to the date and time that the
password was changed.

I suggest you set a test user to change their password at next login
and then check the user's 'pwdLastSet' attribute; it should contain '0'.
Next, attempt to log on as the user and, when prompted, change the
password. If this works, OK, but if not, check the user's 'pwdLastSet'
attribute again. What does it contain now?

Rowland
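
The check suggested above, as an added example that is not part of the original post: a small Python helper that reads a user's 'pwdLastSet' from an LDIF record and reports whether it is '0' (must change), older than the maximum password age, or still valid. It assumes the value is a Windows FILETIME, uses constructed sample records, and ignores per-account flags and fine-grained password policies; the function names are hypothetical.

```python
"""Classify an account from its pwdLastSet value (added example)."""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample records, shaped like LDIF output for one user.
MUST_CHANGE_LDIF = "dn: CN=testuser,CN=Users,DC=example,DC=com\npwdLastSet: 0\n"
AGED_LDIF = ("dn: CN=testuser,CN=Users,DC=example,DC=com\n"
             "pwdLastSet: 133505604000000000\n")


def filetime_to_datetime(ticks):
    """Convert FILETIME ticks to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_pwd_last_set(ldif):
    """Return the integer pwdLastSet value from an LDIF record."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "pwdlastset":
            return int(value.strip())
    raise ValueError("record has no pwdLastSet attribute")


def password_state(ldif, max_age_days, now):
    """Return (state, expiry) where state is must-change, expired or valid."""
    ticks = parse_pwd_last_set(ldif)
    if ticks == 0:
        # What --must-change-at-next-login is described as setting.
        return "must-change", None
    expiry = filetime_to_datetime(ticks) + timedelta(days=max_age_days)
    return ("expired" if now >= expiry else "valid"), expiry


if __name__ == "__main__":
    now = datetime(2024, 4, 25, 9, 0, tzinfo=timezone.utc)  # constructed clock
    for label, record in (("after reset", MUST_CHANGE_LDIF), ("aged", AGED_LDIF)):
        state, expiry = password_state(record, 90, now)
        print(label, state, expiry.isoformat() if expiry else "-")
```

Run it against the record before and after the test user's password change: a successful change moves the state from must-change to valid.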



