Samba AD DC Password Expiry problem

[Rowland Penny]

On Fri, 03 May 2019 18:58:49 +0300
Izzet Aydın via samba-technical <samba-technical at lists.samba.org> wrote:

> Hello everyone,
> 
> I am trying to force a user to change his password at login screen, ( 
> test2 is the username ) with the following command
> 
> samba-tool user setpassword test2 --must-change-at-next-login
> 
> Client computer is configured and joined to domain. However, when i
> try to login in lightdm, i see the following line in auth.log
> 
>   pam_winbind(lightdm:auth): request wbcLogonUser failed: 
> WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHTOK_EXPIRED (27), NTSTATUS: 
> NT_STATUS_PASSWORD_EXPIRED, Error message was: Password expired
> 
> but the user is still able to login.
> 
> If i configure another client computer with gnome interface, i get
> the same auth.log message, but in this case i see the password
> expired message in gdm. Yet no user password change interrupts
> appears.
> 

This very probably has nothing to do with Samba, there is a grace
period that will allow the old password to work, but your login manager
should deal with this. It should prompt the user to change their
password, so I think you need to put your question to whomever
produces your login manager.
 
> 
> /etc/samba/smb.conf
> [global]
> realm = test.local
> workgroup = TEST
> security = ads
> password server = xxx.xx.xx.xx
> security = ads
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> winbind use default domain = yes
> winbind offline logon = false

What I can point out to you is, your smb.conf is incorrect, it uses
extremely old settings (the idmap lines) and things that shouldn't be
set (password server), can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Can I also point out that you should really ask questions like this on
the samba mailing list.

Rowland