[Samba] Samba4 and Windows 7 password change

Daniel Müller mueller at tropenklinik.de
Thu Sep 9 13:06:41 MDT 2010

On Thu, 09 Sep 2010 19:22:37 +1000, Andrew Bartlett <abartlet at samba.org>
> On Wed, 2010-09-08 at 22:07 -0500, Philip M. White wrote:
>> Hi, all,
>> With the latest Samba4, I am not able to change a user's password via
>> Windows 7.
>> I was able to successfully set a password from within RSAT's Users
>> adding a new user, but that user cannot change his own password.
>> When I try, Windows 7 tells me that the server rejected the password
Hi in Samba4 you need:

Password Policy Settings!! 

Along with Samba4 the Password Policy you can only set from console, with 
'net  pwsettings ' command. 
net  pwsettings  –help: 

usage: (show | set <options>) 

  -h, --help            show this help message and exit 
  -H H                  LDB URL for database or target server 
  --quiet               Be quiet 
                        The password complexity (on | off | default).
                        is 'on' 
                        The password history length (<integer> | default).

                        Default is 24. 
                        The minimum password length (<integer> | default).

                        Default is 7. 
                        The minimum password age (<integer in days> | 
                        default).  Default is 1. 
                        The maximum password age (<integer in days> | 
                        default).  Default is 43. 

  Samba Common Options: 
    -s FILE, --configfile=FILE 
                        Configuration file 
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL 
                        debug level 
    --option=OPTION     set smb.conf option from command line 
    --realm=REALM       set the realm name 

  Credentials Options: 
                        DN to use for a simple bind 
    -U USERNAME, --username=USERNAME 
    -W WORKGROUP, --workgroup=WORKGROUP 
    -N, --no-pass       Don't ask for a password 
    -k KERBEROS, --kerberos=KERBEROS 
                        Use Kerberos 

  Version Options: 
    --version           Display version number 

So I set my Password Policy: 

net  pwsettings  set –--complexity=off 
net  pwsettings  set ---max-pwd-age=60 #<---60 Days 
net  pwsettings  set –min-pwd-length=5 

net  pwsettings  show: 

net pwsettings show 
Password informations for domain 'DC=mydomain,DC=my,DC=dom' 

Password complexity: off 
Password history length: 24 
Minimum password length: 5 
Minimum password age (days): 1 
Maximum password age (days): 60 

Then change your passwords in your windows7 client.


>> change because the new password doesn't meet the complexity/length
>> requirements.
>> On Samba's end, I see this:
>> Changing password of PMWWORLD\sue
>> (S-1-5-21-1802782687-180428704-2922416880-1106)
>> kpasswdd: Password must be at least 7 characters long, and cannot match
>> any of your 24 previous passwords
>> I get this regardless of what password I try.  For the record, I tried
>> Secret$1 and Secret$2, both of which meet the first condition and which
>> I've tried for the first time ever.
>> Can anyone confirm this behavior?
> That's an odd one. 
> Perhaps it's a minimum password age?
> Andrew Bartlett

More information about the samba mailing list