[Samba] Windows users can't change password 4.1.6

Marc Muehlfeld mmuehlfeld at samba.org
Tue Jan 27 12:01:41 MST 2015

Hello James,

On 27.01.2015 at 19:23, James wrote:
> This happens to me as well. Over several different versions of Samba.
> It's a minor nuisance on my end. Basically the following
>  * User is prompted to change password
>  * User types old password along with new password twice.
>  * User is prompted with the error message 'unable to change password.
>    doesn't meet the complexity blah blah blah'.
>  * It will then prompt for old password along with new password.
> The password change actually succeeds. That's why the user receives a
> message about the old password not being correct. I have the user
> restart their workstation and have them log in with the password they
> just created. Sometimes they will need to choose other user and type
> their username and password and not use the last logged on user prompt.

I can't reproduce this here in my test environment on 4.2.0rc4 from a
Win7 64-Bit Pro workstation:

I used the following settings:
# samba-tool domain passwordsettings  show
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 8
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

For one user I marked "User must change password on next logon" in ADUC
and for a second one, I set pwdLastSet to May last year. Both users had
an initial password that met the complexity settings (aa-bb123).

Then I logged on with both. Windows told me that the password has to be
changed. I tried to set it to 'password' which fails, because of the
complexity rule. Then I entered the old password (aa-bb123) and twice a
new one (yy-zz123) and the password change was done. On a second logon
try the new password worked.

I also tried just to set it to 'password' (which fails because of missing
complexity) and then went back to the login screen. But the password for
the next login was still 'aa-bb123' - so it wasn't set.

If these weren't the steps you did, please give me a step by step example.

